Friday, April 18, 2014

Heartbleed, meet Google App Engine


The Heartbleed overflow issue is a bug that adversely affects network security. When this vulnerability is exploited, encrypted data may become compromised during transmission. Individuals responsible for hosting web applications that require a high level of security may find themselves scrambling to find ways to patch their servers so as to minimize Heartbleed's impact on their operations. That is, those individuals who aren't hosting their applications on Google App Engine.

Background

On April 7, 2014, the OpenSSL Foundation released a fixed version of OpenSSL, a popular open source encryption library used to secure network communications. This release addresses the "Heartbleed" overflow issue widely reported through mainstream media.

To incorporate the fixes in the new version of OpenSSL, organizations must patch their systems with an updated version of the software. For some, this may be a very short, simple process. For others, the process is much more involved. For example, applications that are built using older versions of OpenSSL may not be compatible with the new version of the library. Moreover, some applications will need to be recompiled and linked to the new library. Others still may be dependent on a specific version of the library and may not have the option to patch.

For applications such as these, Heartbleed may be a serious concern.

However, for those hosting their applications on Google App Engine, this is a non-issue.

Google App Engine

Google App Engine is an application hosting platform provided by Google as a part of the Google Cloud Platform suite of products. Unlike many competing cloud computing platforms, developers deploy their applications to Google App Engine while leaving the administration of the platform up to Google.

Consider the platforms provided by some other cloud computing providers. Frequently, the developer is provided a virtual server where they can install the applications and libraries of their choosing. While this provides significant flexibility, it also means that developers or system administrators must still engage in typical administrative tasks, such as cleaning disks, parsing logs, and patching software. That is, some poor soul is still stuck going from system to system updating their software to use the fixed version of OpenSSL.

As a Platform as a Service (PaaS) solution, Google App Engine doesn't require any of this extra effort. Google App Engine was designed to allow developers to focus on developing applications while leaving the hosting of those applications to Google's engineers. That is, developers of applications hosted on Google App Engine don't have to worry about issues like scalability, log file maintenance, swap space, hard drive partitioning, data replication, caching servers -- they're left to focus on their applications.

On April 9, 2014, Google announced that Google App Engine had been updated to use the most recent version of OpenSSL. That is, shortly after the announcement of a fix for the Heartbleed overflow issue, the solution was applied to the servers hosting Google App Engine applications.

Simply put, Google took fast, decisive action to neutralize the potential threat posed by Heartbleed — with no additional action required by the individual developers who host their applications on its App Engine platform.

Heartbleed, meet Google App Engine.


--
Wes Dean, a Google Apps Certified Deployment Specialist and a Google Apps Trusted Tester, is Principal of KDA Web Technologies, a Google-Centric development firm and a Google Apps Authorized Reseller. To learn how Wes and KDA Web Technologies can help you, go to www.kdaweb.com.