Hundreds of cloud apps still vulnerable to DROWN

Mar 22, 2016
Application Security, Network Security, SaaS

Complacency in addressing known vulnerabilities puts users at risk

If you have even a passing interest in security vulnerabilities, there’s no chance that you missed the news about the DROWN vulnerability. It’s one of the biggest vulnerabilities to hit since Heartbleed, potentially impacting a third of all HTTPS websites. By exploiting the obsolete SSLv2 protocol, this flaw makes it possible for an attacker to eavesdrop on a TLS session.

Because we use SSL and TLS encryption to shop, send messages, and send emails online, DROWN potentially allows attackers to access our messages, passwords, credit card details, and other sensitive data.

DROWN was disclosed on March 1, but a full week later Netskope identified 676 SaaS applications that were still vulnerable to the attack. This highlights a recurring problem we see time and time again in the security industry — a failure to remediate vulnerabilities.

Detecting issues is only the first step; companies must take action to close loopholes and protect their customers.

Interestingly, Netskope also pointed out that of those 676 SaaS apps, 73 are also still vulnerable to FREAK, 42 are still vulnerable to Logjam, and 38 are still vulnerable to the OpenSSL CCS attack.

The longer it takes to deal with a known vulnerability, the higher your risk of a successful attack. Known vulnerabilities still pose the biggest IT security threats, and there’s little sign that’s going to change any time soon.

We saw the same pattern of complacency after the Heartbleed vulnerability was unveiled. A full year later, 74% of Global 2000 companies with public-facing systems vulnerable to Heartbleed had failed to remediate the problem across all servers, according to security firm Venafi.

Netskope has been posting daily updates on DROWN, and it’s clear that some companies are taking action, but as of March 14, two weeks after the disclosure, there are still 513 vulnerable apps.

Dealing with DROWN

There has been some disagreement about how easy it is to exploit DROWN, but it’s certainly a potentially serious vulnerability that’s worth addressing. You can check to see whether your own website is vulnerable by visiting the DROWN Attack website.

It’s also not especially difficult to remediate: simply don’t allow SSLv2 on any of your servers, and ensure that private keys are not being used anywhere with server software that allows SSLv2 connections. This is an obsolete protocol that should have already been removed due to its inherent weaknesses.
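The second half of that advice is the part that is easy to miss: a host that never offers SSLv2 is still exposed if its private key is also deployed on a host that does. The following inventory check, an added example that is not from the original post, groups hosts by public-key fingerprint and flags both the SSLv2-capable hosts and every host that shares a key with one. The inventory records are constructed sample data; in practice the fingerprint column would be filled from each host's certificate (for example via `openssl x509 -noout -pubkey -in cert.pem`) and the SSLv2 column from a scan of each endpoint.

```python
"""Flag hosts exposed to DROWN through their own SSLv2 support or through a
private key shared with an SSLv2-capable host."""
from collections import defaultdict

# Constructed sample inventory: (hostname, public-key fingerprint, offers SSLv2?)
# The hostnames and fingerprints are placeholders, not real systems.
INVENTORY = [
    ("www.example.test",  "pubkey-fp-A", False),
    ("mail.example.test", "pubkey-fp-A", True),   # legacy mail host still speaks SSLv2
    ("api.example.test",  "pubkey-fp-B", False),
    ("old.example.test",  "pubkey-fp-C", True),
]


def hosts_by_key(inventory):
    """Group (host, sslv2) pairs by the public key they present."""
    groups = defaultdict(list)
    for host, fingerprint, sslv2 in inventory:
        groups[fingerprint].append((host, sslv2))
    return groups


def drown_exposed(inventory):
    """Return {host: reason} for every host that needs remediation.

    A host is listed if it offers SSLv2 itself, or if any other host using
    the same key offers SSLv2 (the cross-server case DROWN relies on).
    """
    exposed = {}
    for fingerprint, members in hosts_by_key(inventory).items():
        sslv2_hosts = sorted(h for h, sslv2 in members if sslv2)
        if not sslv2_hosts:
            continue  # nobody with this key speaks SSLv2: nothing to report
        for host, sslv2 in members:
            if sslv2:
                exposed[host] = "offers SSLv2 directly"
            else:
                exposed[host] = (f"shares key {fingerprint} with SSLv2 host(s): "
                                 + ", ".join(sslv2_hosts))
    return exposed


if __name__ == "__main__":
    for host, reason in sorted(drown_exposed(INVENTORY).items()):
        print(f"{host}: {reason}")
```

Hosts that appear only because of key sharing need their key rotated as well as SSLv2 disabled on the peer, since the key itself may already have been exposed.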

Vulnerabilities like DROWN and FREAK really highlight the dangers of obsolete cryptography. This is something we should all be taking more seriously.

There’s a real need to break down department barriers, so that threats can be dealt with efficiently and in a timely fashion. The latest IT Security and Operations Survey from BMC and Forbes Insights, found that 44% of data breaches in the U.S. and Europe are caused by known vulnerabilities. The report lays the blame on a disconnect between security and IT operations teams, which often have different goals and priorities. Lack of communication, coordination, and proper oversight is disastrous for data security.

It’s up to CIOs, working with the CISO, to ensure that security and IT groups work more closely together, not just to identify issues but to fix them as quickly as possible. Organizations need to understand that these kinds of vulnerabilities are not just a theoretical concern.

It’s not always possible to determine when data has been breached, and it can be difficult to categorize threats and understand their severity. But one thing is perfectly clear: burying your head in the sand and failing to deal with a known vulnerability puts your customers’ data and potentially the future of your business at serious risk.

The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.


Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She's also involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girls’ mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity, Web Security Journal and others.