Heartbleed is an major security problem found in OpenSSL, a very popular encryption package.
An excellent (code-level) technical description can be found at the Register.
Unfortunately, there are a LOT of embedded systems out there with no easy way to patch.
Action items for everyone:
- Download and review the OWASP Top Ten
- Make sure you are using static code analysis tools to catch common errors. A reporting “kitchen sink” Maven project posted on our GitHub which includes a lot of reports, such as test coverage, static code analysis, code complexity, and much more.
- Be sure you understand how important test suites, code coverage tools, and deployment automation are for both preventing these issues and being able to quickly deploy when there are updates. Including being able to quickly test that the applications still work when patches come out.
The guy who checked in the OpenSSL bug is now famous... lucky him. >_<