I love OWASP (I wanted to get that out of the way) but they let their TLS certificate expire yesterday:
Should it have happened to an organization whose whole goal is to secure web applications?
No.
There are a million reasons why their TLS certificate could have expired and plenty of reasons it shouldn’t have (OWASP uses letsencrypt for their TLS certificate which can automatically renew certificates and sends you email when they are close to expiring).
Is it forgivable?
Yes.
Expired certificates, missing patches and unknown cloud services haunt every security organization. Some people look at these things as *easy* to fix and if you miss them you dont care about security… most of those people have usually never worked in operational security.
Why did it happen?
Operational Security Is Hard.
Being perfect is impossible. Stephen Curry (Arguably the best shooter in the NBA) only makes 90% on his free throws. So everyone is going to miss a patch, let a certificate expire and have unknown cloud services. It.Is.Going.To.Happen.
What can we learn from this?
A lot.
How would your organization have handled this on Saturday morning? Would you have been able to update your certificate in an hour on a Saturday morning? If you know the answer to those questions you can pick a tweet from @badthingsdaily and work through it with your team.
Let me know your thoughts on twitter.
Reminder: Operational Security Is Hard
