Heartbleed Discoverer Speaks Out
Codenomicon CEO Calls for Greater Emphasis on App Security
Codenomicon Chief Executive David Chartier
The chief executive of the Finnish company that uncovered the OpenSSL vulnerability known as Heartbleed says security practitioners should rethink how they approach IT security by placing a greater emphasis on vetting software for vulnerabilities before it is deployed.

Codenomicon CEO David Chartier says a widely used security practice called block and protect "doesn't work anymore because so many of the exploits are written on unknown vulnerabilities that you can't block or detect very easily."

In an interview with Information Security Media Group, Chartier says the Heartbleed bug illustrates the need to properly test and vet the critical software components and applications to identify unknown weaknesses in them. "The best defense is to have secure software," says Chartier, who leads a company that generates revenue from testing software and services to ensure their security and robustness.

Researchers working for Codenomicon discovered the flaw on April 4 in OpenSSL, the widely used open source library that implements the SSL/TLS protocols encrypting sessions between user devices and websites. The bug sits in OpenSSL's implementation of the TLS heartbeat extension, a keep-alive mechanism in which one side sends a short message and the other echoes it back (see Heartbleed Bug: What You Need to Know). A Codenomicon researcher christened the flaw Heartbleed, because a malformed heartbeat makes the vulnerable server bleed the contents of its memory back to whoever sent it. After a fix was developed over the weekend, Codenomicon and Google, which had independently discovered the flaw, disclosed the vulnerability on April 7 along with the patched OpenSSL release.
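The mechanism described above, as an added illustration that is not code from the original article, from OpenSSL, or from Codenomicon: a small C model of a heartbeat handler that can run either with the declared payload length trusted (the Heartbleed bug class) or with the length checked against the bytes actually received. The layout of the heartbeat message follows RFC 6520; the function names, the 21-byte request, the "session-cookie" secret placed after it, and the fuzz-style sweep over every declared length are constructed for this demo and are not from any real server.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Heartbeat message (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(>=16).
   Everything below the layout (names, lengths, the secret) is constructed for this demo. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define REQUEST_LEN  21   /* 3-byte header + 2-byte real payload + 16 bytes padding */

/* Answer a heartbeat request of record_len bytes, writing the response into out.
   Returns bytes written, or -1 if the request is rejected. With check_bounds == 0
   the declared payload length is trusted, which is the class of bug behind Heartbleed. */
static int heartbeat_respond(const uint8_t *rec, size_t record_len,
                             uint8_t *out, size_t out_cap, int check_bounds)
{
    if (record_len < 3 || rec[0] != HB_REQUEST) return -1;
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];

    /* Hardened path: declared payload plus minimum padding must fit inside the
       bytes actually received, the same kind of check OpenSSL 1.0.1g added. */
    if (check_bounds && (size_t)3 + payload + HB_PADDING > record_len) return -1;

    size_t needed = 3 + payload + HB_PADDING;
    if (needed > out_cap) return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    /* Vulnerable path: copies `payload` bytes from rec + 3 regardless of record_len,
       so whatever lies beyond the real request in memory is echoed to the peer. */
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);   /* real TLS uses random padding */
    return (int)needed;
}

/* Constructed scenario: a 128-byte region holds a tiny request ("hi" plus padding)
   followed by a secret the request should never be able to read. The over-read
   stays inside this region, so the demo itself is well defined. */
static const char SECRET[] = "session-cookie=deadbeef";

static void build_scenario(uint8_t *region, size_t region_len, unsigned int declared)
{
    memset(region, 'P', region_len);
    region[0] = HB_REQUEST;
    region[1] = (uint8_t)(declared >> 8);
    region[2] = (uint8_t)declared;
    region[3] = 'h';
    region[4] = 'i';                          /* the real 2-byte payload */
    memcpy(region + REQUEST_LEN, SECRET, sizeof SECRET);   /* secret sits after the request */
}

static int contains(const uint8_t *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Returns 1 if an unchecked handler echoes the secret when the request claims 60 bytes. */
int leaks_secret_without_check(void)
{
    uint8_t region[128], out[256];
    build_scenario(region, sizeof region, 60);
    int n = heartbeat_respond(region, REQUEST_LEN, out, sizeof out, 0);
    return n >= 0 && contains(out, (size_t)n, SECRET);
}

/* Returns 1 if the checked handler rejects the same over-long request outright. */
int rejected_with_check(void)
{
    uint8_t region[128], out[256];
    build_scenario(region, sizeof region, 60);
    return heartbeat_respond(region, REQUEST_LEN, out, sizeof out, 1) == -1;
}

/* Returns 1 if an honest request (declared length 2) is still served by the checked handler. */
int honest_request_ok(void)
{
    uint8_t region[128], out[256];
    build_scenario(region, sizeof region, 2);
    int n = heartbeat_respond(region, REQUEST_LEN, out, sizeof out, 1);
    return n == REQUEST_LEN && out[0] == HB_RESPONSE && out[3] == 'h' && out[4] == 'i'
           && !contains(out, (size_t)n, SECRET);
}

/* Fuzz-style sweep: drive every possible declared length through the checked handler
   for the same 21-byte record and count acceptances. Only 0, 1 and 2 fit beside 16
   bytes of padding, so the expected count is 3. */
int hardened_accepts_only_fitting_lengths(void)
{
    uint8_t region[128];
    size_t cap = 3 + 0xFFFF + HB_PADDING;
    uint8_t *out = malloc(cap);
    if (!out) return -1;
    int accepted = 0;
    for (unsigned int declared = 0; declared <= 0xFFFF; declared++) {
        build_scenario(region, sizeof region, declared);
        if (heartbeat_respond(region, REQUEST_LEN, out, cap, 1) >= 0) accepted++;
    }
    free(out);
    return accepted;
}

int main(void)
{
    printf("unchecked handler leaks secret: %d\n", leaks_secret_without_check());
    printf("checked handler rejects request: %d\n", rejected_with_check());
    printf("checked handler serves honest request: %d\n", honest_request_ok());
    printf("declared lengths accepted by checked handler: %d\n",
           hardened_accepts_only_fitting_lengths());
    return 0;
}
```

The one-line bounds check is the entire difference between the two paths; the sweep at the end is the kind of input-driven test a fuzzer automates, and it is why Chartier argues that vetting the code itself finds bugs that network-level blocking cannot see.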

In the interview, Chartier explains:

  • Why it took researchers two years to identify the flaw;
  • The potential catastrophic results Heartbleed could cause; and
  • How the open source community helped spread word about the vulnerability and its fix once it became known.

Codenomicon, founded in 2001, develops vulnerability testing tools known as fuzzing tools, which feed malformed and unexpected inputs to software to expose crashes and security weaknesses, for manufacturers, service providers and government, defense and enterprise customers. Chartier says Codenomicon discovered the flaw in OpenSSL while developing one of its products.

Chartier has 20 years of technology industry experience that includes serving as chairman of Maxware, the identity management solutions provider that SAP acquired in 2007. He also has held CEO positions at startup companies including enterprise search and monitoring solutions provider IntelliSearch and IT solutions provider Computas, along with serving as chairman of Active ISP, a web hosting firm. Chartier founded e-commerce services provider InfoStream and led the company through a successful initial public offering in 1999.
