Securing Open Source Post-HeartbleedExperts Analyze Tech Firms' Announcement to Fund Open Source
With the news that several large technology companies are going to assist in funding critical open source projects such as OpenSSL following the Heartbleed exploit, security experts say the move can make a difference in ensuring better security.
See Also: Data Center Security Study - The Results
The Linux Foundation, a non-profit consortium dedicated to fostering the growth of Linux and collaborative software development, this week announced the creation of the Core Infrastructure Initiative.
In an April 24 press release announcing the project, The Linux Foundation says the initiative will enable technology companies to collaboratively identify and fund open-source projects that are in need of assistance, while allowing the developers to continue their work under the community norms that have made open source so successful.
"The Core Infrastructure Initiative is a multi-million dollar project organized by The Linux Foundation to fund open source projects that are in the critical path for core computing and Internet functions," the foundation says in a statement. "Galvanized by the Heartbleed OpenSSL crisis, the initiative's funds will be administered by The Linux Foundation and a steering group comprised of backers of the project as well as key open source developers and other industry stakeholders."
The first project under consideration to receive funds from the initiative will be OpenSSL, which the foundation says could receive fellowship funding for key developers as well as other resources to assist the project in improving its security, enabling outside reviews and improving responsiveness to patch requests.
Heartbleed exposes a flaw in OpenSSL, a cryptographic tool that provides communication security and privacy over the Internet for applications such as Web, e-mail, instant messaging and some virtual private networks (see: Heartbleed Bug: What You Need to Know).
Founding backers of the initiative include Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, VMware and The Linux Foundation.
"If those involved actually dedicate time to addressing the issues, it will [make a difference]," says information security and privacy specialist Rebecca Herold. "Currently we are depending upon an assumption that the general population of IT folks will diligently inspect and vet open source code on an ongoing basis."
Herold continues: "The fact that it took two years to find the Heartbleed code error demonstrates the dangerous flaw in this assumption."
Heartbleed: The 'Bellwether Call'
Security analysts generally support this new initiative as a positive step forward for securing open source projects.
Heartbleed is the "bellwether call," Herold says, that was needed to change how open source is managed and vetted, "especially when open source code such as OpenSSL is depended upon to be the strong and dependable security tool used by millions of sites and devices.
"It's really pretty crazy, given our dependence on information security open source code, that this type of project has not been done before now," she says.
Avivah Litan, analyst at Gartner Research, says that because open source code has generally been more secure than proprietary code, organizations have gotten away with not funding these initiatives. "But the world's gotten a lot more complicated, systems are more complicated, and a system like OpenSSL is embedded everywhere and it's become a critical piece of infrastructure that we can't afford to be vulnerable," she says.
Alan Brill, senior managing director at security advisory firm Kroll Solutions, is hopeful this initiative will make a real difference to improving open source projects. "Open source code can be of immense value, but there is a need for a transparent review function, so that part of the process is a review," he says. "Clearly, there will need to be careful contractual wording to define responsibility and liability where volunteer reviewers don't see a problem that turns out to be serious."
Funding Open Source
Steve Marquess, co-founder and president of the OpenSSL Software Foundation, recently posted an open letter detailing the financial burdens impacting his organization.
"OSF typically receives about $2,000 a year in outright donations," he says. With news of Heartbleed and reports of the amount of funding OSF receives, recent support has netted the foundation close to $9,000.
"Even if those donations continue to arrive at the same rate indefinitely (they won't), and even though every penny of those funds goes directly to OpenSSL team members, it is nowhere near enough to properly sustain the manpower levels needed to support such a complex and critical software product," Marquess says.
"While OpenSSL does 'belong to the people,' it is neither realistic nor appropriate to expect that a few hundred, or even a few thousand, individuals provide all the financial support," he says. "The ones who should be contributing real resources are the commercial companies and governments who use OpenSSL extensively and take it for granted."
The Linux Foundation references the lack of funding OpenSSL receives. "As this shared code has become ever more critical to society and more complex to build and maintain, there are certain projects that have not received the level of support to commensurate with their importance," the foundation says. "The Core Infrastructure Initiative will change funding requests from reactive post-crisis asks of today [like Heartbleed] to proactive reviews identifying the needs of the most important projects."
Preventing Future Heartbleeds
Even with the additional funding that will start going to critical open source projects such as OpenSSL, experts warn another "Heartbleed-type" incident could occur.
"It's certainly possible," Brill says. "For every organization, issues arise, whether from a flaw in open source code or issues relating to proprietary systems, database security or any of a wide range of problems."
The key, he says, is for organizations to recognize the risks and to have a plan to deal with them. "These [plans] should be tested regularly so that when a real issue [like Heartbleed] occurs, the organization can execute the plan and get through the issue with minimum disruption."
The chance of another major security incident is even greater when complex systems and networks are involved, Herold says. "However, with more structured, consistent and thorough oversight and review, that hopefully this project will bring, the risks should be significantly lessened," she says. "The risk of another Heartbleed should be very, very low with an established and effective oversight process in place that this project will reportedly bring."
Also in response to Heartbleed, the Office of the Comptroller of the Currency on April 25 issued an updated statement on the vulnerability, referring to an April 10 notice from the Federal Financial institutions Examination Council on expectations for financial institutions regarding patching systems and services, applications and appliances using OpenSSL (see: Heartbleed: Gov. Agencies Respond).
"Since the FFIEC alert, additional information regarding the OpenSSL vulnerability has emerged, indicating that it may affect a range of technologies including, but not limited to, internally and externally facing servers, network devices, printers, applications and mobile devices," the OCC says.
"Given the evolving information about the scope and nature of this vulnerability, banks should remain vigilant and continue their ongoing risk assessments and monitoring to detect and prevent against unauthorized access to customer information," the agency says.
The OCC recommends banks ensure third-party vendors take appropriate risk mitigation steps and then monitor the status of the vendors' efforts. The OCC recommends resources including OCC Bulletin 2013-29, "Third-Party Relationships: Risk Management Guidance," as well as controls outlined by the Financial Services Information Sharing and Analysis Center to assess the security process maturity of vendors, among other things.
Breach detection firm Mandiant also announced that an attacker posing as an authorized user tunneled into the computer system of an unidentified major corporation, exploiting the vulnerability in the OpenSSL protocol (see: Mandiant: Heartbleed Leads to Attack).
The April 18 announcement from Mandiant follows reports of at least two other breaches tied to Heartbleed. Canadian authorities arrested a teenager for his alleged role in exploiting the vulnerability to steal data from the Canada Revenue Agency website. And in the UK, the website Mumsnet forced all of its users to change their passwords after it discovered that a cyber-attacker had taken advantage of the Heartbleed bug to access data from users' accounts.