Does the growing industry-wide participation in the Core Infrastructure Initiative mean that it still makes sense, from a security perspective, to incorporate OpenSSL into our applications?
The first thing any enterprise that uses OpenSSL needs to do is ensure any affected applications are upgraded so that they are using the latest version of OpenSSL (which no longer contains the Heartbleed flaw). Those with certificates vulnerable to the Heartbleed bug should ask their certificate authority how compromised keys can be revoked and new certificates issued. Those who issue self-signed certificates should revoke and reissue them as soon as they have upgraded their OpenSSL software. Longer term, enterprises need to assess whether continuing to use OpenSSL is the best way forward.
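One inventory check a security team can run while carrying out the upgrade described above, added here as an example and not taken from the original article: it parses an OpenSSL version banner (handling both the old patch-letter suffix scheme and the later purely numeric scheme) and compares the library a running Python process actually links against with a required minimum. The minimum version and the sample banners are constructed inputs chosen for illustration, not values from the article.

```python
import re
import ssl

# Old-style OpenSSL versions carry a patch letter ("1.0.1g", "0.9.8za");
# 1.1.x and 3.x releases do not. Other libraries (LibreSSL) use a different banner.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Turn a banner such as 'OpenSSL 1.0.1g 7 Apr 2014' into a comparable
    tuple (major, minor, fix, patch). Returns None for non-OpenSSL banners."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letters = m.groups()
    # Patch letters sort like base-26 digits: '' < 'a' < ... < 'z' < 'za'
    patch = 0
    for ch in letters:
        patch = patch * 26 + (ord(ch) - ord("a") + 1)
    return (int(major), int(minor), int(fix), patch)


def meets_minimum(banner, minimum):
    """True when the banner's version is at least `minimum` (e.g. '1.0.1g').
    An unparseable banner is treated as not meeting the minimum."""
    have = parse_openssl_version(banner)
    need = parse_openssl_version("OpenSSL " + minimum)
    if have is None or need is None:
        return False
    return have >= need


def runtime_openssl_ok(minimum):
    """Check the OpenSSL build this Python process is actually linked against,
    which may differ from the system package an administrator upgraded."""
    return meets_minimum(ssl.OPENSSL_VERSION, minimum)


if __name__ == "__main__":
    # Constructed sample banners; the minimum below is an arbitrary illustration.
    for sample in ("OpenSSL 1.0.1f 6 Jan 2014", "OpenSSL 3.0.2 15 Mar 2022", "LibreSSL 2.8.3"):
        print(sample, "->", meets_minimum(sample, "1.0.1g"))
    print("runtime:", ssl.OPENSSL_VERSION, "->", runtime_openssl_ok("1.0.1g"))
```

Run it inside each application's own interpreter or container rather than once per host, since bundled or vendored copies of the library are what typically get missed.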
The quality of open source software depends on a knowledgeable and active community of developers who work following a clear policy that covers how contributions are evaluated and included and how errors and problems are handled. The open source Linux operating system, for example, benefits from improvements and fixes from developers around the world contributing changes at a rate of nine per hour.
Although OpenSSL is widely deployed, it turns out it hasn't been widely supported. The OpenSSL project has been surviving on around $2,000 a year in donations with one full-time employee. This is nowhere near enough resources to properly sustain such complex software, and ongoing reviews of the OpenSSL code show that it was becoming bloated and poorly maintained. The Heartbleed flaw didn't occur because OpenSSL is open source; it happened because the project didn't receive the support it needed.
In response to these revelations, the Linux Foundation has set up the Core Infrastructure Initiative (CII) to fund and support free and open-source software projects that are critical to the functioning of the Internet and other major information systems. The companies that have joined this initiative include Amazon Web Services, Cisco, Dell, Facebook, Google, IBM, Intel, Microsoft, NetApp and VMware. Each is pledging $100,000 a year for the next three years.
OpenSSL will be one of the first software projects to receive CII funding, which will provide compensation for developers to work full time, conduct reviews and security audits, deploy test infrastructure, and cover travel and face-to-face meetings among developers. While this funding will certainly help improve the OpenSSL code, remember that it will take time. Those using OpenSSL should bring their applications up to date whenever new versions are released.
Enterprises that need an actively supported cryptographic library have limited choices: Microsoft's Cryptography API: Next Generation (CNG) and GNU Crypto for Java are the only obvious options. Alternatively, OpenBSD founder Theo de Raadt has started LibreSSL, a fork of OpenSSL, as a potential replacement; it is supported financially by the OpenBSD Foundation and the OpenBSD Project. However, it will only be offered for the OpenBSD operating system until the code and a stable commitment of further funding are in place.
The key lesson enterprises should learn from Heartbleed is that they can't rely on someone else's assurance that the software securing their key data is in fact secure. Security teams need to conduct their own risk assessment and test that the code or component is secure against the most common and pertinent threats their applications face. Bugs in software are a fact of life, so enterprises that make use of open source libraries should strongly consider contributing to the projects that maintain them. It is a lot cheaper than funding an in-house team of cryptographers or recovering from vulnerabilities such as Heartbleed.
Related Q&A from Michael Cobb