
Will the Core Infrastructure Initiative improve open source safety?

Industry participation in the Core Infrastructure Initiative is growing, but how will it affect open source security? Security expert Michael Cobb explains.

Does the growing industry-wide participation in the Core Infrastructure Initiative mean that it still makes sense from a security perspective to incorporate OpenSSL into our applications?

The first thing any enterprise that uses OpenSSL needs to do is ensure that every affected application is upgraded to the latest version of OpenSSL, which no longer contains the Heartbleed flaw. Those whose certificate private keys may have been exposed by the Heartbleed bug should ask their certificate authority how the compromised keys can be revoked and new certificates issued. Those who issue self-signed certificates should revoke and reissue them as soon as they have upgraded their OpenSSL software. Longer term, enterprises need to assess whether continuing to use OpenSSL is the best way forward.

The quality of open source software depends on a knowledgeable and active community of developers who work following a clear policy that covers how contributions are evaluated and included and how errors and problems are handled. The open source Linux operating system, for example, benefits from improvements and fixes from developers around the world contributing changes at a rate of nine per hour.

Although OpenSSL is widely deployed, it turns out it hasn't been widely supported. The OpenSSL project has been surviving on around $2,000 a year in donations with one full-time employee. This is nowhere near enough resources to properly sustain such complex software, and ongoing reviews of the OpenSSL code show that it was becoming bloated and poorly maintained. The Heartbleed flaw didn't occur because OpenSSL is open source; it happened because the project didn't receive the support it needed.

In response to these revelations, the Linux Foundation has set up the Core Infrastructure Initiative (CII) to fund and support free and open-source software projects that are critical to the functioning of the Internet and other major information systems. The companies that have joined this initiative include Amazon Web Services, Cisco, Dell, Facebook, Google, IBM, Intel, Microsoft, NetApp and VMware. Each is pledging $100,000 a year for the next three years.

OpenSSL will be one of the first software projects to receive CII funding, which will pay developers to work on it full time, conduct code reviews and security audits, deploy test infrastructure, and cover travel and face-to-face meetings among developers. While this funding will undoubtedly help improve the OpenSSL code, remember that it will take time. Those using OpenSSL should bring their applications up to date whenever new versions are released.

Enterprises that need an actively supported cryptographic library have limited choices: Microsoft's Cryptography API: Next Generation (CNG) and GNU Crypto for Java are the only obvious options. Alternatively, OpenBSD founder Theo de Raadt has started LibreSSL, a fork of OpenSSL intended as a potential replacement; it is supported financially by the OpenBSD Foundation and the OpenBSD Project. However, it will only be offered for the OpenBSD operating system until the code and a stable commitment of further funding are in place.

The key lesson enterprises should learn from Heartbleed is that they can't rely on someone else's assurance that the software securing their key data is in fact secure. Security teams need to conduct their own risk assessment and test that the code or component is secure against the most common and pertinent threats their applications face. Bugs in software are a fact of life, so enterprises that make use of open source libraries should strongly consider contributing to the projects that maintain them. It is a lot cheaper than funding an in-house team of cryptographers or recovering from vulnerabilities such as Heartbleed.


This was last published in November 2014


Does your organization still use open source software? Why or why not?
Yes, we do - for some things, anyway. It really depends on what we're trying to accomplish - I'm fond of using open source software for basic tasks (since it tends to be either very affordable or entirely free), but we do have a policy of only using professional software for anything important.

Open source software just can't compare to the personalized service and support you get from a professional development team, and that makes a difference.
There is a robust set of open source applications today. Many of them have good APIs that you can integrate and mash up to create your own high-tech dashboard, which may be cheaper long term for your company than, say, buying from a more expensive vendor. Open source also means that if a company goes under, we can always try to patch issues up ourselves.

I see a lot of value with open source software usage in the enterprise right now.