When German programmer Robin Seggelmann claimed that he was “responsible for the error” that led to the flawed OpenSSL code – now better known as Heartbleed – it was a brave move, as the IT industry sneered at the “simple” mistake that had led to widespread condemnation.
But it was what Seggelmann said next that signalled where the real error occurred.
“I wrote the code and missed the necessary validation by an oversight. Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version,” he told The Guardian newspaper.
The mantra of the open source community is that “no bug is too obscure or difficult for a million eyes” – so how did all of them miss this?
Seggelmann defended the use of open-source development, claiming that the mistake highlights the need for more people to help out on such projects.
“It has been said that 90 per cent of websites are using this code but very few are contributing,” Peter Pizzutillo, director of product marketing at software quality analysis firm CAST, explained.
“The open source communities aren’t as deep and robust as they should be; there are pockets of passionate developers out there, so it is hard to fault them; there is no open testing community, so the model only works if the takers are giving back on the code,” he said.
And by takers, he means some of the biggest companies that are using the OpenSSL code for their own benefit – the likes of Google, Cisco, BlackBerry and Juniper Networks, for example.
The president of not-for-profit information security assurance organisation CREST, Ian Glover, told Computing that the blame lies with these big firms, and with the initial developers, for a lack of testing.
“I don’t care if it’s ‘shrink-wrapped’ or open source; firstly, it should have been developed correctly, and then tested by the organisation that uses it, even if it is of low value to them. If it is critical to the business then that needs even more stringent testing,” he said.
The OpenSSL Software Foundation, which funds development of OpenSSL, is underfunded, while the project itself is volunteer-run, according to Roland Dobbins, an analyst at security firm Arbor Networks, who believes it is “in desperate need of major sponsorship and attendant allocation of resources”.
The funding, Pizzutillo suggested, should come from firms like Google, and the government.
“The likes of Google should be contributing their share; they have a lot of commercial users, the majority of which are going to pay a penalty for it if their personal details are absorbed by those who exploit the flaw,” he said.
Yahoo’s servers, for example, could have been exploited for usernames, passwords, and other sensitive information, before the web giant fixed the bug across all of its properties. Some of the funding from organisations that use the OpenSSL code could cover a dedicated team of hackers to ensure that vulnerabilities like Heartbleed are found before they appear in the wild.
Pizzutillo suggested that organisations only take action in response to publicised issues and that clients only become proactive when compliance becomes a driver instead of risk.
But while open source code has to go through a certification process to be used by the US government, among other organisations, and third-party certification for coding is emerging, CREST’s Glover encouraged firms to take ownership of the code running on their own websites.
“It’s going to take retrospective action on websites for a long time because of bad code that’s been there for many years that shouldn’t have been there in the first place, and that’s just dreadful,” he said.
Glover said that organisations that run their own code on their websites – or at least test the code they use stringently enough – will be able to get more threat intelligence, which will serve them well in the long term.
CREST has worked alongside CESG (Communications Electronics Security Group, the UK’s information assurance body) for the government’s Cyber Essentials scheme, which attempts to give an independent assessment of the essential security controls that organisations should have in place to have a level of confidence that they are mitigating risks and web threats.
Despite this element of certification, Glover warned against the idea of setting up certification for organisations that are meeting coding standards.
“Just because you pass your driving test doesn’t mean that you’re a good driver,” he said.
The ease of receiving the certification concerns Glover, but of more immediate concern to the industry will be whether Heartbleed has caught the attention of technology giants enough for them to put money back into the ecosystem.