The discovery of the Heartbleed vulnerability in some versions of the OpenSSL cryptographic library in April 2014 has had a positive effect, says Rapid7.
“If having a huge bug with slick branding is what it took to get powerful attention on OpenSSL, I wish it had happened way sooner,” said Tod Beardsley, security engineering manager at Rapid7.
The effect of Heartbleed has been “hugely positive”, he told Computer Weekly on the side-lines of the DEF CON 23 hacker conference in Las Vegas.
Since the discovery of the Heartbleed flaw, Beardsley – who works on the Metasploit open source software framework at Rapid7 – said there have been at least two major forks of OpenSSL.
Google has released its own OpenSSL fork called BoringSSL, while OpenBSD has done the same with LibreSSL.
“I love forking. It used to be regarded as a dirty thing to do to software because nobody knows what is the ‘real one’, but the ‘real one’ is whatever people are using,” said Beardsley.
He sees the OpenSSL forks as being one of the positive consequences of the attention that the discovery of the Heartbleed flaw has drawn to open-source security.
“Imagine if the de facto OpenSSL library was proprietary, then only one person or only one team of software developers could actually look at it and work on it, which would have been even more disastrous,” said Beardsley.
“Banks were not affected by Heartbleed because they do not use OpenSSL. However, they do use their own proprietary encryption systems – and who knows what bugs they may have?
“The banks themselves may know, but they may not. It is hard to say. It is much harder to get at the root of these things if people are not looking at the source code,” he said.
Beardsley recognises Heartbleed was a disaster and people in the open-source community should have been looking at the code.
“But I am happy with the way things have developed. We now have more people looking at the code,” he said, which has resulted in the discovery of more vulnerabilities in OpenSSL.
In the wake of the Heartbleed discovery, critics of open source were quick to say the discovery of the bug two years after it was introduced is proof that the model is broken.
The premise of open-source development is that it will produce high-quality and highly secure software because of the large number of people reviewing the code and working to improve it.
Ironically, an open-source developer inadvertently introduced the coding error responsible for Heartbleed during one of these review cycles in December 2011.
But, according to Beardsley, the knock-on effect of Heartbleed to other open-source security projects has been minimal – either positively or negatively – because of the siloed nature of open source.
Apart from technology firms such as Microsoft, Google and Facebook setting up a multi-million dollar project to fund open source projects critical to core computing, there has been little fresh investment.
“Perhaps it will take more big, flashy bugs such as Heartbleed that really hurt to drive investment in other open-source security projects,” said Beardsley.
However, Heartbleed has helped to raise enterprise awareness that open-source projects need to be well resourced to work, so that the code has as few vulnerabilities as possible.
“Enterprises should be aware of what support there is for open-source software they plan to use because – if it is an obscure project – there may not be a lot of eyes looking at the code,” said Beardsley.
For this reason, Rapid7, which acquired the Metasploit open-source framework in 2009, also contributes to other open-source projects it relies on, such as LibreSSL.
Beardsley said that while the discovery of Heartbleed has not necessarily made enterprises less likely to use open-source software, they are more likely to ensure they have better visibility of what is going on in the software and more likely to contribute to the open-source project.
However, enterprise contribution to open source is not as common as it should be, he said. “Rapid7 encourages me to work on open source a lot, but I am in a fairly unusual position and I wish I were a little less unusual because that is a way of ensuring more eyes on the code.”
There were fears, said Beardsley, that when Rapid7 acquired Metasploit it would become “corporate” and there would be a paid-for version that had all the functionality.
“But Rapid7 hasn’t done that. Metasploit open source has been an underpinning of the entire product line because it gives us insight into where all the researchers go – and they only care about what is actually out in the world.
“We don’t deal with the cyber terrorist because that person hasn’t really showed up yet. We deal with cyber criminals. We deal with what is actually on the wire – the real, malicious stuff. We try to model real attacks,” he said.
While Metasploit is an important source of intelligence for Rapid7, Beardsley said the company gives back to the security community by making the framework easier to use.
Because it is open source, many of the contributors to Metasploit come from what he describes as a “carousel” of volunteers, as well as a fairly stable core group.
“We have about 200 contributors in any given year, but only 20 to 30 could be described as multi-year contributors that make up the core 10%,” said Beardsley.
He claims to have contact with most contributors, but because around 90% of these are changing from year to year, it keeps his work with Metasploit fresh and interesting.