Everyone’s very much aware of Heartbleed. We’ve seen vendor responses, read the analysis, used the tools, and even eaten the cake. But now that the excitement has died down and many impacted devices have been patched, what’s happening next to prevent this sort of issue from ever happening again?
The team over at OpenBSD has taken the problem of OpenSSL’s rat’s nest of code into their own hands to do a cleanup and hopefully reduce the likelihood of another “hidden gem”from showing up anytime soon. The OpenBSD team has always been focused and passionate about providing their users the strongest security possible through taking bold action when they find a given technology isn’t reaching their expectations. With that desire in mind, they’ve decided to take drastic measures to “fix”OpenSSL in a manner that will help ensure another Heartbleed isn’t laying dormant.
One downside to their approach is that they are effectively scoping this cleanup to OpenBSD only with no announcement of a “portable”version (like how they do OpenSSH) currently. While it’s certainly possible this could still occur, it may not be the path for the general technology community to go down as platforms needing support might not be included. Still, this sort of “we’ll help ourselves”attitude is one reason OpenBSD has always been so successful with their projects. It’s a great step to see, if for nobody else, the existing and future users of this great operating system.
To the needs of the non-OpenBSD masses, the folks at Bugcrowd have swung for the fences by facilitating a $250,000 crowd-funding effort to have OpenSSL properly audited. Much like their standard operating model, Bugcrowd will use this fund to incentivize researchers to hunt for bugs more proactively in the codebase. Any remaining funds would then be provided directly to the OpenSSL Software Foundation. The Bugcrowd team is often looking for ways to rally the community around beneficial processes like this, so hopefully you’ll consider donating some of your money (or, perhaps research time).
Lastly, we have the most direct appeal, straight from the OpenSSL Software Foundation. Steve Marquess wrote a rather thoughtful and lengthy post about the need for financial support of the project. More than that, though, he did an admirable job of explaining the reality of maintaining an open-source project that I feel gives a much needed perspective into a world most people using said software has no clue about. While his post certainly won’t get the media attention it deserves versus the hundred stories about how Heartbleed was a bad thing, it will likely be a great reference point for years to come as to the rationale of the open-source community.
Will another Heartbleed-like event happen? Probably. But we have to weigh the realities of the amount of software we rely-on against the number of these horrific scenarios we endure. While vulnerabilities often pop up, we rarely see the kind of easy-to-exploit confidentiality nightmare that was Heartbleed and perhaps for that, we should be more thankful than annoyed.
While it would be great to say that “this will change everything”it will only likely help expedite those who already care to maybe squash a couple more bugs. Think about donating a few dollars to whichever of the above endeavors you most believe in and we can all hope to wake up tomorrow without seeing the terrifying sentence, “A major vulnerability was found today in…”again.
Mark Stanislav | Duo Security | @markstanislav
Bio: Mark Stanislav is the Security Evangelist for Duo Security, an Ann Arbor, Michigan-based start-up focused on two-factor authentication and mobile security. With a career spanning over a decade, Mark has worked within small business, academia, start-up, and corporate environments, primarily focused on Linux architecture, information security, and web application development.
Mark earned his Bachelor of Science Degree in Networking & IT Administration and his Master of Science Degree in Technology Studies, focused on Information Assurance, both from Eastern Michigan University. During his time at EMU, Mark built the curriculum for two courses focused on Linux administration and taught as an Adjunct Lecturer for two years. Mark holds CISSP, Security+, Linux+, and CCSK certifications.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.