Massive OpenSSL audit hopes to squash Heartbleed-like bugs
OpenSSL is back in the news again, almost a year after it first made a splash with the now infamous Heartbleed bug revelation. This time around, however, it looks like it could be a good thing.
Cryptography Services, a part of the Linux Foundation's Core Infrastructure Initiative (CII), is going to audit OpenSSL security. It's billed as an independent audit, even though the CII has been instrumental over the past year in trying to right the OpenSSL ship by providing some of the money to get the beleaguered open source software full-time development help.
Heartbleed was a major shock to the cybersecurity ecosystem for several reasons: Not only is OpenSSL widely used in both public and private organizations' network and system security, the coding mistake that created it apparently went undetected for several years before it could be patched, and no one could say for certain how many systems had been affected or what data might have been compromised.
The crisis created by that bug fed into a concern about open source software overall, with other threats such as the Shellshock vulnerability in the Linux and Unix operating systems and a possible SQL injection attack on the popular Drupal content management system adding to the worries.
It’s not as if any of these major open source resources can easily be replaced. OpenSSL is reckoned to be used on up to two-thirds of existing web servers; Linux and Unix also drive many servers, and Drupal has become a reliable and flexible option for website operations, including those at the White House and other government agencies.
Open source software isn’t alone in having security holes, of course, as many users of Microsoft, Apple, Adobe, Java and other proprietary software know. But open source security is seen as suffering from the same resource that’s considered its strength, namely an army of volunteer developers. On the one hand that leads to the innovation and fast turnaround of new features that users of open source crave; on the other, it leads to more opportunities for tampering and coding mistakes.
Admittedly, others think all those volunteer developers can also be a security strength, since it puts that many more eyeballs into reviewing code. However, the events of 2014 threw enough doubt onto the security of open source software that both industry and government have been moved to do something to improve it, from bills aimed at ensuring the software supply chain to proposals for controls on the use of third-party software components.
At first glance, the Cryptography Services audit could be the most comprehensive and important of these efforts. According to the consultants that will be running it, the audit will cover a range of security concerns but will focus primarily on Transport Layer Security stacks and on protocol flow, state transitions and memory management. The audit may be the largest effort to date to review OpenSSL, the group said, and it’s “definitely the most public.” It will help to spot and fix bugs such as Heartbleed before they become the kind of problem they did last year.
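To make concrete the kind of memory-management check such a review looks for, here is an added illustration; it is not OpenSSL code and not part of the original article. It models a simplified, constructed heartbeat-style record (a type byte, a two-byte declared payload length, the payload, and padding) and shows the defect class behind Heartbleed: a parser that trusts the declared length instead of comparing it with the bytes actually received will copy past the end of the record. The record layout, the `hb_echo`, `hb_build_request` and `hb_probe` functions, and the constants are all assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed, simplified record layout (assumption for this example, not OpenSSL's):
 *   byte 0      : message type (1 = request, 2 = response)
 *   bytes 1..2  : declared payload length, big-endian
 *   bytes 3..   : payload, followed by at least HB_MIN_PADDING bytes of padding
 */
#define HB_HDR_LEN     3
#define HB_MIN_PADDING 16

/* Build an echo response for a request record.
 * Returns the number of bytes written to out, or -1 if the record is rejected.
 * The comparison of the declared payload length against the bytes actually
 * received is the check a memory-management review is looking for: a parser
 * that skips it and copies `declared` bytes reads past the received record
 * and leaks whatever happens to sit beyond it in memory. */
int hb_echo(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR_LEN + HB_MIN_PADDING)
        return -1;                                   /* no room for header + padding */
    if (rec[0] != 1)
        return -1;                                   /* only requests are echoed */

    uint16_t declared = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t need = (size_t)HB_HDR_LEN + declared + HB_MIN_PADDING;

    if (need > rec_len)
        return -1;                                   /* declared length exceeds what arrived */
    if (need > out_cap)
        return -1;                                   /* response would not fit the caller's buffer */

    out[0] = 2;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, declared);   /* echo only bytes we received */
    memset(out + HB_HDR_LEN + declared, 0, HB_MIN_PADDING); /* fresh padding, never stale memory */
    return (int)need;
}

/* Build a constructed request. `declared` may differ from `payload_len`
 * so that a malformed record can be modelled. Returns total bytes, 0 on overflow. */
size_t hb_build_request(uint8_t *buf, size_t cap, uint16_t declared,
                        const uint8_t *payload, size_t payload_len)
{
    size_t total = HB_HDR_LEN + payload_len + HB_MIN_PADDING;
    if (total > cap)
        return 0;
    buf[0] = 1;
    buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared & 0xff);
    memcpy(buf + HB_HDR_LEN, payload, payload_len);
    memset(buf + HB_HDR_LEN + payload_len, 0, HB_MIN_PADDING);
    return total;
}

/* Convenience probe: build a request whose payload is `actual_payload` bytes of
 * 'A' but which declares `declared` bytes, and return hb_echo's verdict. */
int hb_probe(uint16_t declared, size_t actual_payload)
{
    uint8_t req[256], resp[256], payload[200];
    if (actual_payload > sizeof payload)
        return -2;
    memset(payload, 'A', actual_payload);
    size_t n = hb_build_request(req, sizeof req, declared, payload, actual_payload);
    if (n == 0)
        return -2;
    return hb_echo(req, n, resp, sizeof resp);
}

int main(void)
{
    printf("declared 5, received 5      -> %d (echoed, 24 bytes)\n", hb_probe(5, 5));
    printf("declared 16000, received 5  -> %d (rejected)\n", hb_probe(16000, 5));
    printf("declared 3, received 5      -> %d (echoed, only 3 payload bytes)\n", hb_probe(3, 5));
    return 0;
}
```

The mismatch case (a large declared length with a tiny actual payload) is exactly the shape of input a protocol-flow and memory-management audit exercises; a correct parser rejects it outright rather than trusting the header.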
Preliminary results of the audit could be out by the beginning of the summer, Cryptography Services said.
It should be eagerly anticipated, as the revelation of Heartbleed, Shellshock and other bugs hasn’t necessarily brought better security. Months after the initial announcement of Heartbleed, around half of the 500,000 servers thought to be vulnerable to the bug had not been fixed. And the vulnerabilities keep on giving, with Cisco just one of the latest to say that its products had been affected.
Posted by Brian Robinson on Mar 13, 2015 at 11:43 AM