CyberEye

Massive OpenSSL audit hopes to squash Heartbleed-like bugs

OpenSSL is back in the news again, almost a year after it first made a splash with the now infamous Heartbleed bug revelation. This time around, however, it looks like it could be a good thing.

Cryptography Services, the cryptography practice of NCC Group, has been commissioned by the Linux Foundation's Core Infrastructure Initiative (CII) to audit OpenSSL. It's billed as an independent audit, even though the CII has been instrumental over the past year in trying to right the OpenSSL ship by providing some of the money to get the beleaguered open source project full-time development help.

Heartbleed was a major shock to the cybersecurity ecosystem for several reasons: Not only is OpenSSL widely used in both public and private organizations' network and system security, the coding mistake that created it, a missing bounds check in the TLS heartbeat extension, apparently went undetected for about two years before it was found and patched, and no one could say for certain how many systems had been affected or what data might have been compromised.
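To show the class of mistake behind Heartbleed, here is an added, simplified reconstruction of the pattern; it is not OpenSSL's code and does not speak TLS. A heartbeat request carries its own payload length, and a handler that trusts that field copies that many bytes out of memory regardless of how many actually arrived. The "arena", the secret string and the two-byte request are constructed for the demo so that the over-read stays inside one buffer and can be observed; the hardened handler mirrors the bounds check that the OpenSSL 1.0.1g fix added.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified TLS heartbeat record layout (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes) */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define ARENA_SIZE   1024

/* Constructed stand-in for process memory: the incoming record sits at the
 * start of the arena and unrelated "secret" bytes live a little past it. */
static uint8_t arena[ARENA_SIZE];
static const char secret[] = "PRIVATE_KEY_MATERIAL";

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void     wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)(v & 0xff); }

/* Vulnerable handler, following the Heartbleed pattern: the payload length is
 * taken from the request and never compared with the record actually received,
 * so memcpy reads whatever follows the record in memory. Returns reply length or -1. */
static int hb_reply_vulnerable(const uint8_t *rec, size_t rec_len,
                               uint8_t *out, size_t out_cap)
{
    (void)rec_len;                              /* the real record size is ignored */
    uint16_t payload = rd16(rec + 1);
    size_t   resp    = 3 + (size_t)payload + HB_PADDING;
    if (resp > out_cap) return -1;
    out[0] = HB_RESPONSE;
    wr16(out + 1, payload);
    memcpy(out + 3, rec + 3, payload);          /* over-reads when payload > bytes present */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp;
}

/* Hardened handler: the declared payload must fit inside the record that
 * arrived; otherwise the request is silently discarded. */
static int hb_reply_fixed(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 + HB_PADDING) return -1;    /* too short to be a valid heartbeat */
    uint16_t payload = rd16(rec + 1);
    if (3 + (size_t)payload + HB_PADDING > rec_len) return -1;
    size_t resp = 3 + (size_t)payload + HB_PADDING;
    if (resp > out_cap) return -1;
    out[0] = HB_RESPONSE;
    wr16(out + 1, payload);
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp;
}

/* Stage a request in the arena: a 2-byte payload ("hi") that claims to be
 * `claimed` bytes long. Returns the true record length. */
static size_t stage_request(uint16_t claimed)
{
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    wr16(arena + 1, claimed);
    arena[3] = 'h'; arena[4] = 'i';             /* padding arena[5..20] is already zero */
    memcpy(arena + 128, secret, sizeof secret); /* bytes the peer must never see */
    return 3 + 2 + HB_PADDING;
}

/* 1 if the vulnerable handler copies the secret into its reply, else 0. */
int vulnerable_leaks_secret(void)
{
    uint8_t out[512];
    size_t rec_len = stage_request(300);        /* claims 300 bytes, sends 2 */
    int n = hb_reply_vulnerable(arena, rec_len, out, sizeof out);
    if (n < 0) return 0;
    for (size_t i = 0; i + sizeof secret <= (size_t)n; i++)
        if (memcmp(out + i, secret, sizeof secret) == 0) return 1;
    return 0;
}

/* 1 if the hardened handler discards the same malformed request, else 0. */
int fixed_rejects_request(void)
{
    uint8_t out[512];
    size_t rec_len = stage_request(300);
    return hb_reply_fixed(arena, rec_len, out, sizeof out) == -1;
}

/* 1 if the hardened handler still answers a well-formed request correctly. */
int fixed_answers_honest_request(void)
{
    uint8_t out[512];
    size_t rec_len = stage_request(2);          /* claimed length matches the 2 real bytes */
    int n = hb_reply_fixed(arena, rec_len, out, sizeof out);
    return n == (int)rec_len && out[0] == HB_RESPONSE && out[3] == 'h' && out[4] == 'i';
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler rejects request:   %d\n", fixed_rejects_request());
    printf("fixed handler answers honest:    %d\n", fixed_answers_honest_request());
    return 0;
}
```

The point for reviewers is in the one added comparison: every length that arrives on the wire has to be checked against the length of data that actually arrived before it drives a copy, which is exactly the kind of memory-management flaw an audit focused on protocol handling is meant to catch.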

The crisis created by that bug fed into a concern about open source software overall, with other threats such as the Shellshock vulnerability in the Bash shell shipped with Linux and Unix systems and an SQL injection vulnerability in the popular Drupal content management system adding to the worries.

It’s not as if any of these major open source resources can easily be replaced. OpenSSL is reckoned to be used on up to two-thirds of existing web servers; Linux and Unix also drive many servers, and Drupal has become a reliable and flexible option for website operations, including those at the White House and other government agencies.

Open source software isn’t alone in having security holes, of course, as many users of Microsoft, Apple, Adobe, Java and other proprietary software know. But open source security is seen as suffering from the same resource that’s considered its strength, namely an army of volunteer developers. On the one hand, that leads to the innovation and fast turnaround of new features that open source users crave; on the other, it creates more opportunities for tampering and coding mistakes.

Admittedly, others think all those volunteer developers can also be a security strength, since it puts that many more eyeballs into reviewing code. However, the events of 2014 threw enough doubt onto the security of open source software that both industry and government have been moved to do something to improve it, from bills aimed at ensuring the software supply chain to proposals for controls on the use of third-party software components.

At first glance, the Cryptography Services audit could be the most comprehensive and important of these efforts. According to the consultants who will be running it, the audit will cover a range of security concerns but will focus primarily on the Transport Layer Security stack, in particular protocol flow, state transitions and memory management. The audit may be the largest effort to date to review OpenSSL, the group said, and it’s “definitely the most public.” The aim is to spot and fix bugs such as Heartbleed before they become the kind of problem they did last year.

Preliminary results of the audit could be out by the beginning of the summer, Cryptography Services said.

It should be eagerly anticipated, as the revelation of Heartbleed, Shellshock and other bugs hasn’t necessarily brought better security. Months after the initial announcement of Heartbleed, around half of the 500,000 servers thought to be vulnerable to the bug had not been fixed. And the vulnerabilities keep on giving, with Cisco just one of the latest vendors to say that its products had been affected.

Posted by Brian Robinson on Mar 13, 2015 at 11:43 AM
