Where’s the Next Heartbleed Bug Lurking?
OpenSSL, which the Internet depends upon, has a single full-time employee dedicated to keeping the software secure. Other projects are similarly understaffed.
After causing widespread panic and changing of passwords, the Heartbleed bug has largely disappeared from the news. Yet the implications of the discovery are still being debated across the computer industry. The biggest concern for security experts is how to preëmpt other flaws lurking in the Internet’s foundations.
The Heartbleed bug was discovered earlier this month in a piece of software called OpenSSL that is widely used to establish a secure connection between Web browsers and servers by managing the cryptographic keys involved. OpenSSL is an “open source” project, meaning that the underlying code is published along with the software. Also, like many other open-source efforts, it is maintained by a small group of volunteer programmers (see “The Underfunded Project Keeping the Web Secure”).
The problem is being recognized by big software companies that rely on efforts like OpenSSL. Last week, the Linux Foundation, which provides support for the popular Linux operating system, launched an effort called the Core Infrastructure Initiative to support small open-source projects. Companies including Google, Amazon, Facebook, IBM, Intel, Cisco, and Dell have so far committed more than $3 million to the effort. A steering committee will try to identify the open-source projects that most need financial support.
“The problem with open source is that you have the ‘free rider’ problem,” says Chris Wysopal, a well-known computer security expert and chief technology officer and cofounder of Veracode, an application-security assessment firm. “People and companies who are using it, and getting huge value out of it, are not giving a lot of money to keep it going.”
Even three weeks after the bug was discovered, some laggard businesses are still updating servers, installing new cryptographic certificates, and directing users to reset their passwords. More troubling for experts like Wysopal is that other foundational components of the Internet are, like OpenSSL, small open-source projects. And it can be difficult to tell which may lack the resources needed to rigorously check their code for security vulnerabilities.
Before the Heartbleed bug was discovered, few had heard of OpenSSL or the 11 developers who donate much of their time to the project. The OpenSSL Software Foundation, which handles the commercial contracting for the organization, employs just a single full-time developer. It received a grand total of $2,000 in donations last year, and it has never taken in more than $1 million in revenue for its consulting and support services.
“There should be at least a half dozen full-time OpenSSL team members, not just one, able to concentrate on the care and feeding of OpenSSL without having to hustle commercial work,” wrote Steve Marquess, the official fundraiser and business contact for the OpenSSL Software Foundation, in a blog post shortly after Heartbleed was disclosed. “If you’re a corporate or government decision maker in a position to do something about it, give it some thought. Please.”
Marc Maiffret, chief technology officer at Beyond Trust, a security software firm, says other open-source projects face a similar problem. “People assume that just because something is open source there is this magical effort that goes on to find bugs and make it secure. But it usually starts with a couple of people, perhaps it gets popular, and then ends … with a couple of people.”
Wysopal of Veracode says the key problem is that there is no way to gauge the importance of different pieces of Internet infrastructure: “If someone wanted to do widespread attacking of lots of sites, which components are widely used and on the front of the attack surface?”
The challenge of predicting where big vulnerabilities may emerge is compounded by the fact that Internet programmers increasingly assemble their code from a range of third-party components and libraries. In a report released last year, a company called Aspect Security found that 26 percent of the libraries downloaded for use in applications had known vulnerabilities. “The problem is there are so many components that the software stack depends on,” says Jeff Williams, cofounder and CTO of Aspect. “The Internet is a haystack full of needles.”