


Tech titan funding just a start in securing critical open-source projects

Apr 24, 2014 | 3 mins
Application Security, Manufacturing Industry, Network Security

Security experts say a formal, enterprise-class product development structure is also needed

Major tech companies’ funding commitments to support critical open-source projects are only the first step in preventing another industry-disrupting OpenSSL Heartbleed bug, security experts say.

The several million dollars expected to go into the Core Infrastructure Initiative announced Thursday need to be spent on building processes for secure development and quality assurance, experts told CSOonline. Without a functioning organization in each project, flaws would continue to go unnoticed.


In the case of the OpenSSL Project, it had just one full-time employee and received only $2,000 a year in donations. This meager funding contributed to the bug going undetected for two years.

Successful open-source projects, such as those behind the Apache Web server or Linux operating system, have a leadership group responsible for secure development, Marc Hoit, vice chancellor for information technology at North Carolina State University, said.

“All open-source or community-based projects, or actually for that matter (commercial) projects, need not only funding, but also a champion to kind of steer them along,” Hoit said.

The roster behind the CII is impressive. It includes Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, VMware and The Linux Foundation.

However, neither the amount of money that would go into the initiative nor how the effort would be organized was announced. Ars Technica reported that the group made at least a three-year commitment and pledged $3.9 million in funding.

Besides money, the tech companies will have to donate experts from their own staff to help drive development efforts and create testing and maintenance procedures.

Open-source projects that have had such commercial support have flourished, Paul Henry, a senior instructor at the SANS Institute, said.

“Further, there has been significant funding for numerous open-source projects by the U.S. government,” he pointed out.

Examples of open-source software that have morphed into commercial products include Snort, a network intrusion prevention system now developed by Cisco-owned Sourcefire.

ForgeRock has built a business around an open-source identity management stack. Chief Executive Mike Ellis said developing open-source software for the enterprise requires a “formal product development structure to be properly hardened and secure.”

“This involves architects, developers, quality assurance, sustaining engineers, and so on,” he said. “There needs to be a serious commitment to building a project structure and taking it from a hobby to a commercial grade product.”

Besides funding more secure development efforts, money from the CII could also be used for bug bounty programs, Wolfgang Kandek, chief technology officer for Qualys, said.

“I see bug bounties as a great mechanism to get talent interested in positive computer security,” he said.

The OpenSSL flaw was critical because it compromised the wide variety of hardware and software that used the technology to secure communications between Web servers and PCs and mobile devices. All affected technology had to be patched or taken offline to avoid a potential breach.


Given the damage caused by the OpenSSL flaw, there was no excuse for the industry’s lack of support before the bug was discovered, Joseph DeMesy, senior security analyst for consultancy Bishop Fox, said.

“It is reckless of the industry to so heavily depend upon these projects and not adequately support them financially or otherwise,” DeMesy said.