News

Heartbleed prompts tech firms to pledge open-source support

Warwick Ashford

Technology industry heavyweights have joined forces to fund open-source software development projects, such as OpenSSL, to help prevent future bugs like Heartbleed.

The Heartbleed security bug affecting networking equipment and hundreds of thousands of websites was caused by a coding error in OpenSSL software widely used for encryption.


The flaw made the headlines after researchers revealed it could be exploited to steal passwords, credit card details, encryption keys and other sensitive data, without leaving a trace.

Critics of open source have been quick to say that the discovery of the bug, only two years after it was introduced, is proof that the model is broken.

The premise of open-source development is that it will produce high-quality and highly secure software because of the large number of people reviewing the code and working to improve it.

Ironically, an open-source developer inadvertently introduced the coding error responsible for Heartbleed during one of these review cycles in December 2011.

Supporters have said the discovery of Heartbleed shows that bad consequences can arise when the scale of open-source software use outweighs the resources of the community that creates it.

This realisation has prompted Steve Marquess, co-founder and president of the OpenSSL Software Foundation, to appeal for financial support from those that use OpenSSL extensively.

“While OpenSSL does ‘belong to the people’ it is neither realistic nor appropriate to expect that a few hundred, or even a few thousand, individuals provide all the financial support,” he wrote in a blog post.

Before Heartbleed, the OpenSSL project attracted around $2,000 a year in donations, but that was a fraction of what was required to support such a complex and critical software product, said Marquess.

Inspired by the Heartbleed OpenSSL crisis, technology firms such as Microsoft, Google and Facebook have set up a multi-million-dollar project to fund open-source projects critical to core computing.

The Core Infrastructure Initiative’s funds will be administered by the Linux Foundation and a steering group that includes backers of the project, key open-source developers, and industry stakeholders.

The group’s founders say that by raising funds at a neutral organisation, such as the Linux Foundation, the industry can give projects the support they need while ensuring they retain independence.

The initiative has attracted a wide range of supporters, including software firms, internet companies, cloud computing service providers, networking firms, and chip and hardware manufacturers.

Besides Microsoft, Facebook and Google, these include Amazon Web Services, Cisco, Dell, Fujitsu, IBM, Intel, Qualcomm, NetApp, RackSpace and VMware.

The founders of the initiative have pledged to donate $300,000 each to the fund, according to Reuters.

Although the initial focus of the group will be OpenSSL, the Core Infrastructure Initiative (CII) aims to identify and fund other crucial open-source projects.

The funding will ensure support from key developers and provide other resources to improve code quality, security and review processes, and to respond to requests for code updates.

Microsoft said that, although its customers were not affected by the Heartbleed bug, security is an industry-wide issue requiring industry-wide collaboration.

“That is why we look forward to working with others in the CII, discussing our respective learnings, and sharing resources and tools, such as the Security Development Lifecycle (SDL), to drive further developments, both in the standards space, and in the security development work across the industry,” Steve Lipner, partner director of software security at Microsoft, wrote in a blog post.
