In the wake of the latest security meltdown, Heartbleed, the Linux Foundation, a non-profit consortium of industry titans, late last month formed the Core Infrastructure Initiative to support open source funding for some of the most critical and underfunded projects. The first target of this multimillion dollar endeavor is, quite understandably, OpenSSL. This action appears laudable, but it's been a long time coming for the OpenSSL Software Foundation (OSSF).
Consider the role OpenSSL plays. It's a core component that helps protect most Internet traffic. It's compiled into almost every software package implementing Secure Sockets Layer and Transport Layer Security -- both open source and commercial -- but the OSSF itself limps along on donations that average around $2,000 annually and any other funds it can secure from consulting and commercial support contracts.
Some believe the accidental error that created the Heartbleed vulnerability was sparked by a lack of funding and resources necessary for proper code review -- elements that are common in a mature software development process. While vendors are busy patting themselves on the back for coming to OpenSSL's rescue, this leaves the rest of us wondering why it took so long.
Heartbleed makes one yearn for those halcyon days before the constant barrage of software vulnerabilities, when open source projects were backed by heroes, forming the very foundation of the Internet. What happens to derail projects into security train wrecks? Is it the constant fights over code control or the inevitable siren song of a regular paycheck for developers? Heartbleed is the culmination in a recent trend of escalating exposures in encryption mechanisms, Web browsers and operating systems. But shouldn't OpenSSL have been different, given its importance?
The dirty little secret of open source is now revealed
Open source has been the industry's dirty little secret for a long time, and now it's out for the world to see. Even in the days when proprietary hardware running Unix operating systems such as Solaris, AIX and HP-UX was the norm, open source application software still dominated: Sendmail, Apache, Internet Systems Consortium's (ISC) BIND and DHCP. And let's not forget the important part open source played in the development of Microsoft and Apple. Would we have Active Directory without OpenLDAP, or OS X without FreeBSD?
In the early days of the Internet, people were just happy that the software worked and it was a playground for early development projects like Linux. Eric Allman, Paul Vixie and Linus Torvalds ruled this world like Robin Hoods, stealing from the big guys and giving to the rest of us. Commercial vendors have incorporated so much open source into their own applications that you'd be hard pressed to find a threat and vulnerability management system that doesn't use Nmap or an IP address management system that doesn't use ISC's DHCP. It's increasingly hard to tell where open source ends and commercial software begins.
These early developers didn't write software to get rich. Gerald Combs wrote Ethereal, now Wireshark, to solve a problem. He worked at a small ISP and needed a packet analyzer that would run on Unix-based platforms. He wasn't thinking about patents or selling it to someone to make a bundle of cash. Maybe that's become the problem in IT -- solving a problem has become secondary to having the next big IPO.
Heartbleed changes landscape in a fundamental way
How does Heartbleed change the landscape? This vulnerability has been devastating to the security community, with companies spending millions of dollars as they scramble to mitigate the issue. The bug was in place for two years before it was even disclosed, and it will take months to know its full impact. But the real question to ask is whether it's fair for the industry to continue its current relationship with open source, as if Heartbleed weren't the symptom of a much bigger issue. When an open source software project becomes ubiquitous and essential to doing business, it deserves better than begging for scraps from the IT industry. And it's pretty shameful that it took something as traumatic as Heartbleed to make that point.
Michele Chubirka asks:
How can the industry better support open source initiatives?