The disclosure of the Heartbleed flaw in OpenSSL shocked many security practitioners. It is arguably the most significant vulnerability yet revealed in a widely used open source component. That the affected OpenSSL releases had been deployed by so many companies for so long before the flaw was detected shook confidence in open source security in general.
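As an added illustration (not code from the original page, and not OpenSSL's own source), the following C sketch models the parsing mistake behind Heartbleed: a peer-supplied length field in a TLS heartbeat request is trusted, and the response is built by copying that many bytes even when the record actually received was far shorter, so whatever lies next to the record in memory is echoed back. The record layout follows RFC 6520 (one-byte type, two-byte payload length, payload, then at least 16 bytes of padding); the memory arena, the "neighbour" data, the record sizes and the function names are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not OpenSSL's code. Models a TLS heartbeat request
 * (RFC 6520): 1-byte type, 2-byte big-endian payload_length, payload,
 * then at least 16 bytes of padding. The bug: the declared payload_length
 * is trusted even when the record delivered fewer bytes than it claims. */

#define HB_REQUEST  1
#define HB_PADDING  16
#define HB_HEADER   3          /* type + payload_length */

/* Constructed memory arena (assumption for the demo): a 20-byte record
 * that claims a 31-byte payload, immediately followed by unrelated data
 * that happens to sit next to it in memory. */
static const unsigned char ARENA[] = {
    HB_REQUEST, 0x00, 0x1f,                          /* type, payload_length = 31 */
    'A',                                             /* the one real payload byte */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  /* 16 bytes of padding */
    's', 'e', 'c', 'r', 'e', 't', ':', 'h', 'u', 'n', 't', 'e', 'r', '2'
};
#define RECORD_LEN 20          /* what the record layer actually delivered */

/* Well-formed record for comparison: 1-byte payload, 16 bytes of padding. */
static const unsigned char GOOD[] = {
    HB_REQUEST, 0x00, 0x01, 'A',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Vulnerable parse: never compares payload_length with record_len.
 * Returns the number of bytes echoed into out, or -1 if out is too small
 * (the real code sized the response from the attacker's length, so the
 * problem was the over-read, not the write). */
int heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                         unsigned char *out, size_t out_cap)
{
    (void)record_len;                           /* ignored: this is the bug */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (payload > out_cap) return -1;
    memcpy(out, rec + HB_HEADER, payload);      /* reads past the record */
    return (int)payload;
}

/* Fixed parse: the kind of check the fix introduced. The declared
 * payload plus header and minimum padding must fit inside the record. */
int heartbeat_fixed(const unsigned char *rec, size_t record_len,
                    unsigned char *out, size_t out_cap)
{
    if (record_len < HB_HEADER + HB_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + payload + HB_PADDING > record_len) return -1;
    if (payload > out_cap) return -1;
    memcpy(out, rec + HB_HEADER, payload);
    return (int)payload;
}

/* Demo checks: each returns 1 if the behaviour in its comment is observed. */
int demo_vulnerable_leaks_neighbour(void)
{
    unsigned char out[64];
    int n = heartbeat_vulnerable(ARENA, RECORD_LEN, out, sizeof out);
    /* bytes 17..30 of the "echo" are neighbour data never part of the record */
    return n == 31 && memcmp(out + 17, "secret:hunter2", 14) == 0;
}

int demo_fixed_rejects_overlong(void)
{
    unsigned char out[64];
    return heartbeat_fixed(ARENA, RECORD_LEN, out, sizeof out) == -1;
}

int demo_fixed_accepts_wellformed(void)
{
    unsigned char out[64];
    int n = heartbeat_fixed(GOOD, sizeof GOOD, out, sizeof out);
    return n == 1 && out[0] == 'A';
}

int main(void)
{
    printf("vulnerable parser leaked neighbour bytes: %s\n",
           demo_vulnerable_leaks_neighbour() ? "yes" : "no");
    printf("fixed parser rejected the over-long record: %s\n",
           demo_fixed_rejects_overlong() ? "yes" : "no");
    printf("fixed parser accepted a well-formed record: %s\n",
           demo_fixed_accepts_wellformed() ? "yes" : "no");
    return 0;
}
```

The arena keeps the over-read inside one array so the demo is well defined; in the real library the extra bytes came from whatever the process had adjacent on the heap. The point for testing is that a single malformed record with a declared length larger than the record it arrived in is enough to distinguish the two parsers, which is exactly the kind of input a fuzzer or a hand-written negative test would supply.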
However, according to most industry experts, Heartbleed was an outlier and does not suggest any inherent problems with open source security. Still, some, such as InformationWeek Executive Editor Srikanth RP, believe that this revelation should encourage organizations to refocus their efforts on security testing when utilizing open source solutions.
Srikanth noted that Heartbleed has generated a great deal of discussion as to whether open source security will actually prove sufficient for companies in the future. While many had previously predicted that open source will ultimately supplant all other forms of software development, including for cybersecurity programs, Heartbleed created fears that overlooked vulnerabilities may compromise security.
Yet studies suggest that open source code is, on average, at least as clean as proprietary code, the writer explained. He pointed to a recent Coverity report which found that open source projects typically have a defect density of 0.59 per thousand lines of code, against an average of 0.72 per thousand lines for proprietary code bases. As Srikanth noted, defect density is widely used as a marker of software quality, and on that measure open source fares slightly better. One caveat a practitioner should keep in mind: defect density counts every defect a static analyser flags, not only security-relevant ones, so a lower number indicates fewer bugs in general rather than fewer exploitable vulnerabilities, and it says nothing about whether any particular project has been reviewed at all.
According to the writer, the message that company decision-makers should take away from all of this is that open source security is very achievable, but a renewed focus on testing is essential.
"The reality is that every open source project must be tested before being deployed – and it is the responsibility of developers, security experts and the dozens of big corporations that bundle in open source software with their software or hardware systems," Srikanth wrote.
This is especially true when firms rely on projects that lack enough contributors. When a project such as OpenSSL has too few people reviewing its code, the chance that bugs go unnoticed rises sharply; with enough qualified eyes actually reading the code, that risk diminishes. The qualifier matters: a large user base is not the same as a large reviewer base, and Heartbleed sat in a widely deployed library for a long time precisely because few people were looking at the code rather than merely running it.
In any event, companies can and should test the open source components they depend on themselves, both before deployment and on an ongoing basis, for example by running static analysis and fuzzing against the exact versions they ship and by tracking those versions so that fixes can be applied quickly. A component is only as secure as the release actually deployed, so this testing cannot be a one-off exercise.
The future of open source security
Going even further than Srikanth, industry commentator Steven J. Vaughan-Nichols, writing for ZDNet, argued that Heartbleed, while eye-opening, will not have any real, lasting influence on the future of open source security, because open source development has already won the battle for prominence over proprietary options.
"Outside of Apple and Microsoft, everyone, and I mean pretty much everyone, has already decided that open source is how they'll develop and secure their software," Vaughan-Nichols wrote. "Google, Facebook, Yahoo, Wikipedia, Twitter, Amazon, you know all of Alexa's top ten websites in the world, rely on open-source software every day of the year."
Vaughan-Nichols attributed Heartbleed to two things: the project was underfunded, and users did not follow best practices, including the testing Srikanth highlighted. Examined thoroughly by enough qualified people, he argued, open source software becomes highly reliable and secure.
"Put it all together and the facts show that, when done right, open source is the best way not just to develop software but to create secure software," Vaughan-Nichols concluded. "It's only in those corner cases, like OpenSSL with Heartbleed, where a program is both popular and under-funded, that there exists the real possibility of a major security problem."
Heartbleed has drawn attention to the problem of projects that are popular but under-funded, but attention alone does not prevent similar mistakes from recurring; the safeguard is the sustained review and testing that both writers describe.