The OpenSSL Heartbleed issue was a simple mistake with very large consequences. It shows just how vulnerable the world can be when there is a problem in foundational components, especially when those components have become de facto standards. By its very nature, open source software can reach adoption at scales that commercial software can only dream of achieving. Standardization, usually considered the strength of open source foundational pieces, was shown to be its own weakness with Heartbleed. This was exacerbated by the fact that not many of us really pay much attention to OpenSSL. Most of us just link to it, or use a web server that links to it, and it comes along for the ride in our operating system layer. Keep up to date on OS patches and everything should be good, we hope.
So now that our base assumptions have been rocked, should we all rush to switch from our open platforms and run into the open arms of commercial vendors? Certainly not!
The road to security is paved with critical issues in both open source and commercial software. But open source still provides significant advantages, particularly for these types of foundational building blocks:
• A very large number of end users can find many more edge cases and contribute valuable information back to a project. It’s like having a huge QA budget.
• The code is open for all to see and scrutinize. One mistake found two years after the fact shouldn’t overshadow all the other instances where open code has allowed many other security improvements to be caught early.
Way back in 1999, security expert Bruce Schneier made the case for open source cryptography:
“Cryptography has been espousing open source ideals for decades, although we call it ‘using public algorithms and protocols.’ The idea is simple: cryptography is hard to do right, and the only way to know if something was done right is to be able to examine it.”
This point still holds true today. Hiding the code gives only security through obscurity, and that works only until the issues are reverse engineered by a motivated party, probably for malicious purposes.
• Anyone can step up and contribute improvements to a project. Instead of a huge backlog of improvements and only five developers focused on what makes the most business sense, an OSS project can have hundreds of contributors only beholden to the people that use the software. They can get incremental improvements into the hands of the community much faster.
• Most importantly for me, the community owns up to the mistake, starting with the developer who put it in the code. Open source communities don’t hide the problems hoping to avoid costs and increase stockholder value. They are responsible to the users and the trust the users place in their products. And when problems are pointed out, they acknowledge, fix, and then learn from the mistakes.
One thing that Heartbleed teaches us, from the community to the end users, is that we cannot be complacent with such important pieces of our infrastructure. Several really smart people, and the rest of the world, missed a crucial mistake in OpenSSL. We need to learn to not take these communities for granted. We need to invest in these communities to make them even stronger, for we all benefit from their work a great deal.