The disclosure of the Heartbleed OpenSSL vulnerability in April 2014 seems like old news at this point, but its impact continues to reverberate. Countless organizations were affected, and few have fully put the flaw behind them.
One organization that has been particularly strongly affected by Heartbleed is the U.S. government. As NextGov contributor Jason Thompson recently discussed, OpenSSL is an incredibly important resource for the federal government, but Heartbleed raises questions about the viability of this and other open source solutions. To continue to utilize these offerings, a renewed focus on open source security may be necessary.
Government IT issues
While the extent to which OpenSSL is used by organizations around the world has been widely discussed, few have noted how important it is for the U.S. government in particular. Thompson pointed out that OpenSSL (the project dates to 1998, when it grew out of the SSLeay library) was essential for the development of Internet-based government services.
OpenSSL remains critical for providing encryption for U.S. government IT to this day, which is what made Heartbleed such a serious security risk. Thompson reported that four researchers accepted a challenge from website security company Cloudflare and, by exploiting Heartbleed, succeeded in extracting the private key behind the challenge server's SSL/TLS certificate. One correction is needed here: the keys stolen in that challenge were TLS certificate keys, not Secure Shell keys. OpenSSH's transport does not use OpenSSL's TLS heartbeat code, so SSH servers were not themselves exploitable; the exposure is in TLS services built on the affected OpenSSL versions, and in any secret (an SSH private key or passphrase included) that such a process happens to hold in memory. Thompson's broader concern still holds: Secure Shell runs in the background of most government networks encrypting connections, and a private key that leaks once keeps working until it is replaced.
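To make the mechanism concrete, here is an added example (not code from this page, from the NextGov article or from OpenSSL) that models the Heartbleed over-read in Python. The message layout follows RFC 6520: a one-byte type, a two-byte payload length, the payload, and at least 16 bytes of padding. `vulnerable_responder` mirrors what OpenSSL 1.0.1 through 1.0.1f did, trusting the declared length; `patched_responder` adds the bounds check that 1.0.1g introduced. The heap image, the "neighbour" secret and the function names are constructed for the demonstration.

```python
import struct
from typing import Callable, Optional

# RFC 6520 HeartbeatMessage: type (1 byte) | payload_length (2 bytes, big-endian)
# | payload | padding (at least 16 bytes).
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16


def build_heartbeat_request(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request. claimed_length lets a malicious client
    declare a payload longer than the bytes it actually sends."""
    length = len(payload) if claimed_length is None else claimed_length
    return bytes([HB_REQUEST]) + struct.pack(">H", length) + payload + b"\x00" * MIN_PADDING


def vulnerable_responder(heap: bytes, record_offset: int, record_length: int) -> Optional[bytes]:
    """Models tls1_process_heartbeat in OpenSSL 1.0.1 through 1.0.1f. It trusts
    payload_length from the message and copies that many bytes starting at the
    payload, never comparing it with the length of the record actually
    received: record_length is passed in but never consulted, which is the bug."""
    hb_type = heap[record_offset]
    (payload_length,) = struct.unpack(">H", heap[record_offset + 1:record_offset + 3])
    if hb_type != HB_REQUEST:
        return None
    start = record_offset + 3
    # In C this memcpy walks past the record into adjacent heap memory; the
    # Python slice does the same over the constructed heap image.
    leaked = heap[start:start + payload_length]
    return bytes([HB_RESPONSE]) + struct.pack(">H", payload_length) + leaked + b"\x00" * MIN_PADDING


def patched_responder(heap: bytes, record_offset: int, record_length: int) -> Optional[bytes]:
    """Models the 1.0.1g fix: a request whose declared payload, header and
    minimum padding do not fit inside the received record is silently dropped,
    as RFC 6520 requires."""
    if 1 + 2 + MIN_PADDING > record_length:
        return None
    hb_type = heap[record_offset]
    (payload_length,) = struct.unpack(">H", heap[record_offset + 1:record_offset + 3])
    if 1 + 2 + payload_length + MIN_PADDING > record_length:
        return None  # the bounds check OpenSSL 1.0.1g added
    if hb_type != HB_REQUEST:
        return None
    start = record_offset + 3
    payload = heap[start:start + payload_length]
    return bytes([HB_RESPONSE]) + struct.pack(">H", payload_length) + payload + b"\x00" * MIN_PADDING


# Constructed heap image: the attacker's record sits directly in front of other
# data the process holds (a made-up session cookie and a fake key fragment).
NEIGHBOUR_DATA = b"session=7f3a9c; -----BEGIN RSA PRIVATE KEY-----\nMIIEow(fake)"
MALICIOUS = build_heartbeat_request(b"A", claimed_length=0x4000)  # sends 1 byte, claims 16384
HEAP = MALICIOUS + NEIGHBOUR_DATA


def leaked_bytes(responder: Callable[[bytes, int, int], Optional[bytes]]) -> bytes:
    """Feed the malicious request to a responder and return everything the
    attacker gets back beyond the single byte it actually sent."""
    response = responder(HEAP, 0, len(MALICIOUS))
    if response is None:
        return b""
    (length,) = struct.unpack(">H", response[1:3])
    return response[3:3 + length][len(b"A"):]


if __name__ == "__main__":
    print("vulnerable leaks key material:", NEIGHBOUR_DATA in leaked_bytes(vulnerable_responder))
    print("patched leaks:", leaked_bytes(patched_responder))
```

The private key in the Cloudflare challenge was recovered exactly this way: repeated oversize heartbeats returned chunks of heap until enough key material (in practice, the RSA prime factors) appeared in the responses.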
Federal agencies regularly use identity and access management solutions to control authorization for cloud infrastructure, along with access to applications, servers and data. And as Thompson pointed out, the key-based access that Secure Shell deployments depend on is at risk when attackers can exploit Heartbleed to read keys out of memory. This is particularly problematic for machine-to-machine data transfers and other non-human identities, he explained: such keys have no built-in expiry, so a leaked key keeps working until someone finds and rotates it.
Open source implications
However, despite all of these issues, Thompson maintained that open source solutions can still remain an invaluable resource for government agencies. The discovery of the Heartbleed vulnerability should not dissuade agencies from leveraging this technology, but rather cause departments to reconsider their approach to open source tools.
These issues should encourage “technology leaders to take another look at the critical but oft-forgotten infrastructure their agencies are riding on, especially when it is something as ubiquitous and critical as encryption technologies like SSL or Secure Shell,” Thompson explained.
In particular, the writer emphasized the need for agency decision-makers to consider who creates keys within the agency, who monitors open source technology and who delivers support for open source tools, along with a variety of related IT issues.
Open source tools
This may also be the ideal time for agency leaders to consider whether their current open source tools are sufficient for an evolving IT realm. As Thompson explained, no software is safe from the threat of external attackers – sooner or later, someone is bound to discover a vulnerability. The best that organizations, including the federal government, can do to protect themselves is to invest in the best tools and strategies to defend against these risks.
For example, agencies should make sure they have high-quality scanning solutions in place. These tools should be designed specifically to find open source components, identifying where the code is in use, including copies statically linked into appliances and vendor firmware that a package-manager query alone will not reveal. Without such resources, IT personnel cannot effectively identify where open source is in operation within the department, and therefore cannot ensure that open source best practices are being followed. A version-based check also has to account for distribution backports: Debian and Red Hat, for instance, shipped the Heartbleed fix while keeping the 1.0.1e version string, so the string alone overstates exposure.
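As an added example (not a tool from this page or from Thompson's article), the following Python classifies `openssl version` strings collected from hosts against the Heartbleed-affected range (CVE-2014-0160: OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in 1.0.1g and 1.0.2-beta2; the 0.9.8 and 1.0.0 branches were never affected). The inventory lines and host names are constructed. Classification is by version string only, so it is a triage step rather than proof: a vendor-backported build reports a vulnerable-looking version, and a build compiled with OPENSSL_NO_HEARTBEATS is not exploitable at any version.

```python
import re
from typing import Dict, List

# Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f and
# 1.0.2-beta1. 1.0.1g and 1.0.2-beta2 carry the fix; the 0.9.8 and 1.0.0
# branches never had the heartbeat code that contained the bug.
VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def heartbleed_status(version_line: str) -> str:
    """Classify one `openssl version` string by version number only:
    'vulnerable', 'patched', 'unaffected' or 'unknown'."""
    match = VERSION_RE.search(version_line)
    if match is None:
        return "unknown"
    major, minor, patch, letter, beta = match.groups()
    base = (int(major), int(minor), int(patch))
    if base < (1, 0, 1):
        return "unaffected"
    if base == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are vulnerable; 1.0.1g and later are fixed
        return "vulnerable" if letter <= "f" else "patched"
    if base == (1, 0, 2):
        if beta is not None:
            return "vulnerable" if int(beta) <= 1 else "patched"
        return "patched"  # 1.0.2 final shipped after the fix
    return "unaffected"  # 1.1.0 and later never contained the bug


# Constructed inventory: one line per host, as a collector might gather
# with `ssh <host> openssl version`. Host names and lines are made up.
INVENTORY = """\
web01  OpenSSL 1.0.1e 11 Feb 2013
web02  OpenSSL 1.0.1g 7 Apr 2014
vpn01  OpenSSL 1.0.0k 5 Feb 2013
lb01   OpenSSL 1.0.2-beta1 24 Feb 2014
db01   OpenSSL 0.9.8y 5 Feb 2013
app03  (openssl binary not found)
"""


def triage(inventory: str) -> Dict[str, str]:
    """Map each host in the inventory to its Heartbleed status."""
    result: Dict[str, str] = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, rest = line.partition(" ")
        result[host] = heartbleed_status(rest)
    return result


def vulnerable_hosts(inventory: str) -> List[str]:
    """Hosts whose version string falls in the affected range. Each still needs
    confirmation against the vendor's advisory (backported fixes keep the old
    version string) or a direct heartbeat probe before it is declared exposed."""
    return [host for host, status in triage(inventory).items() if status == "vulnerable"]


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:6} {status}")
```

Hosts reported as `unknown` (no OpenSSL binary on the path, or a non-OpenSSL library) are exactly the ones a package-manager query misses; they warrant a file-system search for bundled libssl copies rather than being treated as clean.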
Additionally, agencies should implement governance and provisioning solutions to guarantee compliance and protect open source usage against security and functional risks. Only with such tools in place can the U.S. government continue to leverage open source resources for maximum utility.