Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Is open source to blame for the Heartbleed bug?

Tony Bradley | April 10, 2014
By now you've likely heard about the Heartbleed bug, a critical vulnerability that exposes potentially millions of passwords to attack and undermines the very security of the Internet. Because the flaw exists in OpenSSL--which is an open source implementation of SSL encryption--many will question whether the nature of open source development is in some way at fault. I touched based with security experts to get their thoughts.

By now you've likely heard about the Heartbleed bug, a critical vulnerability that exposes potentially millions of passwords to attack and undermines the very security of the Internet. Because the flaw exists in OpenSSL — which is an open source implementation of SSL encryption — many will question whether the nature of open source development is in some way at fault. I touched based with security experts to get their thoughts. 

Closed vs. Open Source

First, let's explain the distinction between closed source and open source. Source refers to the source code of a program — the actual text commands that make the application do whatever it does.

Closed source applications don't share the source code with the general public. It is unique, proprietary code created and maintained by internal developers. Commercial, off-the-shelf software like Microsoft Office and Adobe Photoshop are examples of closed source.

Open source, on the other hand, refers to software where the source code is available to the public. Open source projects are generally collaborative efforts because any developer is free to review the code, edit or enhance it, or add features. Popular examples of open source software include Linux, the Apache Web server, and OpenSSL.

Open source (in)security

When anyone is free to view the source code, and any developer can submit changes to the open source project, there are potential security concerns. Without properly vetting the developers, there is no way to know what — if any — secure development practices are being used, and the possibility exists for a malicious developer to intentionally introduce a vulnerability like Heartbleed for the express purpose of exposing the software to attack.

Does that mean that open source tools are inherently insecure, or less secure, than their closed source cousins?

"An argument could be made that the collaborative nature of open source software development compounds the challenge of ensuring security is considered throughout the software life cycle," David Shearer, CISSP, PMP, and Chief Operating Officer of (ISC)2, said in a statement sent to PCWorld.

The security implications of what should be a simple diagnostic capability in OpenSSL is a prime example. According to Shearer, "One could go as far as to say that we may be heading toward a time where some of the key security architecture components that are available as open source software may need to be more closely managed and monitored."

But while it's true that there are some security concerns unique to the collaborative nature of open source and to having the source code open to the general public, there are also ways that open source strengthens security. 

"The advantage to open source is that it is so transparent that we can detect and fix quickly," TK Keanini, CTO of Lancope says. 

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.