But thanks to the media frenzy, Heartbleed may have permanently discredited Eric Raymond's famous adage about open source quality: "Given enough eyeballs, all bugs are shallow." Most security professionals say the notion was always more aspirational than descriptive.
"I never liked the 'with many eyeballs' notion," says Joshua Corman, CTO at the firm Sonatype. "Just saying there are 'many eyeballs' doesn't mean that those eyeballs are motivated or qualified to look to find security vulnerabilities."
Open source's "many eyes" assurance served mostly to gloss over a weakness in the open source ecosystem, implying an atmosphere of constant vigilance where none existed, says Bill Weinberg, senior director of open source strategy at the firm Black Duck Software.
"With Shellshock, you didn't have many eyes," Weinberg says, referring to the critical vulnerability that was found lurking in the code for Bash in 2014. "That code was considered to be well vetted, but it turned out that it wasn't well curated, because everyone assumed it was well vetted."
While we might like to assume that the integrity of open source code is high, data from Sonatype suggests the opposite. An analysis by the company of open source components in its managed codebase found that known vulnerabilities in open source components were remediated only 41 percent of the time, Corman wrote in the Usenix journal ;login. For the issues that were fixed, the mean time to remediate them was a whopping 390 days.
But even talking about "open source" as something separate from commercial, proprietary software is misleading. While a line may once have separated open source and proprietary software projects, most modern applications are assemblages of third-party software components, many of them open source, Corman says.
Getting serious about code-level security
What's the proper response? For better or worse, the answer is largely cultural, says Katie Moussouris, chief policy officer at the firm HackerOne and a former senior security strategist at Microsoft. "We need to build a security mind-set. This is important to every software project — open source or not."
Moussouris' company provides a Web-based platform for coordinating vulnerability disclosures, including through bug bounty programs. She notes that HackerOne already sponsors bug bounties for a wide range of open source projects, including PHP, Ruby on Rails, Python, and OpenSSL, providing compensation for reports of vulnerabilities.
Open source projects need to take a more serious and systematic approach to security, she says: "You have to at least try to build security in."
Sonatype's Corman advocates a more rigorous solution: a supply chain akin to those used by manufacturers that delivers both high quality and accountability.
Using the analogy of a Ford manufacturing line, Corman notes that the company knows the provenance of each part that goes into its finished automobiles. Problems can be traced back to specific suppliers, facilities, and even production runs.