BreachExchange mailing list archives

Your Internet security relies on a few volunteers

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 23 Apr 2014 18:47:40 -0600

http://www.kcci.com/project-economy/Your-Internet-security-relies-on-a-few-volunteers/25546584

Last week's Heartbleed Internet bug revealed a startling fact. The software
protecting banks, email, social media and government is maintained by only
a few people.

They're all volunteers. And only one does it as a full-time job.

Their labor of love is OpenSSL, a free program that secures a lot of online
communication. And it was a tiny coding slip-up two years ago that caused
the Heartbleed bug, a hole that allows attackers to peer into computers.
The bug forced emergency changes last week at major websites like Facebook,
Google and Yahoo.

But security experts say OpenSSL is severely underfunded, understaffed and
largely ignored.

The bug wasn't caught until recently, because the OpenSSL Software
Foundation doesn't have the resources to properly check every change to the
software, which is now nearly half a million lines of code long. And yet
that program guards a vast portion of our commerce and government --
including weapon systems and smartphones, the foundation claims.

"The mystery is not that a few overworked volunteers missed this bug; the
mystery is why it hasn't happened more often," Steve Marquess, the
foundation's president, said in an open letter.

When weighed against its critical importance to Internet security, OpenSSL
has a shoestring budget. It has never received more than $1 million a year,
Marquess said. The only federal support listed online was a single $20,000
renewal contract from the Department of Defense.

While the foundation receives money from the Department of Homeland
Security, Citrix and others, the vast majority of its funding is from
specific work-for-hire contracts. A company wants a certain feature added
here, a specific function there. It keeps developers busy. But Marquess
said there's no money going toward reviewing the code or performing audits.

In fact, the only person working on this full-time is Stephen Henson, an
extremely private mathematician living in England who referred requests for
comment to Marquess. Only a handful of other developers pitch in with any
consistency, and Marquess told CNN their total labor amounts to maybe two
full-time workers.

Even in the aftermath of Heartbleed, the foundation has received only
$9,000 -- prompting Marquess to publicly call out companies that use OpenSSL
for free.

"I'm looking at you, Fortune 1000 companies," he wrote.

In the wake of Heartbleed, this lack of funding for OpenSSL may prove a
wake-up call.

Startups and major corporations frequently use open-source software because
it's freely distributed and costs nothing. But they rarely contribute back
in dollars or donated time. Without significant outside help -- donating
dedicated staff and money without strings attached -- open-source projects
like this are at risk of fizzling out or blowing up in our faces, said
Azorian Cyber Security founder Charles Tendell.

"If you bought your car and knew it was put together by volunteers, how
would you feel about that?" Tendell asked.

A select few firms provide some help. Facebook and Microsoft sponsor bug
bounties via the HackerOne program -- essentially paying hackers to find
mistakes that need fixing. And it was a Google security researcher, Neel
Mehta, who discovered the Heartbleed bug.

Others are convinced it's time to chip in. The initial response by Marc
Gaffan, cofounder of cloud-security provider Incapsula, was: "What do you
expect? You got this for free. You get what you pay for." But it turns out
his company relies on OpenSSL too. When asked if he would lead by example,
Gaffan promised his firm would make its first donation.

This recent scare has gotten the White House's attention. The Obama
administration is now "taking a hard look at widely used tools such as
OpenSSL to see if there is more that the federal government needs to do --
including supporting research and development," said National Security
Council spokeswoman Laura Lucas Magnuson.

There's a catch, however. The government can only get so close without
triggering fears that it's actually undermining the security of online
communications, especially after Edward Snowden's disclosures about the
National Security Agency's extensive surveillance programs. Former NSA
crypto engineer Randy Sabett, now a tech privacy attorney at the Cooley law
firm, expects the open-source community will be apprehensive.

"The public does not want the government involved in the design of the
commercial Internet," he said. "They don't want back doors put in."