Here's why it took 2 years for anyone to notice the Heartbleed bug

[InfoSec News <alerts () infosecnews org>]

http://www.vox.com/2014/4/12/5601828/we-massively-underinvest-in-internet-security

By Timothy B. Lee
Vox.com
April 12, 2014

What caused the Heartbleed Bug that endangered the privacy of millions of 
web users this week? On one level, it looks like a simple case of human 
error. A software developer from Germany contributed code to the popular 
OpenSSL software that made a basic, but easy-to-overlook mistake. The 
OpenSSL developer who approved the change didn't notice the issue either, 
and (if the NSA is telling the truth) neither did anyone else for more 
than 2 years.

It's hard to blame those guys. OpenSSL is an open source project. As the 
Wall Street Journal describes it, the project is "managed by four core 
European programmers, only one of whom counts it as his full-time job." 
The OpenSSL Foundation had a budget of less than $1 million in 2013.

That's shocking. Software like OpenSSL increasingly serves as the 
foundation of the American economy. Cleaning up the mess from the 
Heartbleed bug will cost millions of dollars in the United States alone. 
In a society that spends billions of dollars developing software, we 
should be spending more trying to keep it secure. If we don't do something 
about that, we're doomed to see problems like Heartbleed crop up over and 
over again.


Why security flaws are different from other bugs

Computer security is a classic collective action problem. We all benefit 
from efforts to improve software security, but most organizations don't 
make it a priority. For most of us, it's economically rational to 
free-ride on others' computer security efforts.

[...]



--
Subscribe to InfoSec News
http://www.infosecnews.org/subscribe-to-infosec-news/