BreachExchange mailing list archives

Securing Open Source Post-Heartbleed
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 28 Apr 2014 19:40:55 -0600

http://www.databreachtoday.com/securing-open-source-post-heartbleed-a-6791

With the news that several large technology companies are going to assist
in funding critical open source projects such as OpenSSL following the
Heartbleed exploit, security experts say the move can make a difference in
ensuring better security.

The Linux Foundation, a non-profit consortium dedicated to fostering the
growth of Linux and collaborative software development, this week announced
the creation of the Core Infrastructure Initiative.

In an April 24 press release announcing the project, The Linux Foundation
says the initiative will enable technology companies to collaboratively
identify and fund open-source projects that are in need of assistance,
while allowing the developers to continue their work under the community
norms that have made open source so successful.

"The Core Infrastructure Initiative is a multi-million dollar project
organized by The Linux Foundation to fund open source projects that are in
the critical path for core computing and Internet functions," the
foundation says in a statement. "Galvanized by the Heartbleed OpenSSL
crisis, the initiative's funds will be administered by The Linux Foundation
and a steering group comprised of backers of the project as well as key
open source developers and other industry stakeholders."

The first project under consideration to receive funds from the initiative
will be OpenSSL, which the foundation says could receive fellowship funding
for key developers as well as other resources to assist the project in
improving its security, enabling outside reviews and improving
responsiveness to patch requests.

Heartbleed is a flaw in OpenSSL, a cryptographic library that provides
communication security and privacy over the Internet for applications such
as Web, e-mail, instant messaging and some virtual private networks (see:
Heartbleed Bug: What You Need to Know).

Founding backers of the initiative include Amazon Web Services, Cisco,
Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace,
VMware and The Linux Foundation.

"If those involved actually dedicate time to addressing the issues, it will
[make a difference]," says information security and privacy specialist
Rebecca Herold. "Currently we are depending upon an assumption that the
general population of IT folks will diligently inspect and vet open source
code on an ongoing basis."

Herold continues: "The fact that it took two years to find the Heartbleed
code error demonstrates the dangerous flaw in this assumption."

Heartbleed: The 'Bellwether Call'

Security analysts generally support this new initiative as a positive step
forward for securing open source projects.

Heartbleed is the "bellwether call," Herold says, that was needed to change
how open source is managed and vetted, "especially when open source code
such as OpenSSL is depended upon to be the strong and dependable security
tool used by millions of sites and devices.

"It's really pretty crazy, given our dependence on information security
open source code, that this type of project has not been done before now,"
she says.

Avivah Litan, analyst at Gartner Research, says that because open source
code has generally been more secure than proprietary code, organizations
have gotten away with not funding these initiatives. "But the world's
gotten a lot more complicated, systems are more complicated, and a system
like OpenSSL is embedded everywhere and it's become a critical piece of
infrastructure that we can't afford to be vulnerable," she says.

Alan Brill, senior managing director at security advisory firm Kroll
Solutions, is hopeful this initiative will make a real difference to
improving open source projects. "Open source code can be of immense value,
but there is a need for a transparent review function, so that part of the
process is a review," he says. "Clearly, there will need to be careful
contractual wording to define responsibility and liability where volunteer
reviewers don't see a problem that turns out to be serious."

Funding Open Source

Steve Marquess, co-founder and president of the OpenSSL Software
Foundation, recently posted an open letter detailing the financial burdens
impacting his organization.

"OSF typically receives about $2,000 a year in outright donations," he
says. With news of Heartbleed and reports of the amount of funding OSF
receives, recent support has netted the foundation close to $9,000.

"Even if those donations continue to arrive at the same rate indefinitely
(they won't), and even though every penny of those funds goes directly to
OpenSSL team members, it is nowhere near enough to properly sustain the
manpower levels needed to support such a complex and critical software
product," Marquess says.

"While OpenSSL does 'belong to the people,' it is neither realistic nor
appropriate to expect that a few hundred, or even a few thousand,
individuals provide all the financial support," he says. "The ones who
should be contributing real resources are the commercial companies and
governments who use OpenSSL extensively and take it for granted."

The Linux Foundation references the lack of funding OpenSSL receives. "As
this shared code has become ever more critical to society and more complex
to build and maintain, there are certain projects that have not received
the level of support commensurate with their importance," the foundation
says. "The Core Infrastructure Initiative will change funding requests from
reactive post-crisis asks of today [like Heartbleed] to proactive reviews
identifying the needs of the most important projects."

Preventing Future Heartbleeds

Even with the additional funding that will start going to critical open
source projects such as OpenSSL, experts warn another "Heartbleed-type"
incident could occur.

"It's certainly possible," Brill says. "For every organization, issues
arise, whether from a flaw in open source code or issues relating to
proprietary systems, database security or any of a wide range of problems."

The key, he says, is for organizations to recognize the risks and to have a
plan to deal with them. "These [plans] should be tested regularly so that
when a real issue [like Heartbleed] occurs, the organization can execute
the plan and get through the issue with minimum disruption."

The chance of another major security incident is even greater when complex
systems and networks are involved, Herold says. "However, with more
structured, consistent and thorough oversight and review, that hopefully
this project will bring, the risks should be significantly lessened," she
says. "The risk of another Heartbleed should be very, very low with an
established and effective oversight process in place that this project will
reportedly bring."

Heartbleed Updates

Also in response to Heartbleed, the Office of the Comptroller of the
Currency on April 25 issued an updated statement on the vulnerability,
referring to an April 10 notice from the Federal Financial Institutions
Examination Council on expectations for financial institutions regarding
patching systems and services, applications and appliances using OpenSSL
(see: Heartbleed: Gov. Agencies Respond).

"Since the FFIEC alert, additional information regarding the OpenSSL
vulnerability has emerged, indicating that it may affect a range of
technologies including, but not limited to, internally and externally
facing servers, network devices, printers, applications and mobile
devices," the OCC says.

"Given the evolving information about the scope and nature of this
vulnerability, banks should remain vigilant and continue their ongoing risk
assessments and monitoring to detect and prevent against unauthorized
access to customer information," the agency says.

The OCC recommends banks ensure third-party vendors take appropriate risk
mitigation steps and then monitor the status of the vendors' efforts. The
OCC recommends resources including OCC Bulletin 2013-29, "Third-Party
Relationships: Risk Management Guidance," as well as controls outlined by
the Financial Services Information Sharing and Analysis Center to assess
the security process maturity of vendors, among other things.

Breach detection firm Mandiant also announced that an attacker posing as an
authorized user tunneled into the computer system of an unidentified major
corporation by exploiting the Heartbleed vulnerability in OpenSSL (see:
Mandiant: Heartbleed Leads to Attack).

The April 18 announcement from Mandiant follows reports of at least two
other breaches tied to Heartbleed. Canadian authorities arrested a teenager
for his alleged role in exploiting the vulnerability to steal data from the
Canada Revenue Agency website. And in the UK, the website Mumsnet forced all
of its users to change their passwords after it discovered that a
cyber-attacker had taken advantage of the Heartbleed bug to access data
from users' accounts.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 