Information Security News mailing list archives

Where’s the Next Heartbleed Bug Lurking?


From: InfoSec News <alerts () infosecnews org>
Date: Wed, 30 Apr 2014 08:41:10 +0000 (UTC)

http://www.technologyreview.com/news/527016/wheres-the-next-heartbleed-bug-lurking/

By Robert Lemos
MIT Technology Review
April 29, 2014

After causing widespread panic and changing of passwords, the Heartbleed bug has largely disappeared from the news. Yet the implications of the discovery are still being debated across the computer industry. The biggest concern for security experts is how to preëmpt other flaws lurking in the Internet’s foundations.

The Heartbleed bug was discovered earlier this month in a piece of software called OpenSSL that is widely used to establish a secure connection between Web browsers and servers by managing the cryptographic keys involved. OpenSSL is an “open source” project, meaning that the underlying code is published along with the software. Also, like many other open-source efforts, it is maintained by a small group of volunteer programmers (see “The Underfunded Project Keeping the Web Secure”).

The problem is being recognized by big software companies that rely on efforts like OpenSSL. Last week, the Linux Foundation, which provides support for the popular Linux operating system, launched an effort called the Core Infrastructure Initiative to support small open-source projects. Companies including Google, Amazon, Facebook, IBM, Intel, Cisco, and Dell have so far committed more than $3 million to the effort. A steering committee will try to identify the open-source projects that most need financial support.

“The problem with open source is that you have the ‘free rider’ problem,” says Chris Wysopal, a well-known computer security expert and chief technology officer and cofounder of Veracode, an application-security assessment firm. “People and companies who are using it, and getting huge value out of it, are not giving a lot of money to keep it going.”

[...]

--
Subscribe to InfoSec News
http://www.infosecnews.org/subscribe-to-infosec-news/