One of the benefits often cited for open-source software is that because the code is widely available and open to review by any developer, security flaws will be caught sooner than in closed, proprietary systems. This week's near-panic around the Heartbleed flaw in OpenSSL, the open-source cryptographic library behind much of the web's TLS, calls that contention into question. When internet security czars are telling people to "stay off the internet," there's a problem.
The vulnerability, which afflicted popular web sites as well as networking gear from Cisco and Juniper, had been in the released code for more than two years before researchers at Google and Codenomicon brought it to light early this week. That's a long time.
But the German programmer who took responsibility for contributing the flawed code in late 2011 told The Guardian that he, not the open-source model, is to blame. Robin Seggelmann said his update did what it was supposed to do, enable the "Heartbeat" extension in OpenSSL, but also accidentally created the vulnerability that caused all the hubbub.
Seggelmann said he "wrote the code and missed the necessary validation by an oversight. Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version."
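The "necessary validation" he refers to is a length check. A heartbeat request declares its payload length in a header, and the responder must confirm that the declared length actually fits inside the record it received before echoing the payload back; without that check the responder copies whatever happens to sit in memory after the record. The C program below is an added illustration written for this article, not OpenSSL's code. It models a simplified heartbeat responder over a constructed memory image: the record layout (type byte, two-byte big-endian length, payload, at least 16 bytes of padding) follows RFC 6520, but the buffer contents, the `kSecret` string that stands in for adjacent heap data, and all function names are assumptions made for the demo. The same function runs with and without the check so the two behaviours can be compared on the same forged request.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16      /* RFC 6520: at least 16 bytes of padding */
#define IMAGE_LEN   128     /* size of the constructed memory image */

/* Stand-in for unrelated data lying just past the record in memory
   (an assumption for the demo; in a real server this could be anything). */
static const char kSecret[] = "AUTH_COOKIE=s3cr3t-session-token";

/* Build a heartbeat response from the record at rec (rec_len bytes on the wire).
   With validate == 0 the declared payload length is trusted, which is the bug;
   with validate == 1 the declared length must fit inside the received record.
   Returns the number of response bytes written, or -1 if the request is rejected. */
int hb_respond(const uint8_t *rec, size_t rec_len,
               uint8_t *out, size_t out_cap, int validate)
{
    if (rec_len < 3) return -1;                       /* no room for the header */
    uint8_t type = rec[0];
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    const uint8_t *payload = rec + 3;
    if (type != HB_REQUEST) return -1;

    if (validate) {
        /* The missing check: header + declared payload + padding must not
           exceed what was actually received. */
        if ((size_t)1 + 2 + payload_len + HB_PADDING > rec_len) return -1;
    }

    size_t need = (size_t)1 + 2 + payload_len + HB_PADDING;
    if (need > out_cap) return -1;                    /* response buffer too small */
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, payload, payload_len);            /* over-reads when !validate */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)need;
}

/* Constructed image: a legitimate 23-byte record ("ping" + 16 bytes of padding)
   whose length field is overwritten with claimed_len, followed by kSecret.
   Returns the record's true length on the wire. */
static size_t build_image(uint8_t *img, uint16_t claimed_len)
{
    memset(img, 0, IMAGE_LEN);
    img[0] = HB_REQUEST;
    img[1] = (uint8_t)(claimed_len >> 8);
    img[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(img + 3, "ping", 4);                       /* img[7..22] is zero padding */
    memcpy(img + 23, kSecret, sizeof kSecret);        /* data adjacent to the record */
    return 23;
}

/* Run one request through the responder. Returns hb_respond's result,
   or -2 if claimed_len would push the demo itself outside the image. */
int heartbeat_demo(int validate, uint16_t claimed_len, uint8_t *resp, size_t resp_cap)
{
    uint8_t img[IMAGE_LEN];
    if ((size_t)3 + claimed_len > IMAGE_LEN) return -2;  /* keep the demo memory-safe */
    size_t rec_len = build_image(img, claimed_len);
    return hb_respond(img, rec_len, resp, resp_cap, validate);
}

/* 1 if the response carries the adjacent "secret", 0 otherwise. */
int response_leaks_secret(const uint8_t *resp, int n)
{
    size_t m = strlen(kSecret);
    if (n <= 0 || (size_t)n < m) return 0;
    for (size_t i = 0; i + m <= (size_t)n; i++)
        if (memcmp(resp + i, kSecret, m) == 0) return 1;
    return 0;
}

int main(void)
{
    uint8_t resp[256];
    int n = heartbeat_demo(0, 64, resp, sizeof resp);
    printf("unchecked, claimed 64: %d bytes, leaks secret: %d\n",
           n, response_leaks_secret(resp, n));
    n = heartbeat_demo(1, 64, resp, sizeof resp);
    printf("checked,   claimed 64: %d (rejected)\n", n);
    n = heartbeat_demo(1, 4, resp, sizeof resp);
    printf("checked,   claimed  4: %d bytes, leaks secret: %d\n",
           n, response_leaks_secret(resp, n));
    return 0;
}
```

The forged request claims a 64-byte payload on a record that carries four, so the unchecked responder answers with 83 bytes, 60 of which come from memory it was never sent, including the adjacent cookie. The checked responder rejects the same request and still answers the honest one. The fix is one comparison; the lesson is that every length a peer declares has to be checked against the bytes actually received.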
So why did the resulting vulnerability stay under the radar for so long? Because, in his view, OpenSSL, while widely deployed, is also under-funded. OpenSSL is “definitely under-resourced for its wide distribution. It has millions of users but only very few actually contribute to the project,” he told the Guardian.
And that brings us back to the question of whether open-source software is always the better choice compared with commercial software that a company funds and supports. It's good to debate the issue, but given the traction that Linux, Apache and perhaps OpenStack have gained, this horse may have left the barn. And remember, commercial software companies haven't exactly covered themselves in glory on security either. Most notably, security giant RSA reportedly shipped its BSAFE cryptographic libraries with a random-number generator (Dual_EC_DRBG) enabled by default that was widely believed to contain a backdoor.