http://www.technologyreview.com/news/527016/wheres-the-next-heartbleed-bug-lurking/
By Robert Lemos
MIT Technology Review
April 29, 2014
After causing widespread panic and changing of passwords, the Heartbleed
bug has largely disappeared from the news. Yet the implications of the
discovery are still being debated across the computer industry. The
biggest concern for security experts is how to preëmpt other flaws lurking
in the Internet’s foundations.
The Heartbleed bug was discovered earlier this month in a piece of
software called OpenSSL that is widely used to establish a secure
connection between Web browsers and servers by managing the cryptographic
keys involved. OpenSSL is an “open source” project, meaning that the
underlying code is published along with the software. Also, like many
other open-source efforts, it is maintained by a small group of volunteer
programmers (see “The Underfunded Project Keeping the Web Secure”).
The problem is being recognized by big software companies that rely on
efforts like OpenSSL. Last week, the Linux Foundation, which provides
support for the popular Linux operating system, launched an effort called
the Core Infrastructure Initiative to support small open-source projects.
Companies including Google, Amazon, Facebook, IBM, Intel, Cisco, and Dell
have so far committed more than $3 million to the effort. A steering
committee will try to identify the open-source projects that most need
financial support.
“The problem with open source is that you have the ‘free rider’ problem,”
says Chris Wysopal, a well-known computer security expert and chief
technology officer and cofounder of Veracode, an application-security
assessment firm. “People and companies who are using it, and getting huge
value out of it, are not giving a lot of money to keep it going.”
[...]