How the Tech World Turned Heartbleed Into a Net Positive
After a major vulnerability was discovered in a widely used piece of open-source security software, the tech industry found that the solution was to offer collective backing. Now the security platform is stronger than ever—and the Linux Foundation is looking to help similar open-source efforts.
A year and a half ago, a disastrous oversight in one of the internet’s most widely used security mechanisms provided a clear wake-up call for the tech world.
Heartbleed, a vulnerability in the basic infrastructure of OpenSSL, put hundreds of thousands of sites at risk when it was discovered last spring. The bug exposed a big problem with the way OpenSSL was managed: Although it was used by much of the internet, the project barely had the funding it needed to function.
Companies like Google and Dell quickly stepped up to the plate with some necessary funds. Soon, new projects to maintain and manage OpenSSL surfaced in the form of open-source forks, putting the library’s fate in a much more secure spot than it was just a few years ago.
“If having a huge bug with slick branding is what it took to get powerful attention on OpenSSL, I wish it had happened way sooner,” Rapid7’s Tod Beardsley said at the DefCon security conference earlier this month, according to ComputerWeekly.
Help After Heartbleed
Now, the Linux Foundation is working to ensure that OpenSSL and similar projects don’t have to wait for a disaster just to get some basic maintenance. Last year, in the immediate aftermath of Heartbleed, the foundation announced its Core Infrastructure Initiative (CII), which has received millions in financial support from major corporations and funded a wide array of fundamental projects. The foundation now wants to take things a step further by using CII to highlight projects that are taking a well-considered approach to security through a newly announced badging program.
“Virtually every industry and business leverages open source and is therefore more interconnected and dependent on it than ever before,” the foundation wrote in a news release last week. “Despite its prevalence, trying to quickly determine the best maintained and most secure open source to use is a complex problem for both seasoned CIOs and nimble developers.”
The foundation is asking for input from the public on what the badging program should include and has posted an early draft of the initiative on GitHub.
“By coming out early with some initial criteria, we hope that the community will quickly get involved and not only influence the questions, but also acknowledge how important it is for developers to be able to quickly assess the health of a project that they depend on,” Emily Ratliff, the Linux Foundation’s senior director of infrastructure security, said in a news release. “A free, credible badge system can fill this niche, ensuring that new projects depend only upon the healthiest open-source projects, thus improving our global internet infrastructure.”
Strength in Numbers
The foundation’s effort is inspiring. Too often, cybersecurity is treated as an internal problem—something that we have to solve on our own, lest we let the cat get out of the bag. The foundation is saying that everyone has a role to play, and that by working together, we can solve these problems before they become more serious.
Some of the best industry initiatives over the years—the Securities Industry and Financial Markets Association’s “Quantum Dawn” exercises, efforts by the retail and financial industries to focus on sharing information about cyberthreats, the American Council for Technology and Industry Advisory Council’s recent crowdsourcing campaign—vary widely in strategy, but they have one thing in common: Instead of focusing on what they can do internally to fix the security issue, organizations are leveraging the broader potential of collaboration.
The world of cybersecurity is full of horror stories of firewalls that have fallen by the wayside, leaving users vulnerable. Last week’s Ashley Madison saga is but one example of many. But for all the weak points that associations may have on technology issues, they have one particularly strong point: strength in numbers.
If we hope to protect our own homes, it’s time to start looking toward the community for help.