Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

After Heartbleed, Tech Giants Fund Open Source Security
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
5/22/2014 | 6:02:22 AM
Psychology Change for FOSS Hackers
For decades there has been a combination of scientist and hobbyist hackers in the Free and Open Source (FOSS) community.  On one hand you've had the very formal and high-tech programmers, doing development projects with lifecycles, and on the other a more artistic and experimental effort that includes varying levels of code quality, consistency of function usage/behavior and a variety of security features, from none to ironclad.  In between, lots of solid programmers delivering usable code every day.  Here's the thing: funding isn't everything - in some cases, it's worthless.  Requirements psychology is a huge part of delivering a secure application, whether you're a PhD from MIT or a weekend Python hacker.  In other words, be formal, experimental, hack the code or design the code, but you must still hold to a set of requirements to which the end result is compared, and these days security must be part of your application requirements set.  I keep hearing about time to test and how putting code through more intensive QA in some FOSS projects might prevent the next Google or Facebook from emerging.  And, various cash sums are called out to "throw" at projects like OpenSSL to help make it more secure.  This defeats the very reason there are "free" and "open source" projects out there.  These projects are about community, not salaries; about innovation and giving to society, not about cash flow.  This means that the FOSS developer community as well as the user community need to shift their psychology to include security at every level of the programs they write, from code to executables.  The same amount of care hackers take to write a useful new extension for something like GNU Emacs, for instance, should also be put to the security and quality of the overall program.  Security bugs like Heartbleed are not about project money - it's simply about getting the community to learn about, care about and do something about the code they agreed to support as FOSS advocates and developers.  FOSS gives to society, and that comes with added responsibility.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
4/29/2014 | 10:48:41 AM
Re: Drop in the bucket
Thanks for putting that in context, Jon. That's quite a jump from $2000 a year to $1.2 million. It will be interesting to see how much added security that buys a year from now.
User Rank: Strategist
4/29/2014 | 10:06:29 AM
Re: Drop in the bucket
It's not much relative to the profits of those business, but compared to the $2,000 annually the project was receiving in donations before, $1.2 million is significant. The budget just went from $167 per month to $100,000 per month.

Honestly I'm impressed that they chose to do as much as they are, given that they don't have responsibility for the software.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
4/28/2014 | 3:34:29 PM
Drop in the bucket
 A pledge of $100,000 per year from the likes of Facebook, Google, IBM, and Microsoft etc seems like chump change. Is there something more that the industry should be doing to shore up open source security?
User Rank: Ninja
4/27/2014 | 8:15:07 AM
problem was not funding
the heartbleed error is what we classify as a "data dependency".   this is sometimes a careless error but more often an attitude problem where the programmer asserts: "if you send me good data my program will work fine" -- i.e. "I shouldn't have to check what you send me because it's your responsibility to send me good data"

i hope there are no questions about the lesson in this case.    if you are programming you have to sanitize your inputs.
Robert McDougal
Robert McDougal,
User Rank: Ninja
4/25/2014 | 2:59:16 PM
Re: About time!
You are exactly correct.  It has been (unconfirmed) reported that the NSA has upwards of 1000 employees whose responsibility is solely to exam open source projects for possible vulnerabilities.
Thomas Claburn
Thomas Claburn,
User Rank: Ninja
4/25/2014 | 2:52:20 PM
Re: About time!
The funny thing is that the NSA and other intelligence agencies have probably already conducted audits of this sort, at taxpayer expense, on many open source projects. If only they'd share what we've paid for.
Robert McDougal
Robert McDougal,
User Rank: Ninja
4/25/2014 | 2:11:01 PM
About time!
It is a shame that it has taken this long for this pledge to come through.  OpenSSL is a critical piece in the security of many organizations and applications and it should have been audited long ago.

As someone who has dug through the OpenSSL source code I can tell you that it is a nest of spaghetti code.  There could be backdoors intentionally programmed into the code but without an audit we would never know.

Recently, the Open Crypto Audit Project has raised $80,000 to begin the audit process of the Truecrypt source code.  Phase I of that project has completed and while it did not find any backdoors it did identify several minor issues that could lead to vulnerabilities. 

This is what needs to be done for all open source products that we rely on for security.  Although the code is open source and available to all, no single person has the ability or time to review a project in it's entirety.  Therefore it is important that money and resources are allocated to review the code.
Drew Conry-Murray
Drew Conry-Murray,
User Rank: Ninja
4/25/2014 | 2:09:54 PM
Somebody Else Will Fix It
I'm pleased to see the vendor community step up to fund a project like this. I think the open source community model has demonstrated that it can be robust and effective for producing good software, but Heartbleed also revealed a weakness. In a community model, it's way too easy to assume that somebody else is taking a careful look at the code. If everybody assumes somebody else is doing it, no one is.

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-17
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...
PUBLISHED: 2023-03-17
The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenti...
PUBLISHED: 2023-03-17
A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as critical. This issue affects the function view_student of the file admin/?page=students/view_student. The manipulation of the argument id with the input 3' AND (SELECT 2100 FROM (SELECT(...
PUBLISHED: 2023-03-17
A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt le...
PUBLISHED: 2023-03-17
A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipula...