After Heartbleed, Tech Giants Fund Open Source Security

In the wake of the Heartbleed vulnerability, 12 tech giants -- including Facebook, Google, IBM, and Microsoft -- each pledge $100,000 annually to improve core open source technology such as OpenSSL.

The Linux Foundation Thursday announced that 12 leading technology firms have each pledged $100,000 per year, for the next three years, to fund open source projects. The new Core Infrastructure Initiative is the industry's response to the Heartbleed bug found earlier this year in OpenSSL, the open source SSL/TLS library. The vulnerability highlighted that more than half of the world's Web servers rely on a library maintained by an open source project that receives only about $2,000 per year in donations, even as the Internet ecosystem has become much more complex and interoperability requirements have increased.

"There are certain projects that have not received the level of support commensurate with their importance," the Linux Foundation said in a statement. "As we just witnessed with the Heartbleed crisis, too many critical open source software projects are under-funded and under-resourced."

But that's about to change, with the first wave of Core Infrastructure Initiative supporters having now collectively pledged $1.2 million per year through 2016. Those 12 supporters are Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, RackSpace, and VMware.

The launch of the Core Infrastructure Initiative has been widely lauded. "This is fantastic," Dan Kaminsky, chief scientist at White Ops, says via email, emphasizing that the open source technology that facilitated the rise of so many Internet businesses requires ongoing investment to remain useful, usable, and secure.

"This isn't charity," he says of the initiative. "It's just very wise business."

The effort commits leading technology players to getting proactive about securing and improving the many pieces of technology that collectively form what's known as the Internet. "This is not just about the money, but the forum," Jim Zemlin, the executive director of the Linux Foundation, told the New York Times. "Instead of responding to a crisis retroactively, this is an opportunity to identify crucial open-source projects in advance. Right now, nobody is having that conversation, and it's an important conversation to have."

The first order of business will be examining OpenSSL, and potentially awarding "fellowship funding for key developers," as well as allocating resources to bolster security, outside reviews, and patch-turnaround speed for the library, according to the Linux Foundation. But it emphasized that the overall effort "will not be restricted to security-related issues."

Crucially, the Core Infrastructure Initiative also represents the technology industry putting its money where its mouth is. "There's an actual, stable commitment of money -- critical if there's to be full-time engineers hired to protect this infrastructure," says Kaminsky. Also important, he says, is the choice of a de-politicized nomenclature. "'Core Infrastructure' is a great name that avoids the baggage of 'critical infrastructure' while expressing the importance of attention," he says.

The launch of the initiative now paves the way for more businesses to get involved. "We have said that OpenSSL, an important tool for millions of large organizations, needs more oversight and support," Marc Gaffan, chief business officer at Web application firewall vendor Incapsula, says via email. "We’re happy to see the Linux Foundation step up to support OpenSSL and we look forward to the opportunity to participate in the program."

The Core Infrastructure launch isn't the only change in the information security community triggered by the discovery of the Heartbleed bug, nor the only effort to repair OpenSSL. In recent weeks, many security researchers have been building related patches and hammering away at OpenSSL to find any further bugs.

OpenBSD founder Theo de Raadt, for one, last week told DarkReading that his group was looking to remove legacy code and "risky code practices" from OpenSSL without breaking it for anyone already using it. In particular, the group was eyeing OpenSSL's memory allocator, which de Raadt believes is vulnerable to attack. This week, however, de Raadt announced that rather than trying to salvage OpenSSL, the OpenBSD community has forked it and is building its own version of the free SSL/TLS library, to be called LibreSSL.

Even so, expect others to continue investing time and energy in improving OpenSSL or making it more functional. Google, for example, earlier this year rolled out a new TLS cipher suite (ChaCha20-Poly1305) for Chrome, which required creating a new abstraction layer in OpenSSL. The new cipher suite is designed to run about three times as fast as AES on devices that don't have built-in AES hardware acceleration, which includes most smartphones, as well as Google Glass and older PCs.

"This improves user experience, reducing latency and saving battery life by cutting down the amount of time spent encrypting and decrypting data," Elie Bursztein, Google's anti-abuse research lead -- and one of the four coders involved in the project -- said Thursday in a blog post.
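To show why the cipher behind the Chrome change runs well without AES hardware, here is the ChaCha20 block function from RFC 7539 (the encryption half of the ChaCha20-Poly1305 suite) in pure Python. This is an added illustrative example, not code from the article, Google, or OpenSSL. The key and nonce values are the RFC's own test-vector inputs; the function names and the short sample message are this example's own.

```python
"""ChaCha20 block function and keystream encryption (RFC 7539, sections 2.3-2.4).

Added example, not from the article, Google or OpenSSL.  The point it makes:
the whole cipher is 32-bit additions, rotations and XORs (ARX).  There are no
S-box table lookups, so it needs no AES instructions to be fast and has no
data-dependent memory access to leak timing.
"""
import struct

MASK32 = 0xFFFFFFFF


def rotl32(v, c):
    """Rotate a 32-bit word left by c bits."""
    return ((v << c) & MASK32) | (v >> (32 - c))


def quarter_round(s, a, b, c, d):
    """ARX quarter round on four words of the 16-word state, in place."""
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """Return the 64-byte keystream block for (256-bit key, counter, 96-bit nonce)."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 needs a 32-byte key and a 12-byte nonce")
    # State layout: 4 constant words, 8 key words, 1 counter word, 3 nonce words.
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key))
             + [counter & MASK32]
             + list(struct.unpack("<3I", nonce)))
    working = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds
        # column rounds
        quarter_round(working, 0, 4, 8, 12)
        quarter_round(working, 1, 5, 9, 13)
        quarter_round(working, 2, 6, 10, 14)
        quarter_round(working, 3, 7, 11, 15)
        # diagonal rounds
        quarter_round(working, 0, 5, 10, 15)
        quarter_round(working, 1, 6, 11, 12)
        quarter_round(working, 2, 7, 8, 13)
        quarter_round(working, 3, 4, 9, 14)
    # Feed-forward: add the original state so the rounds cannot be inverted.
    out = [(w + s) & MASK32 for w, s in zip(working, state)]
    return struct.pack("<16I", *out)


def chacha20_crypt(key, counter, nonce, data):
    """XOR data with the keystream; encryption and decryption are the same op."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out.extend(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)


# RFC 7539 section 2.3.2 test-vector inputs (key 00..1f, nonce 00000009000000 4a 00000000).
RFC7539_KEY = bytes(range(32))
RFC7539_NONCE = bytes.fromhex("000000090000004a00000000")

if __name__ == "__main__":
    block = chacha20_block(RFC7539_KEY, 1, RFC7539_NONCE)
    print("keystream block:", block.hex())
    msg = b"constructed sample message for the example"
    ct = chacha20_crypt(RFC7539_KEY, 1, RFC7539_NONCE, msg)
    assert chacha20_crypt(RFC7539_KEY, 1, RFC7539_NONCE, ct) == msg
```

Note that on its own ChaCha20 is only a stream cipher: reusing a (key, nonce) pair leaks the XOR of two plaintexts, and the output is malleable. The TLS suite pairs it with the Poly1305 authenticator for exactly that reason, so this block demonstrates the performance argument, not a complete record-protection scheme.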
