Why open source software isn’t as secure as you think |

Paul Rubens | June 13, 2014

The security of open source software relies on the community spotting errors -- but Heartbleed and other recent events suggest that that's not happening.

The OpenSSL Heartbleed fiasco proves beyond any doubt what many people have suspected for a long time: Just because open source code is available for inspection doesn't mean it's actually being inspected and is secure.

It's an important point, as the security of open source software relies on large numbers of sufficiently knowledgeable programmers scrutinizing the code to root out and fix bugs promptly. This is summed up in Linus's Law: "Given enough eyeballs, all bugs are shallow."

But look at what happened with OpenSSL. Robin Seggelemann, a German programmer from Munster University, updated the OpenSLL code by adding a new Heartbeat keep-alive function. Unfortunately, he missed a necessary validation in his code to check that one particular variable had a realistic value. The member of the OpenSSL development team who checked the code before the update was released also missed it. This caused the Heartbleed bug.

One reviewer, even a handful of reviewers, can easily miss a trivial error such as this if they don't know there's a bug to be found. What's worrying is that, for two years, the Heartbleed bug existed in OpenSLL, in browsers and in Web servers, yet no one in the open source community spotted it. Not enough eyeballs scrutinized the code.

Commercial Vendors Don't Review Open Source Code

Also alarming is that OpenSSL was used as a component in hardware products offered by commercial vendors such as F5 Networks, Citrix Systems, Riverbed Technology and Barracuda Networks - all of whom failed to scrutinize the code adequately before using it, according to Mamoon Yunus, CEO of Forum Systems, a secure cloud gateway vendor.

"You would think that it would be my responsibility as a vendor, if I commercialize OpenSSL, to put my eyeballs on it," he says. "You have to take a level of ownership of the code if you build a company based on an open source component."

Instead, Yunus believes vendors just regarded OpenSSL as a useful bolt-on to their hardware products - and, since it was open source, assumed other people were examining the code. "Everyone assumed other eyeballs were looking at it. They took the attitude that it was a million other people's responsibility to look at it, so it wasn't their responsibility," he says. "That's where the negligence comes in from an open source angle."

See original here:
Why open source software isn't as secure as you think

Wyplay’s Digital TV Middleware Source Code is Now Available to Members of the Frog by Wyplay Community [Last Updated On: January 5th, 2014] [Originally Added On: January 5th, 2014]
Find Open Source Alternatives to commercial software | Open ... [Last Updated On: January 5th, 2014] [Originally Added On: January 5th, 2014]
Open Source Initiative - Official Site [Last Updated On: January 5th, 2014] [Originally Added On: January 5th, 2014]
SCALE 11x: Evolution of an Open Source Software Foundation - Stephen Walli - Video [Last Updated On: January 5th, 2014] [Originally Added On: January 5th, 2014]
Bitcoin Baron Keeps a Secretive Open Source OS Alive [Last Updated On: January 22nd, 2014] [Originally Added On: January 22nd, 2014]
osalt.com - Find Open Source Alternatives to commercial ... [Last Updated On: January 22nd, 2014] [Originally Added On: January 22nd, 2014]
Sustainability of Open Source software communities beyond a fork - Video [Last Updated On: January 22nd, 2014] [Originally Added On: January 22nd, 2014]
Bringing MoreWomen to Free and Open Source Software - Video [Last Updated On: January 22nd, 2014] [Originally Added On: January 22nd, 2014]
Acquia podcast with Sensio Labs UK - Video [Last Updated On: January 22nd, 2014] [Originally Added On: January 22nd, 2014]
xTuple ERP + OrangeHRM Open source software leaders integration - Video [Last Updated On: January 22nd, 2014] [Originally Added On: January 22nd, 2014]
Guest articles setting out the author's position on the current status and future directions of KDE and its software [Last Updated On: January 23rd, 2014] [Originally Added On: January 23rd, 2014]
Open Source Power for Small Business in 2014 [Last Updated On: January 23rd, 2014] [Originally Added On: January 23rd, 2014]
EnterpriseDB Expands in Korea to Meet Rising Demand for Postgres [Last Updated On: January 24th, 2014] [Originally Added On: January 24th, 2014]
Introduction to FOSS - Free and Open Source Software - Video [Last Updated On: January 24th, 2014] [Originally Added On: January 24th, 2014]
Out in the Open: Teenage Hacker Transforms Web Into One Giant Bitcoin Network [Last Updated On: January 27th, 2014] [Originally Added On: January 27th, 2014]
Who says that Open Source Software does not have support? By Rosaria Silipo - Video [Last Updated On: January 27th, 2014] [Originally Added On: January 27th, 2014]
Microsoft Open Sources Its Internet Servers, Steps Into the Future [Last Updated On: January 28th, 2014] [Originally Added On: January 28th, 2014]
Microsoft cloud server designs for Facebook's Open Compute Project [Last Updated On: January 28th, 2014] [Originally Added On: January 28th, 2014]
Richard Stallman Free v Open Source Software - Video [Last Updated On: January 28th, 2014] [Originally Added On: January 28th, 2014]
UK government looks to open source to cut costs [Last Updated On: January 30th, 2014] [Originally Added On: January 30th, 2014]
Free Software + $20 USB Dongle = Software Defined Radio, Hak5 1524 - Video [Last Updated On: January 30th, 2014] [Originally Added On: January 30th, 2014]
Libreoffice 4.2 challenges Microsoft Office with improved Windows integration [Last Updated On: January 31st, 2014] [Originally Added On: January 31st, 2014]
Fallout 3 Let's Play Pt 6 - Video [Last Updated On: February 1st, 2014] [Originally Added On: February 1st, 2014]
14 1 29 Tom G Open Source Software 1 - Video [Last Updated On: February 1st, 2014] [Originally Added On: February 1st, 2014]
14 1 29 Tom G Open Source Software - Video [Last Updated On: February 1st, 2014] [Originally Added On: February 1st, 2014]
How is open source software like great wine? - Video [Last Updated On: February 3rd, 2014] [Originally Added On: February 3rd, 2014]
Free and open source software key for multicore hardware [Last Updated On: February 4th, 2014] [Originally Added On: February 4th, 2014]
Blender Tutorial - 2D Animation (1) Bone Rigging, Shape Character Planes by VscorpianC - Video [Last Updated On: February 4th, 2014] [Originally Added On: February 4th, 2014]
Obama Bit Coin Conspiracy? - Video [Last Updated On: February 4th, 2014] [Originally Added On: February 4th, 2014]
The Pentagon's Mad Science Is Going Open Source [Last Updated On: February 5th, 2014] [Originally Added On: February 5th, 2014]
The open source countdown has begun [Last Updated On: February 6th, 2014] [Originally Added On: February 6th, 2014]
BLOG: Why open source will rule the data centre [Last Updated On: February 6th, 2014] [Originally Added On: February 6th, 2014]
OpenDaylight Summit: SDN Needs Open Source and Open Standards [Last Updated On: February 10th, 2014] [Originally Added On: February 10th, 2014]
7 reasons not to use open source software [Last Updated On: February 12th, 2014] [Originally Added On: February 12th, 2014]
The Open Source Initiative | Open Source Initiative [Last Updated On: February 12th, 2014] [Originally Added On: February 12th, 2014]
Find Open Source Alternatives to commercial software ... [Last Updated On: February 12th, 2014] [Originally Added On: February 12th, 2014]
Has Linux Conquered the Cloud? [Last Updated On: February 13th, 2014] [Originally Added On: February 13th, 2014]
The New eRacks/NAS36 Rackmount Storage Server Achieves Price/Density Breakthrough: 100TB Storage in Only 4U for Under ... [Last Updated On: February 14th, 2014] [Originally Added On: February 14th, 2014]
2012 Red Hat Summit Build a PaaS using Open Source Software ~ Redhat Linux Video YouTube - Video [Last Updated On: February 14th, 2014] [Originally Added On: February 14th, 2014]
Intel launches big data software suite - free to a good home [Last Updated On: February 15th, 2014] [Originally Added On: February 15th, 2014]
Three college students build a health provider search site in six weeks [Last Updated On: February 16th, 2014] [Originally Added On: February 16th, 2014]
The Asgard Show Episode 6 - Video [Last Updated On: February 16th, 2014] [Originally Added On: February 16th, 2014]
Open source startups: Don't try to be Red Hat [Last Updated On: February 18th, 2014] [Originally Added On: February 18th, 2014]
Open Source in the Enterprise: To Pay or Not to Pay? [Last Updated On: February 18th, 2014] [Originally Added On: February 18th, 2014]
DEF CON 12 - Wendy Seltzer and Seth Schoen, Hacking the Spectrum - Video [Last Updated On: February 18th, 2014] [Originally Added On: February 18th, 2014]
dev@Pulse Speaker Predictions - Jonathan Bryce - Video [Last Updated On: February 19th, 2014] [Originally Added On: February 19th, 2014]
Facebook Boosts Its Open Source Mojo With New Project [Last Updated On: February 20th, 2014] [Originally Added On: February 20th, 2014]
Raising Linux to Grow Open Source [Last Updated On: February 20th, 2014] [Originally Added On: February 20th, 2014]
Apple Veteran Named PayPal's First Head of Open Source Software [Last Updated On: February 20th, 2014] [Originally Added On: February 20th, 2014]
Open Source Software | 46 of 62 | MconneX - Video [Last Updated On: February 20th, 2014] [Originally Added On: February 20th, 2014]
News Flash from Redmond: FOSS Causes Dissatisfaction! [Last Updated On: February 25th, 2014] [Originally Added On: February 25th, 2014]
FOSS4G with Eric Brelsford - Video [Last Updated On: February 25th, 2014] [Originally Added On: February 25th, 2014]
NYLUG Presents: Mark Tolliver on Palamida. Application Security for Open Source Software (6/25/08) - Video [Last Updated On: February 25th, 2014] [Originally Added On: February 25th, 2014]
DARPA Open Catalog Makes Agency-Sponsored Software and Publications Available to All [Last Updated On: February 25th, 2014] [Originally Added On: February 25th, 2014]
Munich opts for open source groupware from Kolab [Last Updated On: February 26th, 2014] [Originally Added On: February 26th, 2014]
Modelling Hands Step by Step Using Free Open Source Software Seamless3d 3 - Video [Last Updated On: February 27th, 2014] [Originally Added On: February 27th, 2014]
Accelerating the Network with Open Source Software, Erik Ekudden | OpenDaylight Summit 2014 - Video [Last Updated On: February 27th, 2014] [Originally Added On: February 27th, 2014]
The Commercial Case for Open Source Software [Last Updated On: March 1st, 2014] [Originally Added On: March 1st, 2014]
Beginners guide to contributing to open source software - Video [Last Updated On: March 3rd, 2014] [Originally Added On: March 3rd, 2014]
Free Open Source Software [Last Updated On: March 4th, 2014] [Originally Added On: March 4th, 2014]
Open Source Software - Video [Last Updated On: March 4th, 2014] [Originally Added On: March 4th, 2014]
Open Source Software EDTC5325 - Video [Last Updated On: March 6th, 2014] [Originally Added On: March 6th, 2014]
Broadcom Announces Open Switch Pipeline Specification Targeting Growing SDN Application Ecosystem [Last Updated On: March 7th, 2014] [Originally Added On: March 7th, 2014]
RIT launches nation’s first minor in free and open source software and free culture [Last Updated On: March 7th, 2014] [Originally Added On: March 7th, 2014]
Forum created to push optical SDNs [Last Updated On: March 10th, 2014] [Originally Added On: March 10th, 2014]
Google embraces open source for 10th year of Summer of Code [Last Updated On: March 10th, 2014] [Originally Added On: March 10th, 2014]
Is Open Source Software The Answer to Oregon's IT Problems? [Last Updated On: March 11th, 2014] [Originally Added On: March 11th, 2014]
Spenden Ticketautomat mit Open Source Software auf der CeBIT 2014, CMS Garden - Video [Last Updated On: March 14th, 2014] [Originally Added On: March 14th, 2014]
2012 Red Hat Summit Build a PaaS using Open Source Software - Video [Last Updated On: March 14th, 2014] [Originally Added On: March 14th, 2014]
CyanogenMod receiving Linux New Media Award 2014 (Best Open Source Software App for Android) - Video [Last Updated On: March 15th, 2014] [Originally Added On: March 15th, 2014]
Real tech 25 Finding open source software you can trust - Video [Last Updated On: March 15th, 2014] [Originally Added On: March 15th, 2014]
Tor is building an anonymous instant messenger [Last Updated On: April 10th, 2017] [Originally Added On: March 15th, 2014]
MailPile is now in Alpha [Last Updated On: April 10th, 2017] [Originally Added On: March 15th, 2014]
$2,400 “Introduction to Linux” course will be free and online this summer [Last Updated On: April 10th, 2017] [Originally Added On: March 16th, 2014]
Linaro announces MediaTek as member [Last Updated On: March 18th, 2014] [Originally Added On: March 18th, 2014]
TN state departments asked to switch over to open source software [Last Updated On: March 18th, 2014] [Originally Added On: March 18th, 2014]
Open source project builds mobile networks without big carriers [Last Updated On: March 18th, 2014] [Originally Added On: March 18th, 2014]
Your U.S. government uses open source software, and loves it [Last Updated On: March 18th, 2014] [Originally Added On: March 18th, 2014]
Linux Goes to the Head of the Class [Last Updated On: March 22nd, 2014] [Originally Added On: March 22nd, 2014]
What is open source? - Definition from WhatIs.com [Last Updated On: March 23rd, 2014] [Originally Added On: March 23rd, 2014]