{"id":15293,"date":"2014-04-12T05:40:38","date_gmt":"2014-04-12T09:40:38","guid":{"rendered":"http:\/\/www.opensource.im\/?p=15293"},"modified":"2014-04-12T05:40:38","modified_gmt":"2014-04-12T09:40:38","slug":"open-source-software-is-more-secure-right-so-what-happened-with-openssl","status":"publish","type":"post","link":"https:\/\/euvolution.com\/open-source-convergence\/open-source-software\/open-source-software-is-more-secure-right-so-what-happened-with-openssl.php","title":{"rendered":"Open source software is more secure, right? So what happened with OpenSSL?"},"content":{"rendered":"<p>Apr. 11, 2014 - 8:38 AM PDT<\/p>\n<p>One of the benefits often cited for the use of open-source software is that because it is so widely available and open to review by developers, any security flaws will be caught sooner than with closed, proprietary systems. This week's near-panic around the Heartbleed flaw in the OpenSSL open-source encryption software calls that contention into question. When you have internet security czars telling people to stay off the internet, there's a problem.<\/p>\n<p>The vulnerability, which afflicted popular web sites and networking gear from Cisco and Juniper, has been around for more than two years but was brought to light by researchers at Google and Codenomicon early this week. That's a long time.<\/p>\n<p>But the German programmer who claimed responsibility for contributing the flawed code in late 2011 told The Guardian that he, not the open source model, is to blame. Robin Seggelemann said his update did what it was supposed to do, enable the Heartbeat feature in OpenSSL, but also accidentally created the vulnerability that caused all the hubbub.<\/p>\n<p>Seggelemann said he wrote the code and missed the necessary validation by an oversight. Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version.<\/p>\n<p>So why did the resulting vulnerability stay under the radar for so long? Because, in his view, OpenSSL, while widely deployed, is also under-funded. \"OpenSSL is definitely under-resourced for its wide distribution. It has millions of users but only very few actually contribute to the project,\" he told the Guardian.<\/p>\n<p>And that brings us back to the question of whether open-source software is always best compared to company-funded-and-supported commercial (paid) software. It's good to debate the issue, but given the traction that Linux, Apache and perhaps OpenStack have gotten, this horse may have left the barn. And remember, commercial software companies haven't exactly covered themselves in glory with regard to security. Most notably, security giant RSA reportedly shipped encryption software with a known backdoor.<\/p>\n<p>Read this article:<br \/>\n<a target=\"_blank\" href=\"http:\/\/gigaom.com\/2014\/04\/11\/open-source-software-is-more-secure-right-so-what-happened-with-openssl\/\/RS=^ADA6taCcF4HjSTmBrYymqsKGIlUwYc-\" title=\"Open source software is more secure, right? So what happened with OpenSSL?\">Open source software is more secure, right? So what happened with OpenSSL?<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> 18 hours ago Apr. <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-15293","post","type-post","status-publish","format-standard","hentry","category-open-source-software"],"_links":{"self":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/15293"}],"collection":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/comments?post=15293"}],"version-history":[{"count":0,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/15293\/revisions"}],"wp:attachment":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/media?parent=15293"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/categories?post=15293"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/tags?post=15293"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}