{"id":17327,"date":"2014-04-22T01:41:34","date_gmt":"2014-04-22T05:41:34","guid":{"rendered":"http:\/\/www.opensource.im\/?p=17327"},"modified":"2014-04-22T01:41:34","modified_gmt":"2014-04-22T05:41:34","slug":"heartbleed-the-beginning-of-the-end-for-open-source","status":"publish","type":"post","link":"https:\/\/euvolution.com\/open-source-convergence\/open-source-software\/heartbleed-the-beginning-of-the-end-for-open-source.php","title":{"rendered":"Heartbleed: the beginning of the end for open source?"},"content":{"rendered":"<p><p>    OpenSSL is an open source project, meaning its original source    code is freely available for developers to use and modify. This    brings plenty of benefits - a wider pool of talent creating and    enhancing code which is available for free - but also negatives -    while many might be involved in the development of the code,    very few are scrutinising it for flaws.  <\/p>\n<p>    There was a common consensus that, because the OpenSSL code had    been reviewed so many times, it must be secure. In reality,    however, it was during one of these review cycles that the    Heartbleed bug was introduced.  <\/p>\n<p>    This is not unique to open source code; the same could have    occurred in a commercial development environment, as even the    best developers cannot spot all the issues that lie in their    code.  <\/p>\n<p>    However, the inherent problem with open source projects is that    there are thousands of passionate developers but a real lack of    passionate testers - as American writer Kurt Vonnegut says,    'Another flaw in the human character is that everybody wants to    build and nobody wants to do maintenance.'  <\/p>\n<p>    So how do we prevent this in the future? The answer is not    necessarily to stop using open source code but instead to    realise that measuring the code quality of a program is as important    as the development of the program itself.  
<\/p>\n<p>    The received wisdom is that open source software is often    regarded as more secure than closed source - because in theory,    the more people who contribute to and edit the software, the    higher the quality. In reality, the security of open source    projects will come not just from a wealth of contributors, but    from offering an unbiased way to measure the quality of the    code being used across so many of our critical applications.  <\/p>\n<p>    Some programs are so critical to the world that their quality    and security are paramount, and more needs to be done to ensure    that they not only function correctly, but that the code they are    based on is well written and free of flaws.  <\/p>\n<p>    Google, Facebook and Amazon all rely on open source projects,    like OpenSSL, for their success and need to take responsibility    to ensure that any code they use is checked and measured. Those    who benefit most from the gift of the web should also serve as    guardians, making sure it can be used safely for mutual    benefit.  <\/p>\n<p>    Damien Choizit is solutions engineer at software    analysis and measurement company CAST.  <\/p>\n<p><!-- Auto Generated --><\/p>\n<p>Continued here:<br \/>\n<a target=\"_blank\" href=\"http:\/\/telegraph.feedsportal.com\/c\/32726\/f\/567647\/s\/39946405\/sc\/4\/l\/0L0Stelegraph0O0Ctechnology0Cinternet0Esecurity0C10A7699960CHeartbleed0Ethe0Ebeginning0Eof0Ethe0Eend0Efor0Eopen0Esource0Bhtml\/story01.htm\/RS=^ADAOvm6eZBzoweNfSObU.wx5QqrLUU-\" title=\"Heartbleed: the beginning of the end for open source?\">Heartbleed: the beginning of the end for open source?<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> OpenSSL is an open source project, meaning its original source code is freely available for developers to use and modify. 
This brings plenty of benefits - a wider pool of talent creating and enhancing code which is available for free - but also negatives - while many might be involved in the development of the code, very few are scrutinising it for flaws. <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-17327","post","type-post","status-publish","format-standard","hentry","category-open-source-software"],"_links":{"self":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/17327"}],"collection":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/comments?post=17327"}],"version-history":[{"count":0,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/17327\/revisions"}],"wp:attachment":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/media?parent=17327"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/categories?post=17327"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/tags?post=17327"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}