Why is Open-source software not as secure as it is supposed to be?

OpenSSL Heartbleed's big fiasco shows no objection to what people have always suspected: just because open source code is just for checking, it doesn't mean it's completely checked out, but it's safe.

This is critical because the security of open source software relies entirely on a large number of professionally skilled programmers to detect code and quickly remove or fix code that contains bugs. This is also mentioned in Linus's law Linus: "If you have enough eyes, you can make all the problems come to mind." ”

But let's look at what happened after using OpenSSL. Robin Seggelemann, a programmer at the University of Munster in Germany, updates the OPENSLL code by adding a new heartbeat function, but unfortunately, he misses a necessary code validation to check for a particular variable that is realistic. Members of the OpenSSL development team did not check before releasing the updated version, which was the main cause of Heartbleed bugs.

If they think there's nothing wrong with the code, don't say it's an inspector, even a bunch of censors can't find a trivial mistake. This Heartbleed bug has been around for two years, inside the OPENSLL, in the browser, in the Web server, and eventually no open source community found it. Can it be blamed on not enough scrutiny of the eyes?

Business Channel lacks audit of open source code

Equally worrisome, OpenSSL has been used as an important component in hardware products that are made up of F5 NX, Citrix Bae, riverbed Marvell and Barracuda Commercial companies, such as NX, do not have enough auditing before using them. Security Cloud Gateway Manufacturer Forum BAE CEO Mamoon Yunus revealed the above content.

"If you commercialize OpenSSL, it is incumbent on you as a supplier to provide more eyeballs for auditing because once you plan to build a company based on open source components, ownership of the code is essential," he said.

However, Yunus believes that suppliers only care about OpenSSL as a useful bolt on their hardware products, and because it is open source, they assume that there are other developers who have tested the OpenSSL code and have no responsibility to audit it. "This is the result of an inadvertent approach to thinking from an open source perspective," he said. "Yunus suggests that commercial vendors should spend as much effort as possible to implement peer review systems on open source code and use static and dynamic analysis tools to ensure that the code is bug-free.

OpenSSL, TrueCrypt exposed to open source code audit short Board

Many open source projects now face the problem of the difficulty of clearly blaming Seggelemann or other OpenSSL teams, and implementing a rigorous standard code security audit is a time-consuming and demanding technical capability. In other words, the price is very expensive.

Here to introduce another Open source project: TrueCrypt encryption program. The project began ten years ago, and now it's safe and open, and interested people can watch it. But recently, with the fund-raising campaign on the Indiegogo and Fundfill Web site, a 60,000 dollar fund was raised to help TrueCrypt's code get through an appropriate security audit.

The code Auditor said: In general, the source code for the bootstrapper and the Windows kernel-driven sources do not meet the expected standard for the source code.

Worryingly, only after exposure did they recruit a lot of human resources for code review. The open source community has had ample opportunity to do this over the past 10 years, but the fact is that the community simply does not have the time, skills or resources (including money) to do the job correctly.

Hiding security is never a good idea, but once the vulnerabilities are released, they need to be repaired immediately. It is not clear whether the OpenSSL team can do this, the key is that the project has only a full-time maintainer, or whether the use of OpenSSL software or hardware products, including OpenSSL software itself needs to be updated and maintained in a timely manner.

Safety awareness should be strengthened in the post-heardbleed era

The good news now is that for those who care about the security of open source projects like OpenSSL, this is good news: Core Infrastructure Initiative (CII) will help these Open-source projects in its own way, CII is a Linux Foundation established new projects to deal with Heartbleed events. The goal is to send money to software projects such as OpenSSL that require money, because they are critical to the function of the Internet.

"Our global economy is built on many open source projects. "Jim Zemlin, executive director of the Linux Foundation, said. "We can now support more developers and defenders engaged in full-time maintenance, through their comprehensive support for important open source projects." ”

Support from CII may also include support for funding security audits, computing and testing infrastructure. So far, about 4 million dollars in fundraising has fully supported CII's maintenance of open source projects over the next three years, with donations from Google, Microsoft and Facebook.