There’s no denying that the open source software movement has its benefits, but it’s not without its shortcomings either. This fact was demonstrated in full earlier this year, when Heartbleed, a flaw in the widely deployed OpenSSL library, took the Web by storm. The vulnerability’s effects were felt around the world and resulted in an almost unprecedented exposure of private data. For our June #SecChat, we sought to drive conversation about the past, present and future of open source and OpenSSL security, and how these practices should change in the wake of Heartbleed. Below are some highlights from the chat.
Can OpenSSL regain the trust it lost after Heartbleed?
We posed this question to our #SecChat participants and received a variety of answers—most leaning towards “yes.” @Dennis_London said that while it’s possible for OpenSSL to regain the credibility that it lost, it won’t fully return until more security guidelines are added to prevent future attacks. @IdeaGov gave a similar response, stating that trust would return—until the next vulnerability is exposed.
How can OpenSSL security improve to prevent future Heartbleed-like vulnerabilities?
In order for OpenSSL to regain credibility, it must provide assurance that proper code review takes place with each release, ensuring a secure implementation of the SSL and TLS protocols, and it must adapt its security practices as the project grows. As the project increases in scale, it will only become a more desirable target for hackers. Such is life on the Internet. So what can be done? @IAmDaveCohen blamed Heartbleed on large amounts of quickly written code being passed through without proper QA. In response, both @TechJournalist and @SCADAhacker proposed virtual network solutions as potential open source security options. On the opposite end of the spectrum were those participants focused on a less predictable security issue: the human element. @IdeaGov suggested an increase in employee training to help prevent future breaches, with @SeanCSL agreeing that humans are indeed the weakest link.
Do branded bugs or vulnerabilities help organize discussion or do they cause unnecessary panic?
Weeks after Heartbleed was discovered, a second vulnerability within OpenSSL was identified, leading many to pull the ‘fire alarm’ in response. So, we asked #SecChat participants to share their thoughts on branded bugs or vulnerabilities, and whether they were beneficial or simply a media tactic that brings unnecessary panic. @Munin said that branding ‘popular’ bugs and sensationalizing cyber attacks was a bad thing for the security industry. In response, #SecChat moderator @S_Karve countered with the point that it would provide motivation for others to pay attention. Meanwhile, McAfee Labs’ @Fran_Maika straddled the fence on the topic, bringing up the A/H1N1 virus, which provided greater awareness around the illness but at the same time caused panic and fear among the public.
Where do you stand on branded bugs and the security of OpenSSL? Let us know in the comments.
Thanks once more to all who joined in for our June #SecChat. Feel free to read through the whole conversation on Twitter, and don’t forget to follow @McAfeeBusiness on Twitter for details about future chats!