Tech titan funding just a start in securing critical open-source projects

Major tech companies' funding commitments to support critical open-source projects are only the first step in preventing another industry-disrupting OpenSSL Heartbleed bug, security experts say.

The several million dollars expected to go into the Core Infrastructure Initiative announced Thursday need to be spent on building processes for secure development and quality assurance, experts told CSOonline. Without a functioning organization in each project, flaws would continue to go unnoticed.


The OpenSSL Project had just one full-time employee and received only $2,000 a year in donations. This meager funding contributed to the bug going undetected for two years.

Successful open-source projects, such as those behind the Apache Web server or Linux operating system, have a leadership group responsible for secure development, Marc Hoit, vice chancellor for information technology at North Carolina State University, said.

"All open-source or community-based projects, or actually for that matter (commercial) projects, need not only funding, but also a champion to kind of steer them along," Hoit said.

The roster behind the CII is impressive. It includes Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, VMware and The Linux Foundation.

However, neither the amount of money that would go into the initiative nor how the effort would be organized was announced. Ars Technica reported that the group committed to at least three years and $3.9 million in funding.

Besides money, the tech companies will have to donate experts from their own staff to help drive development efforts and create testing and maintenance procedures.

Open-source projects that have had such commercial support have flourished, Paul Henry, a senior instructor at the SANS Institute, said.

"Further, there has been significant funding for numerous open-source projects by the U.S. government," he pointed out.

One example of open-source software that has morphed into a commercial product is Snort, a network intrusion prevention system now developed by Cisco-owned Sourcefire.

ForgeRock has built a business around an open-source identity management stack. Chief Executive Mike Ellis said developing open-source software for the enterprise requires a "formal product development structure to be properly hardened and secure."

"This involves architects, developers, quality assurance, sustaining engineers, and so on," he said. "There needs to be a serious commitment to building a project structure and taking it from a hobby to a commercial grade product."

Besides funding more secure development efforts, money from the CII could also be used for bug bounty programs, Wolfgang Kandek, chief technology officer for Qualys, said.

"I see bug bounties as a great mechanism to get talent interested in positive computer security," he said.

The OpenSSL flaw was critical because it compromised the wide variety of hardware and software that used the library to secure communications between Web servers and PCs and mobile devices. All affected systems had to be patched or taken offline to avoid a potential breach.


Given the damage caused by the OpenSSL flaw, there was no excuse for the industry's lack of support before the bug was discovered, Joseph DeMesy, senior security analyst for consultancy Bishop Fox, said.

"It is reckless of the industry to so heavily depend upon these projects and not adequately support them financially or otherwise," DeMesy said.

Stories by Antone Gonsalves