Core Infrastructure Initiative to delve into security of OpenSSL, OpenSSH, Network Time Protocol

The Linux Foundation today announced the first protocols that it wants to address as part of its open-source code testing and security review. Not surprisingly, OpenSSL, where the infamous Heartbleed bug was discovered, is among them.

Called the Core Infrastructure Initiative (CII), the effort was created by several of the large tech companies, including Amazon Web Services, Cisco, Dell, Facebook, Microsoft, and IBM, in the aftermath of last month's Heartbleed crisis. Heartbleed was the serious vulnerability revealed last month in the OpenSSL encryption protocol, and its widespread use in servers, client software, and network and security products set off a global stampede to patch them and swap out digital certificates, in addition to changing passwords.

In addition to funding a code audit of the OpenSSL protocol, CII today also said it's directing its security review efforts to two other widely used protocols: OpenSSH and Network Time Protocol (NTP). NTP has recently gained attention as a source of concern because it has been abused to generate denial-of-service attacks.

The CII group isn't specifying how much funding is being dedicated to these security reviews, but does say the entire CII effort has raised over $5 million from its founding members.


The CII intends to coordinate with the OpenSSL project to assist with two full-time core developers. The Open Crypto Audit Project is also expected to receive funding from CII to conduct a security audit of the OpenSSL code base.

CII today also announced Adobe, Bloomberg, HP, Huawei and as additional members. CII also says it's established an advisory board and steering committee to identify open-source projects "most in need of support."

CII's Advisory Board members include Linux kernel developer Alan Cox; Matt Green of Open Crypto Audit Project; Dan Meredith of Radio Free Asia's Open Technology Fund; Eben Moglen of Software Freedom Law Center; Bruce Schneier of the Berkman Center for Internet & Society at Harvard Law School; Eric Sears of the MacArthur Foundation; and Ted Ts'o, a file-system developer at Google and the Linux kernel community.

Jim Zemlin, executive director of The Linux Foundation, said, "All software development requires software and funding. Open source software is no exception and warrants a level of support on par with the dominant role it plays supporting today's global information infrastructure." He added that the aim of CII is to "move from the reactive, crisis-driven responses to a measured, proactive way to identify and fund those projects that are in need," and that CII is a forum to be able to do that.

Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE.
