There are likely to be flaws in all software, in both those that are open source and closed.
Speaking to IT Security Guru, Mike Janke, CEO of Silent Circle, said he hated to be the pessimist, but he felt that there are flaws in just about everything. “The key is what type of flaw and what type of product?,” he said.
“For example, if there is a flaw in an Open Source code dump for a game, well does that really matter much? On the other hand, if your life, your company’s IP or your privacy is on the line with a piece of software (such as Silent Circle, PGP, Truecrypt, SSL etc) – then yeah, a flaw can be disastrous.
“It’s also why I cringe when I see yet another ‘disappearing text app’ or the new ‘privacy app’ on the market, that has been reviewed by nobody, is not open source yet gets tons of downloads because the user interface is slick? That is not good at all, because people in harm’s way may use it, because of some press it got, without understanding no one actually knows if it really works.”
Janke said he worried about Government side-deal backdoors and about proprietary encryption and non-open source security products as it puts it technology out to highly-paid security firm reviews and open source, “because there is no such thing as close enough in what we do”.
Janke mentioned that he was also worried about the “known of the unknown of products, solutions and software out there that haven’t had a deep bright light shone on them”. Janke said he was surprised by the sudden reaction to the Opens’ flaw that existed for two years, but also glad with the national press attention it gathered.
“It means the average ‘bedizen’ is now concerned and watching these sound bites. They may not understand it, but they are now paying attention. That is a huge step forward,” he said.
Janke explained that the news attention also benefitted the open source community. “I am delighted on the other hand that the open source community is getting more attention (lack of funds, lack of thorough reviews, etc). I hear so many people say ‘Oh, it’s open source, so that means the world’s eyes have inspected it, found the flaws and it can be trusted’. We know that is far from the truth. Of course, having 1,000 eyes inspect something all over the world, is better than four in-house engineers on a security team that review proprietary software, bless it and tens-of-millions of people use it because Cisco, Oracle or Microsoft says it’s good to go.
“I believe open source is always ten times better than anything proprietary, but most stacks that are out there are open source and do not command the net’s attention as much as one would hope.”
Commenting, Marty Roesch, VP and chief architect of the security business group at Cisco, and CTO and founder of Sourcefire, said he was not surprised by the amount of websites using OpenSSL, as it was as important for SSL as Snort was for intrusion detection.
“It’s a low friction way to roll out the capabilities, so why wouldn’t you use it? The fact that it had a substantial security bug in it shouldn’t surprise anyone as it is software and that has bugs, and the fact that it was in an open source project,” he said
“People believe that open source projects are immune to what happens to proprietary systems, but software is written under the view of the community, but if that is 99 per cent users and only one per cent developers, then no one ever did a security audit on it. You can have security bugs that languish on proprietary systems.”
Roesch said what was interesting with Heartbleed was how fast the community was at resolving the bug, and the rapid period of notification to resolution. “What has happened as a result is now some of the best security software teams there are starting to go through the code with a fine toothcomb and not just audit the code, but are rewriting sections of the code that they think are insufficiently safe and fixing them.”