There is a greater interest in fixing bugs after a year of major flaws were revealed.
12 months on from the public revelation of the Heartbleed bug in the widely deployed OpenSSL software, industry experts claim that there is a renewed focus on fixing bugs faster. In an email to IT Security Guru, Robert Hansen, VP of WhiteHat Labs, said that he thought there had been a much greater interest in looking at technologies that we have all assumed were safe.
“The TrueCrypt audit was a great example of that, and the subsequent audits of OpenSSL post Heartbleed,” he said. “Still though there are countless libraries that we rely on that have not been carefully scrutinised, so while the intent is good, there is a large amount of mountain ahead of us yet to climb.”
Luis Corrons, technical director of PandaLabs, said that he felt that the bugs had helped “a bit” as we have been dealing with vulnerabilities for decades and it is still one of the favourite ways to hack and infect computers nowadays.
“It is true that Heartbleed was a big one and it was in the news, which made people realise the severity of these security holes, but there is still a lot of (educational) work to do in order to have companies patching all their systems,” he said.
Chandra Sekar, senior director of product strategy at Illumio said that the fact that so many systems are still vulnerable highlights the problem of relying on manual processes to monitor and remediate issues.
“Security must be integrated with DevOps processes in order to automate and expedite delivery and remediation,” Sekar said.
Phil Lieberman, CEO of Lieberman Software Corporation said that as open-source based software has no standardised (and even more important) automated method of pushing repairs of defective software en masse, the lack of remediation is expected as most upgrades must be initiated by the end-user.
He said: “Many organisations don’t even know what devices or software they purchased which have open source with flaws (many companies don’t disclose it until too late or never). Given the lack of understanding of what is owned, coupled with a lack of labour and expertise to patch them, most of the defective goods go un-remediated.”
Mike Janke, chairman of Silent Circle, said that he does see a renewed focus due to this incident, but the real issue is that no one is ensuring the basics are being done right the first time, and he said it is not being taught as a priority today.