A year on from the public disclosure of the Heartbleed flaw and its fixed version, I spoke with Chris Wysopal, CTO and co-founder of Veracode, on the impact of the bug and the wider perspective upon open source software.
He acknowledged that it did have a quick fix once it was widely known, but really was there any impact? “If you look at the number of breaches that were attributed to it, there were some big ones but I could count them on my fingers which is nothing compared to the exposure which was 100,000s of machines and 1000s of organisations,” he said. “I’m sure there were more breaches but it was patched quickly, so it wasn’t such a disaster.”
So without the media attention, would this have been taken so seriously? Wysopal said that without the media attention, it would have been a week later before there was any major fix, and that could have created more breaches. However with more widespread issues cropping up now, he said that they are being taken more seriously and looking at statistics on patching, even for the highest criticality bugs it can still take months before things are patched.
He said: “Having things patched so quickly is a trend for the better, and we are waking up to the fact that being more and more reliant on open source components that have vulnerabilities in them. That’s the bad part, but the good part is we are more aware of it and taking action more quickly. “
Is there a change in patching attitudes, created by 2014’s major bugs? Wysopal said there was, particularly as the change he sees is with people wanting to patch quickly and looking for ways to understand where they are using or have deployed these open source systems that have these vulnerabilities.
He said: “The change now is that these vulnerabilities are in open source and not in a single vendor, so it is coming from a whole set of vendors and it has become more challenging patching problem, and people look for ways to patch across multiple vendors.”
Is it driving more interest in this not happening again? He said that as there is no liability in open source software, it lies upon the person running the application to be ultimately responsible. “They have to hold the supplier responsible, so certain vendors will have agreements but it is up to the vendor to do the right thing to be responsive to issues,” he said.
“In the open source space, you don’t have that as the people working on this are volunteers so they don’t have any feeling of responsibility apart from them wanting to do the right thing as software engineers.”
Wysopal praised the work of the Linux Foundation to fix OpenSSL in future, saying it makes sense as it is users saying “we are companies using a lot of this open source, we are ultimately responsible for protecting our customers data and we want to make sure we can help make the open source secure”.
He said: “I think that is moving in the right direction where the users of open source are taking some responsibility to fix it.”
Looking to the future, I asked Wysopal if he felt that in the future we would be better prepared to deal with such flaws? He said “absolutely”, as with Heartbleed and the other big bugs in 2014, more companies put processes in place to deal with these cross vendor vulnerabilities in dynamic ways.
In particular, this was done by scanning web applications deeper and using software composition analysis to look at the software inventory to look at these software libraries and finding the vulnerabilities very quickly. “Those are a couple of techniques we have seen our customers ask about so they can find where they are vulnerable very quickly and be more responsive,” he said.
“So we have seen people put together the technical solutions, and people and process solutions around that to get a team together and how to communicate to the customers that they are working on or have patched the problem.” He also acknowledged that some larger customers ask service providers to certify that they are fully patched against a vulnerability, and in particular financial services are asking suppliers after they have patched.
So 12 months on, Wysopal said that it is seeing new processes and technologies put in place to respond to these things, and lessons learned show that while Heartbleed caught a lot of people out, but the reaction could be more positive for the future.
Chris Wysopal, CTO and co-founder of Veracode, was talking to Dan Raywood