IT Security Guru

In defence of open source software

by The Gurus
April 13, 2015
in This Week's Gurus
Share on FacebookShare on Twitter

A year on from the public disclosure of the Heartbleed flaw in OpenSSL, and of the release that fixed it, I spoke with Chris Wysopal, CTO and co-founder of Veracode, about the impact of the bug and the wider perspective on open source software.
He acknowledged that it was fixed quickly once it was widely known, but was there really any impact? “If you look at the number of breaches that were attributed to it, there were some big ones, but I could count them on my fingers, which is nothing compared to the exposure, which was hundreds of thousands of machines and thousands of organisations,” he said. “I’m sure there were more breaches, but it was patched quickly, so it wasn’t such a disaster.”
So without the media attention, would it have been taken so seriously? Wysopal said that without that attention it would have been a week later before there was any major fix, and that could have led to more breaches. With more widespread issues cropping up now, however, he said they are being taken more seriously; even so, patching statistics show that even the highest criticality bugs can still take months to be patched.
He said: “Having things patched so quickly is a trend for the better, and we are waking up to the fact that we are becoming more and more reliant on open source components that have vulnerabilities in them. That’s the bad part, but the good part is we are more aware of it and taking action more quickly.”
Has 2014’s run of major bugs changed attitudes to patching? Wysopal said it had: the change he sees is people wanting to patch quickly, and looking for ways to understand where they are using, or have deployed, the open source components that carry these vulnerabilities.
He said: “The change now is that these vulnerabilities are in open source and not in a single vendor, so it is coming from a whole set of vendors and it has become a more challenging patching problem, and people look for ways to patch across multiple vendors.”
Is it driving more interest in making sure this does not happen again? He said that as there is no liability in open source software, ultimate responsibility lies with the person running the application. “They have to hold the supplier responsible, so certain vendors will have agreements, but it is up to the vendor to do the right thing and be responsive to issues,” he said.
“In the open source space, you don’t have that, as the people working on this are volunteers, so they don’t have any feeling of responsibility apart from wanting to do the right thing as software engineers.”
Wysopal praised the Linux Foundation’s work to fix OpenSSL for the future, saying it makes sense because it is the users saying “we are companies using a lot of this open source, we are ultimately responsible for protecting our customers’ data and we want to make sure we can help make the open source secure”.
He said: “I think that is moving in the right direction where the users of open source are taking some responsibility to fix it.”
Looking ahead, I asked Wysopal whether we would be better prepared to deal with such flaws in future. He said “absolutely”: after Heartbleed and the other big bugs of 2014, more companies put processes in place to deal with these cross-vendor vulnerabilities in dynamic ways.
In particular, they did this by scanning web applications more deeply and by using software composition analysis on their software inventory to identify the libraries in use and find the vulnerable ones very quickly. “Those are a couple of techniques we have seen our customers ask about so they can find where they are vulnerable very quickly and be more responsive,” he said.
“So we have seen people put together the technical solutions, and the people and process solutions around that, to get a team together and work out how to communicate to their customers that they are working on or have patched the problem.” He also acknowledged that some larger customers ask service providers to certify that they are fully patched against a vulnerability, and financial services firms in particular are asking suppliers to confirm this after patching.
So 12 months on, Wysopal said that he is seeing new processes and technologies put in place to respond to these things, and the lessons learned show that while Heartbleed caught a lot of people out, the reaction could prove positive for the future.
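The inventory-driven check Wysopal describes, sketched below as an added Python example (it is not Veracode's tooling and is not code from the original article): a component inventory is matched against advisories that carry affected version ranges, and the result is turned into the "fully patched against CVE X?" answer that customers are asking their suppliers for. The host names, the ADV-EXAMPLE-1 advisory and every version in the inventory are constructed for illustration; the one real fact used is the Heartbleed range, OpenSSL 1.0.1 through 1.0.1f affected and 1.0.1g the first fixed release (CVE-2014-0160).

```python
"""Toy software-composition-analysis (SCA) check.

Added example, not Veracode's or any vendor's tooling. It matches a
deployed-component inventory against advisories with affected version
ranges and answers "are we fully patched against CVE X?" from the result.
Inventory, host names and ADV-EXAMPLE-1 are constructed; the Heartbleed
range (OpenSSL 1.0.1 <= v < 1.0.1g, CVE-2014-0160) is real.
"""
from dataclasses import dataclass
import re

# Upstream version: dotted integers plus an OpenSSL-style letter suffix (1.0.1e).
_UPSTREAM_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]*)$")


def parse_version(v: str) -> tuple:
    """Return a sortable key for an upstream version string.

    A distro release suffix after '-' (Debian-style 1.0.1e-2+...) is dropped:
    it says nothing about the upstream version, and it is exactly where pure
    version matching goes wrong, because distributions backport security
    fixes without bumping the upstream number. That case is handled by
    Component.backported_fixes, not by this parser.
    """
    upstream = v.strip().split("-", 1)[0]
    m = _UPSTREAM_RE.match(upstream)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    # Orders as (1,0,1),'' < (1,0,1),'a' < ... < (1,0,1),'g' < (1,0,2),''
    return (numbers, m.group(2))


@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str
    first_affected: str  # inclusive lower bound
    first_fixed: str     # exclusive upper bound: first release carrying the fix


@dataclass(frozen=True)
class Component:
    host: str
    name: str
    version: str
    # CVE ids the packager fixed by patch without changing the upstream version.
    # Each entry must be backed by evidence such as the package changelog.
    backported_fixes: frozenset = frozenset()


def is_affected(component: Component, advisory: Advisory) -> bool:
    if component.name.lower() != advisory.component.lower():
        return False
    if advisory.cve in component.backported_fixes:
        return False
    v = parse_version(component.version)
    return parse_version(advisory.first_affected) <= v < parse_version(advisory.first_fixed)


def find_exposures(inventory, advisories):
    """Return (host, component, version, cve) for every vulnerable match."""
    return [
        (c.host, c.name, c.version, a.cve)
        for c in inventory
        for a in advisories
        if is_affected(c, a)
    ]


def patch_attestation(inventory, advisories, cve: str) -> dict:
    """Answer 'are we fully patched against this CVE?' from the inventory."""
    relevant = [a for a in advisories if a.cve == cve]
    exposed = sorted({host for host, _, _, _ in find_exposures(inventory, relevant)})
    return {"cve": cve, "fully_patched": not exposed, "exposed_hosts": exposed}


# Constructed sample data: hosts and versions are illustrative only.
ADVISORIES = [
    Advisory("CVE-2014-0160", "openssl", "1.0.1", "1.0.1g"),    # Heartbleed, real range
    Advisory("ADV-EXAMPLE-1", "examplelib", "2.3.0", "2.3.5"),  # constructed placeholder
]

INVENTORY = [
    Component("web-01", "openssl", "1.0.1e"),                  # inside the range: exposed
    Component("web-02", "openssl", "1.0.1g"),                  # first fixed release
    Component("web-03", "openssl", "1.0.1e-2+example1",
              backported_fixes=frozenset({"CVE-2014-0160"})),  # distro-patched per changelog
    Component("db-01", "openssl", "0.9.8y"),                   # 0.9.8 branch was never affected
    Component("web-01", "examplelib", "2.3.4"),                # constructed: exposed
    Component("web-01", "nginx", "1.4.7"),                     # no advisory on file
]


if __name__ == "__main__":
    for host, name, version, cve in find_exposures(INVENTORY, ADVISORIES):
        print(f"{host}: {name} {version} vulnerable to {cve}")
    print(patch_attestation(INVENTORY, ADVISORIES, "CVE-2014-0160"))
```

Two caveats a practitioner would add before certifying anything on this basis. Version matching alone gives false positives where a distribution has patched the flaw without changing the upstream version string, which is why the inventory carries evidence-backed backport annotations rather than trusting the version field. It also gives false negatives wherever a library is statically linked or vendored under another component's name, so the inventory has to be built from what is actually deployed, not from package manifests alone.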
Chris Wysopal, CTO and co-founder of Veracode, was talking to Dan Raywood

Tags: FlawHeartbleedOpen SourceVulnerability