
Heartbleed is making us re-evaluate security, but is it enough?

May 07, 2014
By Vanessa Ulrich

Described as the worst thing to happen to the Internet in the past decade, the Heartbleed vulnerability is a wake-up call to all of us. (Until Heartbleed, I was guilty of having the same password for multiple sites for multiple years.) Even after the general public freaked out, changed passwords and checked bank accounts, the problems are not yet over. Alarmingly, an open challenge to hackers proved that Heartbleed could be used to steal security keys from vulnerable websites. So even after a password change, a counterfeit copy of a website built with its stolen security credentials could be used to entice visitors into handing over that new password.

The Heartbleed vulnerability speaks to the fragility of the Internet, the excessive trust we place in open source, and the fact that there is little real governance of the Internet’s infrastructure. Clearly, the model of how code is created and reviewed needs to change.

Heartbleed’s story started in 2011 with a seemingly honest mistake on the part of the four-person coding team who had been working on improving OpenSSL. The mistake slipped past the coder who keyed it, past the colleague who reviewed it, and ended up introducing security vulnerabilities all around the world—by some estimates, over two-thirds of websites have been affected. Reporter Evan Schuman put it pointedly in Computerworld: “If our checks and balances are so fragile that a typo can obliterate all meaningful security, we have some fundamental things to fix.”

Heartbleed exists inside a library of software that’s managed—not by a corporation or government entity—but by a foundation. And there’s a serious sustainability problem with that. It means that the software is not as well-maintained or well-funded as it should be, issues that led to Heartbleed going unnoticed for two whole years.

One of Schuman’s main points is that we put too much trust in code that is written by a handful of people and peer reviewed by a handful more. What’s needed is meaningful oversight of the infrastructure of the Internet. A group of tech industry heavyweights have taken a step in the right direction by forming the Core Infrastructure Initiative, an organization that will invest in open source projects to catch issues like Heartbleed and protect the public against security vulnerabilities. But the initiative isn’t a silver bullet.

The onus must also be put on companies that use the software and neglect to test it themselves to make sure it’s secure. As Heartbleed has proven, formal review procedures need to be developed. Additionally, companies—whether they’re using open source or commercial software—need to be proactive about their security. Having a process in place for a security team to conduct regular checks for holes is critical, so that vulnerabilities can be caught early. An internal and external incident response plan should also be put in place so that security issues, whether they affect employees, clients or the public, can be communicated and addressed efficiently. Having a security strategy in place across all of a company’s functional areas is an imperative in order to be prepared for worst-case scenarios like Heartbleed.
