Heartbleed Remains a Risk 2 Years After It Was Reported
Additionally, there are coding style guidelines, and the OpenSSL project is receiving more fixes via GitHub. Ratliff noted that the OpenSSL team has implemented continuous integration and has several cross-compiles running on a build farm provided by Cisco. CII has also funded an external audit of the OpenSSL code base to further validate security. "While not credited to CII, OpenSSL has also gained additional scrutiny from ethical hackers at Google who are now also evaluating the code—sort of an independent code audit," Ratliff said. "This level of review has actually increased the flow of security vulnerabilities in the short term; however, in the long term, these activities are very positive for the project." Red Hat's Bressers agreed with the notion that OpenSSL is improving and the CII is having a positive impact. He noted that Red Hat supports the CII's mission, as it aligns directly with Red Hat's in bolstering support for open-source innovation at the community level. "Looking just at OpenSSL, the number of total bugs closed has increased while the number of open bugs has sharply decreased," Bressers said. "And less bugs, particularly potentially dangerous bugs like Heartbleed, are always a positive for Red Hat and our customer base.""It showed us there's a major need to build a pre-emptive, cohesive system absent of any one company's individual priorities to safeguard the Internet today and into the future," Ratliff said. "What's needed is quantitative and qualitative analysis of security of software, both closed and open, to safeguard corporations and individuals." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
The Heartbleed vulnerability, in many respects, was a watershed moment for the security industry. Heartbleed, Ratliff said, uncovered a major gap in how we protect and secure the technology we use every day.