Will Open-Source Money Prevent the Next Heartbleed?
NEWS ANALYSIS: The OpenSSL Software Foundation is now asking for money to help fund its efforts. Will it make a difference, or is a different model needed?

The Heartbleed security vulnerability dominated tech headlines last week as a critical risk to the foundation of the Internet. Heartbleed (CVE-2014-0160) is a flaw in the TLS heartbeat extension implementation of the open-source OpenSSL cryptographic library, which is widely used on Linux servers and cloud services around the world; it affects OpenSSL 1.0.1 through 1.0.1f and was fixed in 1.0.1g. While OpenSSL is widely deployed, some have argued that it is not widely supported and that the open-source model itself might be at fault.

The truth is that open source is not about cost; it's about code that is freely available to consume and to contribute to. In the case of OpenSSL, the flaw was found in part because the code is open, and the mitigation also happened quickly because everyone has the code: distributions and cloud providers could build and ship patched packages as soon as the fix was public rather than waiting on a single vendor. That kind of review and remediation mechanism is simply not possible with closed-source code, where end users and enterprises must wait for the vendor to release an update for everyone.

As an example, take a look at how Microsoft handles security vulnerabilities in a closed-source product. Microsoft's Internet Explorer Web browser is today at risk from multiple zero-day flaws that were first publicly demonstrated at the Pwn2Own hacking challenge in March. Hewlett-Packard, the sponsor of Pwn2Own, disclosed the flaws only to Microsoft, so the risk isn't widespread.
Still, the simple fact remains that there are unpatched flaws. In the open-source model, you can't hide behind a closed door, which, in my opinion, provides better security. Security through obscurity might work some of the time, but if you're secure in the open, you're likely better off.