After Heartbleed, Tech Giants Fund Open Source Security

Published: 22/11/2024   Category: security

In the wake of the Heartbleed vulnerability, 12 tech giants, including Facebook, Google, IBM, and Microsoft, each pledged $100,000 annually to improve core open source technology such as OpenSSL.



The Linux Foundation Thursday announced that 12 leading technology firms have each pledged $100,000 per year, for the next three years, to fund open source projects. The new Core Infrastructure Initiative represents the industry's response to the Heartbleed bug found earlier this year in OpenSSL, the open source SSL/TLS library. The vulnerability highlighted that more than half of the world's Web servers rely on a library maintained by an open source project that receives only about $2,000 per year in donations, even as the Internet ecosystem has become much more complex and interoperability requirements have increased.
"There are certain projects that have not received the level of support commensurate with their importance," the Linux Foundation said in a statement. "As we just witnessed with the Heartbleed crisis, too many critical open source software projects are under-funded and under-resourced."
But that's about to change, with the first wave of Core Infrastructure Initiative supporters having now collectively pledged $1.2 million per year through 2016. Those 12 supporters are Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, and VMware.
The launch of the Core Infrastructure Initiative has been widely lauded. "This is fantastic," Dan Kaminsky, chief scientist at White Ops, says via email, emphasizing that the open source technology that facilitated the rise of so many Internet businesses requires ongoing investment to remain useful, usable, and secure.
"This isn't charity," he says of the initiative. "It's just very wise business."
The effort represents leading technology players agreeing to get proactive about securing and improving the many pieces of technology that collectively form what's known as the Internet. "This is not just about the money, but the forum," Jim Zemlin, the executive director of the Linux Foundation, told the New York Times. "Instead of responding to a crisis retroactively, this is an opportunity to identify crucial open-source projects in advance. Right now, nobody is having that conversation, and it's an important conversation to have."
The first order of business will be examining OpenSSL, and potentially awarding fellowship funding for key developers, as well as allocating resources to bolster security, outside code reviews, and patch-turnaround speed for the library, according to the Linux Foundation. But it emphasized that the overall effort will not be restricted to security-related issues.
Crucially, the Core Infrastructure Initiative also represents the technology industry putting its money where its mouth is. "There's an actual, stable commitment of money -- critical if there's to be full-time engineers hired to protect this infrastructure," says Kaminsky. Also important, he says, is the choice of a de-politicized nomenclature. "'Core Infrastructure' is a great name that avoids the baggage of 'critical infrastructure' while expressing the importance of attention," he says.
The launch of the initiative now paves the way for more businesses to get involved. "We have said that OpenSSL, an important tool for millions of large organizations, needs more oversight and support," Marc Gaffan, chief business officer at Web application firewall vendor Incapsula, says via email. "We're happy to see the Linux Foundation step up to support OpenSSL and we look forward to the opportunity to participate in the program."
The Core Infrastructure launch isn't the only information security community change to have been triggered by the discovery of the Heartbleed bug, nor the only effort involved in repairing OpenSSL. In recent weeks, many security researchers have been building related patches, as well as hammering away at OpenSSL to try to identify any further bugs.
OpenBSD founder Theo de Raadt, for one, last week told Dark Reading that his group was looking to strip legacy code and risky coding practices out of OpenSSL without breaking it for anyone who's already using it. In particular, the group was eyeing OpenSSL's custom memory allocator, which de Raadt believes is vulnerable to attack: because OpenSSL recycled buffers through its own freelist rather than returning them to the system allocator, platform mitigations such as guard pages and use-after-free detection could not catch the Heartbleed over-read. Based on those efforts, however, de Raadt this week announced that, rather than trying to salvage OpenSSL, the OpenBSD community has instead forked OpenSSL and is building its own version of the free SSL/TLS library, which will be called LibreSSL.
Even so, expect others to continue investing time and energy in improving OpenSSL or extending its functionality. Google, for example, earlier this year rolled out a new TLS cipher suite, ChaCha20-Poly1305, for Chrome, which required adding a new abstraction layer (an AEAD interface) to OpenSSL. The cipher suite is designed to run about three times as fast as AES-GCM on devices that don't have built-in AES hardware acceleration, which includes most smartphones, as well as Google Glass and older PCs.
"This improves user experience, reducing latency and saving battery life by cutting down the amount of time spent encrypting and decrypting data," Elie Bursztein, Google's anti-abuse research lead and one of the four coders involved in the project, said Thursday in a blog post.