All alarms went off last week when a serious security flaw called Heartbleed in the OpenSSL cryptographic library was published. This library is used by a large part of the servers on the Internet as well as much security software.
As it could not be otherwise, the conspiracy theories claim this bug was introduced or abused for some time by the NSA. Anyway, this bug proves that Open Source software isn’t safer if nobody looks at it (it has taken two years to identify this bug!) and if secure development practices are not followed.
I do not know if the OpenSSL team follows any secure development framework but the fact that a single programmer can make changes to the code without any kind of validation ¿? is a much more serious mistake than the bug itself.
It is certainly a severe blow to the Open Source community that is often presented as safer since everyone can read the code. This bug makes clear that just being Open Source isn’t enough.
I will not get tired of repeating it: it doesn’t matter if you are Open Source software or commercial software, if your company only develops software for internal use or has an ISV that develops for you, it will never be secure software if not developed following a secure development framework such as MS SDL, BSIMM or OpenSAMM.
We hope that this bug is a wake-up call for anyone who develops software about the importance of security and investing in it.
I can also confirm that this bug works like a charm 😉
What do you think about this bug?
— Simon Roses Femerling
