Mamoon Yunus, Forum Systems CEO, was recently featured in "Why Open Source Software Isn't as Secure as You Think" by Paul Rubens. The article dives into the potential issues with using open source code to handle sensitive traffic, and talks specifically about OpenSSL and Heartbleed, the major security flaw found in it.
Rubens brings up a critical point about the potential downside of open source code.
Just because open source code is available for inspection doesn’t mean it’s actually being inspected and is secure. It’s an important point, as the security of open source software relies on large numbers of sufficiently knowledgeable programmers scrutinizing the code to root out and fix bugs promptly.
Yunus points out the importance of reviewing and scrutinizing code that’s going into products.
You would think that it would be my responsibility as a vendor, if I commercialize OpenSSL, to put my eyeballs on it. You have to take a level of ownership of the code if you build a company based on an open source component.
Everyone assumed other eyeballs were looking at it. They took the attitude that it was a million other people’s responsibility to look at it, so it wasn’t their responsibility. That’s where the negligence comes in from an open source angle.
Yunus suggests that commercial vendors should run effective peer review programs for any open source code they use, run static and dynamic analysis tools over it, and "fuzz" the code to ensure it is as bug-free as possible. "What have these companies been doing for the last 10 or 15 years? If I were them, I would be taking a long, hard look at QA processes."
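To make the "fuzz the code" advice concrete, here is an added example that is not from the article, from Yunus or from Forum Systems. It models the defect behind Heartbleed, a heartbeat handler that trusted the peer's declared payload length without checking it against the actual record length, beside a handler that applies the same bounds check the OpenSSL fix added, and runs a small random fuzzer over both. The simulated memory layout, the SECRET placed after the record, and all function names are assumptions made for the illustration.

```python
"""Toy model of the TLS heartbeat bug (Heartbleed) plus a minimal fuzzer.
Added example, not code from the article or from Forum Systems. The memory
layout, the SECRET bytes and the function names are illustrative assumptions."""
import random
import struct

# RFC 6520 heartbeat message layout inside a TLS record:
#   type (1) | payload_length (2, big-endian) | payload | padding (>= 16 bytes)
HEARTBEAT_REQUEST = 1
MIN_PADDING = 16

# Constructed "sensitive" bytes that happen to sit in memory right after the record.
SECRET = b"session-key:deadbeef"


def vulnerable_heartbeat(memory: bytes, offset: int, record_len: int) -> bytes:
    """The Heartbleed pattern: echo back payload_length bytes as declared by the
    peer, without checking that they actually fit inside the received record.
    An oversized declared length reads past the record into whatever follows."""
    hb_type = memory[offset]
    payload_len = struct.unpack_from("!H", memory, offset + 1)[0]
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    start = offset + 3
    return memory[start:start + payload_len]  # no bounds check against record_len


def fixed_heartbeat(memory: bytes, offset: int, record_len: int) -> bytes:
    """Same handler with the two length checks the OpenSSL fix introduced:
    the record must hold at least a header plus minimum padding, and the
    declared payload plus padding must fit inside the record. Otherwise the
    message is silently discarded."""
    if 1 + 2 + MIN_PADDING > record_len:
        return b""
    hb_type = memory[offset]
    payload_len = struct.unpack_from("!H", memory, offset + 1)[0]
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return b""
    start = offset + 3
    return memory[start:start + payload_len]


def build_record(payload: bytes, declared_len: int) -> bytes:
    """Build a heartbeat request whose length field may lie about the payload."""
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", declared_len)
            + payload + b"\x00" * MIN_PADDING)


def leaks(handler, record: bytes) -> bool:
    """Oracle: lay the record out directly in front of SECRET and report
    whether the reply contains any byte that was never part of the record."""
    memory = record + SECRET
    reply = handler(memory, 0, len(record))
    return 3 + len(reply) > len(record)


def fuzz(handler, iterations: int = 2000, seed: int = 1234):
    """Feed random payloads with sometimes-honest, sometimes-random declared
    lengths to the handler; return (declared, actual) for the first leak,
    or None if no iteration leaked."""
    rng = random.Random(seed)
    for _ in range(iterations):
        payload = bytes(rng.getrandbits(8) for _ in range(rng.randint(0, 64)))
        declared = rng.choice([len(payload), rng.randint(0, 0xFFFF)])
        record = build_record(payload, declared)
        if leaks(handler, record):
            return declared, len(payload)
    return None


if __name__ == "__main__":
    print("vulnerable handler, first leaking case:", fuzz(vulnerable_heartbeat))
    print("fixed handler, first leaking case:", fuzz(fixed_heartbeat))
```

The fuzzer is only as good as its oracle. Here the oracle is trivial because the example controls the memory layout; against real C code the equivalent role is played by AddressSanitizer or a similar memory checker, which is why fuzzing is usually paired with an instrumented build rather than run on the release binary.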
The article goes on to discuss the future of OpenSSL and what has been done since Heartbleed was discovered. To read the entire article, click here.