The OpenSSL Heartbleed fiasco proves beyond any doubt what many people have suspected for a long time: Just because open source code is available for inspection doesn't mean it's actually being inspected and is secure.
It's an important point, as the security of open source software relies on large numbers of sufficiently knowledgeable programmers scrutinizing the code to root out and fix bugs promptly. This is summed up in Linus's Law: "Given enough eyeballs, all bugs are shallow."
But look at what happened with OpenSSL. Robin Seggelmann, a German programmer from Munster University, updated the OpenSSL code by adding a new Heartbeat keep-alive function. Unfortunately, he missed a necessary validation in his code to check that one particular variable had a realistic value. The member of the OpenSSL development team who checked the code before the update was released also missed it. This caused the Heartbleed bug.
One reviewer, even a handful of reviewers, can easily miss a trivial error such as this if they don't know there's a bug to be found. What's worrying is that, for two years, the Heartbleed bug existed in OpenSSL, in browsers and in Web servers, yet no one in the open source community spotted it. Not enough eyeballs scrutinized the code.
Commercial Vendors Don't Review Open Source Code
Also alarming is that OpenSSL was used as a component in hardware products offered by commercial vendors such as F5 Networks, Citrix Systems, Riverbed Technology and Barracuda Networks - all of whom failed to scrutinize the code adequately before using it, according to Mamoon Yunus, CEO of Forum Systems, a secure cloud gateway vendor.
"You would think that it would be my responsibility as a vendor, if I commercialize OpenSSL, to put my eyeballs on it," he says. "You have to take a level of ownership of the code if you build a company based on an open source component."
Instead, Yunus believes vendors just regarded OpenSSL as a useful bolt-on to their hardware products - and, since it was open source, assumed other people were examining the code. "Everyone assumed other eyeballs were looking at it. They took the attitude that it was a million other people's responsibility to look at it, so it wasn't their responsibility," he says. "That's where the negligence comes in from an open source angle."
Yunus suggests that commercial vendors should run effective peer review programs for any open source code that they use, run static and dynamic analysis tools over it and "fuzz" the code to ensure it's as bug-free as possible. "What have these companies been doing for the last 10 or 15 years? If I were them, I would be taking a long, hard look at QA processes."
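The check that was missing from the Heartbeat code, and the kind of fuzzing harness Yunus is asking vendors to run over components they ship, as an added illustration in C. This is not OpenSSL's code: the record layout is a simplified version of the TLS heartbeat message, the function names are invented, and the two sample records are constructed for the test. The "one particular variable" is the payload length the peer declares in the heartbeat request; the original code copied that many bytes into the reply without first confirming that the record actually contained them.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified heartbeat record layout (added illustration, not OpenSSL's code):
 *   byte 0     : message type (1 = request, 2 = response)
 *   bytes 1..2 : payload length, big-endian, supplied by the peer
 *   then       : payload bytes, followed by at least 16 bytes of padding
 */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3   /* type byte + 2-byte length field */
#define HB_PADDING  16  /* minimum padding the protocol requires */

/* The value the unchecked code trusted: the peer's declared payload length,
 * read straight out of the record and never compared with the record size. */
size_t hb_declared_len(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER) return 0;
    return ((size_t)rec[1] << 8) | rec[2];
}

/* The validation that was missing: header + declared payload + padding must
 * fit inside the bytes actually received. Returns 1 when the length is sane. */
int hb_length_is_sane(const uint8_t *rec, size_t rec_len, size_t *payload_len) {
    if (rec_len < HB_HEADER + HB_PADDING) return 0;
    size_t declared = hb_declared_len(rec, rec_len);
    if (HB_HEADER + declared + HB_PADDING > rec_len) return 0; /* would read past the record */
    *payload_len = declared;
    return 1;
}

/* Build the echo response. Returns bytes written to out, or 0 for a malformed
 * request (the hardened behaviour). The vulnerable version skipped
 * hb_length_is_sane() and memcpy'd `declared` bytes, so the reply could carry
 * up to 64 KB of memory that lay beyond the received record. */
size_t hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    size_t payload;
    if (!hb_length_is_sane(rec, rec_len, &payload)) return 0;
    if (rec[0] != HB_REQUEST) return 0;
    size_t resp_len = HB_HEADER + payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);   /* bounded by the check above */
    memset(out + HB_HEADER + payload, 0, HB_PADDING);    /* zero padding here; real code uses random bytes */
    return resp_len;
}

/* libFuzzer-style entry point, the sort of check the article says vendors should
 * have run: every input must be handled without reading past `size` bytes.
 * Built with -fsanitize=fuzzer,address, the unchecked version is flagged
 * within seconds; the checked version is not. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    static uint8_t out[HB_HEADER + 65535 + HB_PADDING];
    hb_respond(data, size, out, sizeof out);
    return 0;
}

/* Constructed sample record: declares 5 payload bytes and carries them. */
size_t hb_demo_well_formed(void) {
    uint8_t rec[HB_HEADER + 5 + HB_PADDING] = { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    uint8_t out[64];
    return hb_respond(rec, sizeof rec, out, sizeof out);  /* 24 */
}

/* Constructed sample record: declares 65535 payload bytes but carries only 5. */
size_t hb_demo_oversized_claim(void) {
    uint8_t rec[HB_HEADER + 5 + HB_PADDING] = { HB_REQUEST, 0xff, 0xff, 'h', 'e', 'l', 'l', 'o' };
    uint8_t out[64];
    return hb_respond(rec, sizeof rec, out, sizeof out);  /* 0: rejected */
}

/* What the unchecked code would have trusted for that same record. */
size_t hb_demo_oversized_declared(void) {
    uint8_t rec[HB_HEADER + 5 + HB_PADDING] = { HB_REQUEST, 0xff, 0xff, 'h', 'e', 'l', 'l', 'o' };
    return hb_declared_len(rec, sizeof rec);  /* 65535, against a 24-byte record */
}
```

The point of the two sample records is the gap between what the peer claims and what arrived: the second record is 24 bytes long yet asks for a 65535-byte echo. A single comparison against the record length closes the gap, and a fuzzer running under AddressSanitizer finds its absence without anyone needing to know in advance that there is a bug to look for.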