There’s no getting around it: 2014 was a tough year for open source software, as two major vulnerabilities, the Heartbleed and Shellshock bugs, received major mainstream media attention.
In case you’re unfamiliar with the Heartbleed incident, here’s what happened: A developer submitted a patch (a new version of the software) to a code reviewer at OpenSSL, the project behind a ubiquitous open source encryption library. The patch contained a critical security error that the reviewer did not notice. The new version was officially released, and the problem was not discovered until March 2014, about two years later. Ultimately, the error affected nearly everyone who used the Internet during that period: about 17 percent of the world’s secure websites, roughly half a million in total, were considered vulnerable at the time Heartbleed was discovered.
Negative attention from the Heartbleed bug was compounded by the discovery of the equally infamous Shellshock bug, which had existed in the open source Bash software since 1989.
“Two brutal black eyes in such a short span made 2014 a very bad year for open source security,” explains InfoWorld Editor-in-Chief Eric Knorr in a recent article. “Yet at the same time, open source emerged in 2014 more clearly than ever as the engine of innovation for software. Could the need for software security be any greater?”
To answer Knorr’s question: it could not. According to Kaspersky Labs, for instance, protecting confidential data against leaks is now the top priority for most of the companies polled in its 2014 Security Risks Survey.
Proof of positive public opinion toward open source software can be seen in the response to the security incident at OpenSSL. Following the discovery of the bug, Linux Foundation executive director Jim Zemlin formed the Core Infrastructure Initiative, whose members include Amazon Web Services, Cisco, Dell, Facebook, Google and others, to continuously perform security audits of OpenSSL. Each company will contribute $100,000 for the next three years and will continue to monitor the open source software, searching for vulnerabilities so that this type of problem does not happen again.
As these companies prove by their steadfast commitment to open source, and despite the recently discovered Linux Ghost vulnerability, faith is still strong amongst leading U.S. technology companies that open source software is the best solution for keeping software safe.