OpenSSL Gets Funding After Heartbleed
New Initiative Provides Money to Open Source Projects
The OpenSSL Project is receiving an infusion of much-needed funding from the new Core Infrastructure Initiative. The move follows the Heartbleed bug, a flaw in OpenSSL, the cryptographic library that provides communication security and privacy over the Internet.
The initiative, designed to provide funding for critical open-source projects, was created by The Linux Foundation, a not-for-profit consortium dedicated to fostering the growth of Linux and collaborative software development (see: Securing Open Source Post-Heartbleed).
The OpenSSL Project, an ongoing, collaborative volunteer effort that works on cryptographic functionality, will receive enough funding from the new initiative to hire two full-time core developers. The Open Crypto Audit Project, which provides technical assistance to open source software projects, will also receive funding to conduct a security audit of the OpenSSL code base.
The initiative declined to reveal the level of funding to be provided.
"OpenSSL is one of the world's most widely used security libraries," Jim Zemlin, executive director at The Linux Foundation, tells Information Security Media Group. "It is our hope that the combination of a full audit of their code base by a third party, along with funding for core developers, will improve the quality of that code."
Matthew Green, a research professor of computer science at Johns Hopkins University and a co-founder of the Open Crypto Audit Project, says the security of the Internet depends on a small number of open-source projects. "This initiative puts the resources in place to ensure the long-term viability of those projects. It makes us all more secure," he says.
In addition to OpenSSL, the initiative will provide funding for work on Network Time Protocol and OpenSSH.
The newest members of the initiative are Adobe, Bloomberg, HP, Huawei and Salesforce.com. Other members are Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, VMware and The Linux Foundation.
Before the formation of the Core Infrastructure Initiative, the OpenSSL Project faced significant financial challenges. Steve Marquess, co-founder and president of the OpenSSL Software Foundation, a corporate entity that represents the OpenSSL Project, revealed that OpenSSL typically received about $2,000 a year in donations. When news of Heartbleed broke, the foundation received almost $9,000 in donations, he says.
"Even if those donations continue to arrive at the same rate indefinitely (they won't), and even though every penny of those funds goes directly to OpenSSL team members, it is nowhere near enough to properly sustain the manpower levels needed to support such a complex and critical software product," Marquess said in an open letter.
"While OpenSSL does 'belong to the people,' it is neither realistic nor appropriate to expect that a few hundred, or even a few thousand, individuals provide all the financial support. The ones who should be contributing real resources are the commercial companies and governments who use OpenSSL extensively and take it for granted."
Shirley Inscoe, a security analyst at Aite Group, says providing adequate funding for OpenSSL has never been more important. "In the current world, where security is not just important, but absolutely critical, this funding will allow some existing code that supports our infrastructure to be updated so it can continue to be relied upon," she says.
Ed Ferrara, vice president and principal analyst at Forrester Research, sees the funding as very good news for the OpenSSL Project, which operates on a shoestring budget. "Some of the most important technologies that run the Internet today are global Web commerce and open source," he says. "They have become too valuable to leave to a completely volunteer team to maintain. Having staff that are able to focus on the technology can only be a good thing."
One concern for the Core Infrastructure Initiative moving forward is that participants may not identify all the projects that need attention in order to prioritize them appropriately, Inscoe says. "It's always much easier to bake adequate security in during development than to add it on after the fact," she says. "Some of these projects may be quite large, and if funding is limited, deserving projects may not get the attention needed."
The news that OpenSSL will receive funding comes as the Heartbleed bug continues to be an issue for organizations around the world (see: Heartbleed Bug: What Risks Remain?).
Although many of the risks associated with Heartbleed have been mitigated, some gaps still need to be addressed, especially patching internal systems that are using vulnerable OpenSSL versions, security experts say.
"Since the announcement, we're seeing Heartbleed vulnerabilities in the wild on the vast majority of penetration tests we do for clients that run a platform that could be susceptible to this bug," says Mike Weber, vice president at Coalfire Labs, a forensic investigations firm.