One of the problems with some open source software is there sometimes aren’t enough volunteer developers to comb through code to ensure there are no holes. That appears to have been the problem that led to the OpenSSL Heartbleed vulnerability discovered last month.
That’s about to change somewhat. Today the Linux Foundation announced a project called the Core Infrastructure Initiative that will fund fellowships for developers to work full time on open source projects, security audits, computing and test infrastructure. The money will cover travel and other support.
A steering committee has prioritized critical open source software projects for applicants including OpenSSL, OpenSSH and Network Time Protocol for the first round of funding. OpenSSL will receive funds from CII for two fulltime core developers. The Open Crypto Audit Project (OCAP) will also receive funding in order to conduct a security audit of the OpenSSL code base.
“All software development requires support and funding. Open source software is no exception and warrants a level of support on par with the dominant role it plays supporting today’s global information infrastructure,” Jim Zemlin, executive director at The Linux Foundation, said in a statement announcing the initiative.
“CII implements the same collaborative approach that is used to build software to help fund the most critical projects. The aim of CII is to move from the reactive, crisis-driven responses to a measured, proactive way to identify and fund those projects that are in need. I am thrilled that we now have a forum to connect those in need with those with funds.”
OpenSSL is a widely-used cryptographic solution, but a vulnerability revealed last month led consternation around the world as Web sites were temporarily shuttered while the bug was fixed. However, Revenue Canada believes some 900 social insurance numbers were captured by attackers.
Heartbleed is the name given to a coding error in the open source implementation of the SSL and TSL encryption protocols called OpenSSL. The encryption is used to protect the transport of a wide range of data including private keys, user names and passwords held by public and private organizations. Briefly, part of the SSSL transaction involves a so-called heartbeat. The coding vulnerability allows someone to “bleed” out sensitive information held in memory through packets that trigger a buffer over-read.
OpenSSL developers have said one of the reasons the vulnerability was missed was because there weren’t enough eyes watching the code.
Initial members of the Core Infrastructure Initiative include some of the biggest names in IT who also use some open source code in their applications: Amazon Web Services, Cisco Systems, Dell Inc., Facebook, Fujitsu, Google, IBM Corp., Intel, Microsoft Corp., NetApp, Rackspace and VMware. They have just been joined by Adobe, Bloomberg, Hewlett-Packard Co., Huawei Technologies and Salesforce.com