IT leaders are missing the real point of the Heartbleed OpenSSL bug, says Evan Schuman in a Computerworld.com column.
“Viewed properly, Heartbleed is a gift to IT: an urgent wake-up call to fundamental problems with how Internet security is addressed. If the call is heeded, we could see major improvements,” Schuman writes.
The problem as Schuman sees it is that the responses so far have mainly consisted of applying patches, installing new certificates and changing passwords. While these steps are needed and positive, they may leave IT leaders with a false sense of security.
Schuman says that IT leaders are failing to draw Heartbleed’s most urgent lesson: that the way the security of mission-critical software is handled has to change.
The vast destructive potential represented by Heartbleed arose from a “trivial” oversight. A developer working on improvements to OpenSSL simply forgot to validate a variable containing a length. The slip-up also got past reviewers, despite the fact that the code was in a “security-relevant area.”
The oversight has had decidedly non-trivial results, and Schuman believes the fallout should be a wake-up call for IT leaders everywhere.
“The massive planet-destroying problem is that our safety mechanisms for simple math errors are all but nonexistent,” he writes. “If our checks and balances are so fragile that a typo can obliterate all meaningful security, we have some fundamental things to fix.”
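The kind of length check Schuman is describing, shown as an added illustration that is not from the column and not OpenSSL's own code: a small C parser for a heartbeat-style record, modelled on the TLS heartbeat message layout, that validates the sender's claimed payload length against the bytes actually received before building the echo. The record layout constants, function names and the two sample records are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed record layout (modelled on the TLS heartbeat message):
 *   byte 0     : message type (1 = request, 2 = response)
 *   bytes 1..2 : payload_length, big-endian
 *   bytes 3..  : payload, followed by at least 16 bytes of padding */
#define HB_HEADER_LEN  3
#define HB_PADDING_MIN 16

/* Check the sender's claimed payload length against the number of bytes
 * that actually arrived. Returns 0 and sets *payload_len on success, -1 if
 * the record is too short or the claimed length does not fit inside it.
 * This is the "trivial" validation whose absence the column describes. */
int hb_validate(const uint8_t *rec, size_t rec_len, uint16_t *payload_len) {
    if (rec_len < (size_t)HB_HEADER_LEN + HB_PADDING_MIN) return -1;
    uint16_t claimed = (uint16_t)(((unsigned)rec[1] << 8) | rec[2]);
    /* size_t arithmetic: the sum cannot wrap for a 16-bit claimed length */
    if ((size_t)HB_HEADER_LEN + claimed + HB_PADDING_MIN > rec_len) return -1;
    *payload_len = claimed;
    return 0;
}

/* Build the echo response from validated bytes only. Returns the number of
 * bytes written to out, or -1 if the record is invalid or out is too small. */
int hb_echo(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    uint16_t plen;
    if (hb_validate(rec, rec_len, &plen) != 0) return -1;
    size_t need = (size_t)HB_HEADER_LEN + plen + HB_PADDING_MIN;
    if (need > out_cap) return -1;
    out[0] = 2;                 /* response type */
    out[1] = rec[1];            /* echo the (now validated) length field */
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, plen);   /* only plen bytes */
    memset(out + HB_HEADER_LEN + plen, 0, HB_PADDING_MIN);    /* fresh padding */
    return (int)need;
}

/* Constructed sample records for the demonstration. */
static const uint8_t good_rec[] = {
    1, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',            /* claims 5 bytes, sends 5 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0     /* 16 bytes of padding */
};
static const uint8_t bad_rec[] = {
    1, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o',            /* claims 65535, sends 5 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Well-formed record: the echo is header + 5 payload bytes + padding = 24. */
int demo_good(void) {
    uint8_t out[64];
    return hb_echo(good_rec, sizeof good_rec, out, sizeof out);
}

/* Malformed record: the claimed length exceeds what arrived, so it is rejected. */
int demo_bad(void) {
    uint8_t out[64];
    return hb_echo(bad_rec, sizeof bad_rec, out, sizeof out);
}

int main(void) {
    printf("good record -> %d bytes echoed\n", demo_good());  /* 24 */
    printf("bad record  -> %d (rejected)\n", demo_bad());     /* -1 */
    return 0;
}
```

Without the comparison in `hb_validate`, the `memcpy` in `hb_echo` would copy `claimed` bytes starting at the payload, reading past the end of the received record into whatever memory follows it; that single missing comparison against `rec_len` is the whole difference between the two outcomes above.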
Schuman says the fundamental problem may be excessive trust on the part of IT security managers, and quotes David Schoenberger, CIO of security vendor Transcertain, to make his point.
“This is going to make people rethink what we’re doing,” Schoenberger says. “There are so many things overlooked, taken for granted. In the IT world, we’ve relied on the trust factor for so long.”
Schoenberger points to the way IT managers in even very large enterprises simply count on peer-reviewed open source software to be secure, without taking time to check it out properly.
“Because something mostly works and, as far as perception goes, it works well, it passes all our tests,” Schoenberger says. “It sucks the way testing is occurring right now with open source. But I won’t even limit it to open source, as this could have happened to a commercial provider. Could have happened to anyone.”