GCN : April 2015
Massive OpenSSL audit hopes to squash Heartbleed-like bugs
By Brian Robinson, CyberEye column, GCN, April 2015, page 14

OpenSSL is back in the news, about a year after it first made a splash with the now infamous Heartbleed bug. This time around, however, it looks like it could be a good thing. Cryptography Services, the cryptography practice of NCC Group, has been engaged by the Linux Foundation's Core Infrastructure Initiative (CII) to audit OpenSSL's security. It's billed as an independent audit, even though the CII has been instrumental over the past year in trying to right the OpenSSL ship by providing some of the money to get the beleaguered open source project full-time development help.

CII is a multimillion-dollar project housed at the Linux Foundation to fund open source projects that provide core computing functions. Created in response to the Heartbleed crisis, the Initiative's funds are administered by the Linux Foundation and directed by a steering group of industry backers.

Heartbleed was a major shock to the cybersecurity ecosystem for several reasons. OpenSSL is widely used in both public and private organizations' network and system security; the coding mistake behind the bug, a missing bounds check in the TLS heartbeat extension, went undetected for more than two years before it was patched; and no one could say for certain how many systems had been affected or what data might have been compromised.

The crisis created by that bug fed into a broader concern about open source software, with other threats adding to the worries: the Shellshock vulnerability in the Bash shell shipped with Linux and Unix systems, and a SQL injection vulnerability in the popular Drupal content management system.

It's not as if any of these major open source resources can easily be replaced. OpenSSL is reckoned to be used on up to two-thirds of existing web servers; Linux and Unix also drive many servers, and Drupal has become a reliable and flexible option for website operations, including those at the White House and other government agencies.

Open source software isn't alone in having security holes, of course, as many users of Microsoft, Apple, Adobe, Java and other proprietary software know. But open source security is seen as suffering from the same resource that's considered its strength, namely an army of volunteer developers. On the one hand that leads to the innovation and fast turnaround of new features that users of open source crave, but it also creates more opportunities for tampering and coding mistakes.

According to Gartner, 95 percent of all mainstream IT organizations will leverage some element of open source software, directly or indirectly, within their mission-critical IT systems in 2015. At that scale, introduced vulnerabilities are to be expected. In a recent analysis of more than 5,300 applications uploaded to its platform, Veracode, a security firm that runs a cloud-based vulnerability scanning service, found that third-party components introduce an average of 24 known vulnerabilities into each web application.

Admittedly, others think all those volunteer developers can also be a security strength, since it puts that many more eyeballs on the code. However, the events of 2014 threw enough doubt on the security of open source software that both industry and government have been moved to do something to improve it, from bills aimed at securing the software supply chain to proposals for controls on the use of third-party software components.

At first glance, the Cryptography Services audit looks to be the most comprehensive and important of these efforts. According to the consultants who will be running it, the audit will cover a range of security concerns but will focus primarily on the Transport Layer Security stacks and on protocol flow, state transitions and memory management.

The audit may be the largest effort to date to review OpenSSL, the group said, and it's "definitely the most public." It is meant to help spot and fix bugs such as Heartbleed before they become the kind of problem they did last year. Preliminary results of the audit could be out by the beginning of the summer, Cryptography Services said.

It should be eagerly anticipated, as the revelation of Heartbleed, Shellshock and other bugs hasn't necessarily brought better security. Months after the initial announcement of Heartbleed, around half of the roughly 500,000 servers thought to be vulnerable to the bug had not been fixed. And the vulnerabilities keep on giving, with Cisco just one of the latest vendors to say that its products had been affected.