Hey, has anyone heard about this Heartbleed security flaw thing? Just kidding… by this point, even the most casual follower of tech news has heard about Heartbleed. In short, a defect was found in an open source product that is widely used to encrypt data communications. Moreover, the defect has been present in production systems for over two years. The whole scenario illustrates both the benefits and problems with the Open Source movement.
First of all, I believe that Open Source software provides a tremendous benefit to the technology community. The whole movement illustrates what people can and will do when provided freedom and power to innovate. Many of the mainstay infrastructure components of the Internet have their roots in Open Source software — the Apache web server, the Mozilla browser and all its descendants, and, well, the entire Linux ecosystem, just to name a few.
If you are new to software development, you will almost invariably start with Linux and one of the Open Source programming languages such as Java, PHP, or Python. All these fully featured languages are available for free. In addition, many core Internet capabilities can be provided through Open Source applications, also free. While there can be a steep learning curve when using Open Source software, it lends itself to the development of very powerful web applications at an extremely affordable cost.
The problems with Open Source occur once the software is published and develops a user base. When applications are released into the “wild,” software defects will emerge as users exercise the software in ways the developers never envisioned. Most likely the defects are located in code that the application developer wrote, but occasionally the problems lie inside the Open Source software itself. Of course, the situation raises a simple question that sometimes doesn’t have a good answer — How do we get it fixed?
Classically speaking, developers of Open Source software work on a volunteer basis. Sometimes they develop software as part of an academic exercise; sometimes it’s in pursuit of a personal interest. When the software is functional (notice I didn’t say “complete”), the source code will be published so that others may use the work. Particularly useful software will develop a community of developers that update and improve it. Mature projects may even implement formal defect tracking and release processes. But let’s be clear… the developers of organically grown Open Source projects aren’t getting rich. For example, the OpenSSL project, the software containing the Heartbleed defect, receives only about $2,000 per year in donations according to OpenSSL Software Foundation President Steve Marquess.
So if a start-up integrates Open Source code into their software and later finds a bug, who can they call? In short, maybe nobody. When the start-up made the decision to include the Open Source code, they effectively agreed to become part of the community that maintains and updates the software. Likewise, when larger companies decide to go “Open Source” in order to reduce costs, they also become implicitly responsible, and possibly liable, for ensuring the proper execution of the Open Source components within their applications.
In the case of Heartbleed, the companies that blindly integrated the OpenSSL software did not perform enough inspection of the Open Source package. Now, the users of products made by Google, Yahoo, IBM, Cisco, Netflix and more are potentially left vulnerable. Moving forward, these companies are re-examining the support they give to the Open Source projects used in their products. The Linux Foundation has pledged $3.9 million to help OpenSSL and similar projects. In the meantime, check with your vendors and better get patchin’.