Post Heartbleed – some thoughts

April 11, 2014 – 4:25 pm by System Administrator

The Heartbleed issue has struck the heart of the internet and extended its scope from just web sites to routers and smartphone operating systems. Maybe the International Space Station is also a victim. NASA?

OpenSSL was pervasively used, but apparently only 4 developers worked on it. It had $200 of donations. That seems pathetic, and we deserve what we collectively put in.

I have not trusted developers to do a thorough job of testing the software they write. Even code reviews by skilled peers are not enough. It needs the eye and brains of a sharp tester to find issues with code.

I would advocate the following:

- Open Source software solutions should post the details of the tests conducted on the software.

- Large well funded corporations and entities that use Open Source software MUST be obligated to contribute.

- Every piece of software or service must declare the software that it did not write itself. This must be available via an API, like a manifest.

- Any entity or person that uses Open Source solutions must have a mechanism for registering their usage, so customers that depend on such solutions completely understand the risk.

- Startups are especially at risk here. Personnel turn over frequently, documentation is not done well, and they have few resources to respond to issues. CTOs, take note: knowing your stack inside out is very, very important.

- We have Emergency Alert Systems for potential disasters that could impact human life. With so much at stake in the Internet Economy, an alert system for software emergencies is clearly needed.
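The manifest-via-API and alert-system proposals above fit together naturally: if every service publishes what third-party software it ships, an advisory can be matched against those manifests to find who is exposed. The sketch below is an added example, not code from the post or from any project it mentions. The service names, their manifests and the `get_manifest` endpoint are constructed stand-ins; the affected OpenSSL range (1.0.1 up to but not including 1.0.1g) is the real Heartbleed range.

```python
"""Added example: service dependency manifests plus an advisory check.

Each service exposes a manifest of the third-party components it ships (here a
constructed JSON body instead of a real HTTP endpoint). An advisory names a
component and an affected version range; matching it against every manifest
yields the list of services that need patching.
"""
import json
import re
from dataclasses import dataclass

# Constructed manifests: the JSON body each service would return from its
# (hypothetical) GET /manifest endpoint.
SERVICE_MANIFESTS = {
    "billing-api":  '{"openssl": "1.0.1e", "nginx": "1.4.7", "zlib": "1.2.8"}',
    "login-portal": '{"openssl": "1.0.1g", "nginx": "1.4.7"}',
    "legacy-vpn":   '{"openssl": "0.9.8y"}',
    "batch-worker": '{"zlib": "1.2.8"}',
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)$")


def version_key(version):
    """Turn an OpenSSL-style version string such as '1.0.1f' into a sortable key.

    Numeric parts compare numerically; a trailing patch letter sorts after the
    bare release ('1.0.1' < '1.0.1a' < '1.0.1g' < '1.0.2').
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return (numbers, match.group(2))


def get_manifest(service):
    """Stand-in for calling a service's manifest endpoint and parsing the JSON body."""
    return json.loads(SERVICE_MANIFESTS[service])


@dataclass(frozen=True)
class Advisory:
    component: str
    first_affected: str   # inclusive lower bound
    first_fixed: str      # exclusive upper bound (the release that carries the fix)

    def affects(self, version):
        """True if `version` lies in [first_affected, first_fixed)."""
        key = version_key(version)
        return version_key(self.first_affected) <= key < version_key(self.first_fixed)


# Heartbleed affected OpenSSL 1.0.1 through 1.0.1f; 1.0.1g carries the fix.
HEARTBLEED = Advisory(component="openssl", first_affected="1.0.1", first_fixed="1.0.1g")


def exposed_services(advisory, services=None):
    """Return {service: version} for every service whose manifest lists an affected version."""
    hits = {}
    for name in (services if services is not None else SERVICE_MANIFESTS):
        manifest = get_manifest(name)
        version = manifest.get(advisory.component)
        if version is not None and advisory.affects(version):
            hits[name] = version
    return hits


if __name__ == "__main__":
    # What an alert would carry: who is exposed and what they are running.
    for service, version in sorted(exposed_services(HEARTBLEED).items()):
        print(f"ALERT {HEARTBLEED.component}: {service} ships {version}, "
              f"upgrade to >= {HEARTBLEED.first_fixed}")
```

The interesting cases are the ones a naive string comparison gets wrong: `1.0.1g` must count as fixed even though it sorts after `1.0.1f` alphabetically for the wrong reason, `0.9.8y` must not match at all, and a service that does not ship the component must simply be skipped rather than reported.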

Krish
