Every day there seems to be a new vulnerability discovered and reported on. And yet there was something very different about Heartbleed, a bug in OpenSSL, a library sitting at the very core of the web. Not only was its reach significant and wide-ranging, but its implications are likely to prove of lasting symbolic and tangible importance to both information security professionals and the mainstream public, because of how it changed many of our perceptions about computing.
Here, Joram Borenstein from NICE Actimize, a financial crime, risk and compliance solutions provider, examines five key ways in which Heartbleed has affected the security community three months on - and they're not necessarily all bad.
Without Heartbleed, the recently announced and rapidly pulled-together Core Infrastructure Initiative (CII), which funds open source projects that are in the critical path for core computing functions, would probably never have succeeded, or at least would have gone largely unnoticed. It might still have happened, but without much fanfare and - more importantly - without a key ingredient: funding. Instead, powerhouses like Adobe, Amazon, Cisco, Dell, Facebook, Google, HP, IBM, Intel, Microsoft, Rackspace, VMWare, and others came together to financially support key open source initiatives and to triage those projects most in need of support and assistance. We are now (hopefully) at the dawn of a new age in which large technology firms support critical pieces of open source infrastructure.
In turn, these positive developments have filtered down. Alongside the three initial projects that CII will be supporting (Network Time Protocol, OpenSSH, and OpenSSL), it is also heartening to see that other key projects such as the Open Crypto Audit Project will soon benefit from this focus on cooperation, analysis, and technical support, and on helping "evaluate open source projects that are essential to global computing infrastructure".
There is a saying that you should never put all your eggs in one basket. And yet Heartbleed demonstrated that this was exactly what the security industry had done. When the news first broke, the initial focus was on remediating vulnerable websites, followed by the realisation that the OpenSSL vulnerability affected not only websites and online services but also software packages such as virtualization products, firewalls, remote access tools and database design tools, as well as numerous versions of router firmware, GNU/Linux distributions, and some versions of mobile operating systems. As the story unfolded it quickly became clear just how much we had all come to rely on an open source project run on a shoestring budget by a handful of extremely committed programmers - and one with the clout to bring business to its knees.
As the Heartbleed OpenSSL incident became more widely known, the certificate authorities around the world also found themselves challenged to meet the massive and sudden demand that appeared overnight at their collective doorstep, because a server whose private key may have been exposed by the bug needs its certificate revoked and reissued, not just a patched library. Although not a lot has been written about what is essentially a supply chain issue - equipping the relevant parties with enough new digital certificates in time - industry experts agree that this delay points to broader fundamental issues that are worth addressing in the near future from a supply chain and infrastructure viewpoint. The fact that people are discussing this relatively esoteric and detailed topic is in and of itself a positive step, and lends credence to the notion that awareness is a force multiplier when it comes to giving the mainstream public an understanding of these rather technical issues.
The column inches dedicated to Heartbleed and OpenSSL around the world were so significant, with its discovery making front page news in several countries, that even those outside the computing industry were aware of it. This is important for two reasons. Firstly, it helps people take proactive action to protect themselves, such as changing passwords once the affected services had been patched; and secondly, security awareness up and down the ranks of management is a good thing. Other incidents that quickly followed, such as the problems recently uncovered in the GnuTLS cryptographic library, would probably never have made the press, been discussed, and then been remediated in a reasonable manner had Heartbleed not blazed a trail for security awareness. This level of focus and interest is a good thing for our collective security.
Joseph Steinberg, the cybersecurity columnist for Forbes Magazine, wrote: "Some might argue that it (Heartbleed) is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet", and with the three months of hindsight that we now have, he probably wasn't exaggerating. That being said, Heartbleed also uncovered a number of issues within the wider industry that can now be addressed in order to create more secure environments for consumers, businesses, and governments alike.
Will our bank accounts be safer, the flow of our money more secure, or our personal information less vulnerable thanks to Heartbleed? Such outcomes are hard to predict, and only time will tell. But mainstream users are well on the path to absorbing the lessons of an intense experience that was managed primarily by chief technology officers and their teams. By unintentionally increasing visibility into this niche - yet critical - part of our infrastructure, broader industry cooperation and knowledge sharing could lead to relatively rapid and tangible changes to the underlying computing infrastructure that we all rely on so heavily - and take for granted.