By Barry Levine / CIO Today. Updated April 21, 2014.
Fallout and followup continue from Heartbleed, the vulnerability recently discovered in some versions of the widely used OpenSSL encrypting software. Some reports indicate that the vast majority of Web sites have patched themselves, and there are some questions being asked about the overall reliability of open-source programs.
Security firm Sucuri Security has scanned the top million Web sites for Heartbleed vulnerability. In a posting last week on its corporate blog, Sucuri said it found none of the top 1,000 sites vulnerable, only 0.53 percent of the top 10,000, 1.5 percent of the top 100,0000 and 2 percent of the top 1 million.
But Avivah Litan, a security analyst with industry research Gartner, told us she was "not so convinced" that only a tiny percentage remain vulnerable.
She pointed particularly to financial-sector sites, which, she said, "owe it to consumers" to let them know if they need to change their passwords or if all is OK. In addition, she pointed out, "thousands of community banks rely on service providers," and their status is similarly unclear.
Overall, Litan said she was "actually very disappointed" with the response by many sites in making their status clear, especially those that conduct financial transactions.
A poll by the Huffington Post and YouGov found that only 23 percent of responding Web users have checked to see if the Web sites they use have been affected by the bug. Slightly more than 38 percent have changed their passwords.
Meanwhile, the fallout includes some hits on whether open-source software is up to the task of providing solutions for key infrastructure. Some observers are noting that the OpenSSL Software Foundation, tasked with overseeing OpenSSL, is run by two full-time employees, a handful of volunteers, and a small budget.
'You Get What You Pay For'
Additionally, the bug became part of the code about two years ago, so it's taken that long for the error to be discovered. In fact, Steve Marquess, president of the OpenSSL Foundation, said in a recent open letter that "the mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn't happened more often."
There are also reports that Google knew about the vulnerability a fair amount of time before it became widely known. According to the time stamp on the patch file that Google developed and sent to OpenSSL for distribution, the tech giant developed and implemented the patch internally more than a week before it notified OpenSSL about the issue.
One question that is being raised is whether a key piece of software that is used on the sites of Amazon, Yahoo, the FBI, Android smartphones and in the software of U.S. military weapons systems, among many other implementations, should be developed and maintained by an open-source community.
Gartner's Litan told us that, with open source, "at least it's transparent," which she said was more than could be said for many commercial software packages where the source code is not available and bugs may not be publicized. Commercial software companies, she pointed out, "have no obligation to report their vulnerabilities."
On the other hand, she noted that there's the principle of "you get what you pay for," and that there's an argument against using open-source software for critical infrastructure.