Internet Security Aftermath

The Core Infrastructure Initiative (“CII”) was launched as an outcome of the recent Heartbleed OpenSSL security crisis. Technology’s largest companies have come together and donated to a multi-million dollar project to fund open source projects like Open SSL, managed by the Linux Foundation. In the first week, initial founding members such as Amazon, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Qualcomm, Rackspace, and VMware committed US$3.9m over the next three years.

The funding for the Open SSL open source project will allow the Linux Foundation to hire key developers, undertake third party security audits, test Internet infrastructure, and improve response times for patches. Open source software provides the foundation for much of the Internet infrastructure. Historically, the open source model has also produced high quality security software as found by the Coverity Open Scan study.

When we think of open source, Google, IBM, and Intel come to mind. It’s good to see the Blue Chip group of technology companies come to together as a whole. Microsoft’s Steve Lipner, Partner Director of Software Security says: “Security is an industry-wide concern requiring industry-wide collaboration”.

CII will form a steering committee of CII members, developers, industry expects, and stakeholders to identify open source projects in need of support. The Committee members will oversee project roadmaps, approve funding commitments, and add additional members (crypto experts). OpenSSL will maintain independently open source, as the founding companies are not interested in “close-sourcing” the project.

Can we sit back and relax with the technology industry working together to fund security infrastructure? NO, as we have a more recent example of major security flaws! According to a published research report from FireEye, hackers have been using an Internet Explorer (IE) remote execution vulnerability, especially in the defense, energy, and financial services industries. Microsoft released a patch on May 1st, 2014 for the zero-day Internet Explorer vulnerability known as 2963983 or (CVE-2014-1776). With a large market share (57.64%) of the browser market, everyone is asked to apply the security patches immediately. There is also an increased sense of urgency as Microsoft has recently stopped supporting the Windows XP operating system, which still enjoys a 26.29% market share (NetMarketShare April 2014).

The jury is still out on whether open source or closed source software results in more secure software.

For more information on the Core Infrastructure Initiative (CII), please visit:

http://www.linuxfoundation.org/programs/core-infrastructure-initiative

This is part two of a series on the Heartbleed security flaw. For a comprehensive overview of the Heartbleed issue, please read Part one: Heartbleed Security Flaw – The Good, Bad and Ugly.

 

Questions:

  • Will the Core Infrastructure Initiative bring back confidence to Open Source?

The CII funding is a shot in the arm for open source projects like Open SSL. This is a good start to improve the stability of the Internet and hopefully a direction for the better.

OpenSSL was created back in the 1990’s to build a common set of cryptographic libraries to allow software on the Internet to benefit from the security. It was difficult for many companies to build their own cryptographic libraries. The theory of having software reviewed by the entire open source community provides more scrutiny and eyeballs on the source code.

  • Will this prevent the next major Internet Security flaw?

Microsoft released a statement on Saturday April 28, 2014 regarding a zero-day exploit in the Internet Explorer (IE) browser. The vulnerability is a remote code execution vulnerability in IE versions six to eleven, and a patch has been released. Windows XP users are at most risk since the product is no longer officially supported and therefore users do not get these updates.

IE has had 275 vulnerabilities, 53 of which already have happened in this year to date.

Vulnerability in Internet Explorer Could Allow Remote Code Execution

  • Where will the next critical security breach happen?

With consumers and enterprises adopting cloud applications and increasingly using mobile devices such as smartphones and tablets (BYOD), we’ll likely see more major security issues and breaches in mobile and the cloud.

 

For more information on CII or Microsoft’s remote code execution vulnerability, please visit:

http://www.linuxfoundation.org/programs/core-infrastructure-initiative/faq

https://technet.microsoft.com/en-US/library/security/2963983

Leave a Reply

Your email address will not be published. Required fields are marked *