My Heart-bleed[s] for Open Source and Monocultures

To all supporters of ubiquitous open-source software … my sincere condolences. Who would have thought that the innocent mistake of a volunteer programmer trying to “improve” OpenSSL (a missing bounds check in the then-new TLS heartbeat extension), subsequently missed by a volunteer tester, would lead to what may turn out to be the biggest security gaffe in history? The Heartbleed bug is said to affect OpenSSL installations on some two-thirds of all websites.
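To make that “innocent mistake” concrete, here is a small C model of the Heartbleed bug (CVE-2014-0160) and of the check that fixed it. This is an added example written for this column, not OpenSSL’s own source: the record layout follows the TLS heartbeat message (a one-byte type, a two-byte length, the payload, and at least 16 bytes of padding), but the process-memory buffer, the constructed secret placed after the record, and the function names are simplifications assumed for illustration.

```c
/* Added example, not OpenSSL's code: a model of the Heartbleed bounds-check
 * bug (CVE-2014-0160) and its fix. The record layout mirrors the TLS heartbeat
 * message; the "process memory" buffer and SECRET are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR      3    /* 1-byte type + 2-byte big-endian payload length */
#define HB_PADDING  16   /* minimum padding RFC 6520 requires after the payload */

/* Constructed secret that sits right after the record in memory, standing in
 * for whatever the real heap held next to the heartbeat buffer. */
static const char SECRET[] = "SECRET-KEY-BYTES";

/* Build a heartbeat request whose length field says `claimed` bytes but which
 * actually carries `actual` payload bytes, followed in memory by SECRET.
 * Returns the record length the TLS record layer would report (0 on overflow). */
static size_t build_request(uint8_t *mem, size_t memlen, uint16_t claimed, size_t actual)
{
    size_t reclen = HB_HDR + actual + HB_PADDING;
    if (reclen + sizeof SECRET > memlen) return 0;   /* keep the demo inside `mem` */
    memset(mem, 0, memlen);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed >> 8);
    mem[2] = (uint8_t)(claimed & 0xff);
    memset(mem + HB_HDR, 'A', actual);
    memcpy(mem + reclen, SECRET, sizeof SECRET - 1);
    return reclen;
}

/* Vulnerable handler: trusts the peer-supplied length field and copies that
 * many bytes from after the header, never asking how long the record was.
 * Returns the number of payload bytes echoed, or -1 on a malformed request. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t reclen,
                                uint8_t *out, size_t outlen)
{
    (void)reclen;                                      /* the bug: never consulted */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR + (size_t)payload > outlen) return -1;  /* protects only `out` */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);       /* reads past the record */
    return payload;
}

/* Fixed handler: the record must be long enough for a header plus padding, and
 * the claimed payload plus padding must fit inside the record actually received. */
static int heartbeat_fixed(const uint8_t *rec, size_t reclen,
                           uint8_t *out, size_t outlen)
{
    if (reclen < HB_HDR + HB_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR + (size_t)payload + HB_PADDING > reclen) return -1; /* the Heartbleed check */
    if (HB_HDR + (size_t)payload > outlen) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);
    return payload;
}

/* Crude leak detector: does the echoed payload contain SECRET? */
static int response_leaks_secret(const uint8_t *resp, int n)
{
    const size_t slen = sizeof SECRET - 1;
    if (n < 0) return 0;
    size_t total = HB_HDR + (size_t)n;
    for (size_t i = HB_HDR; i + slen <= total; i++)
        if (memcmp(resp + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* Run one request through either handler. Returns -1 if the handler rejected
 * it, 1 if the response contains the secret, 0 if it responded without leaking. */
static int run(uint16_t claimed, size_t actual, int use_fixed)
{
    uint8_t mem[64], resp[64];
    size_t reclen = build_request(mem, sizeof mem, claimed, actual);
    if (reclen == 0) return -1;
    int n = use_fixed ? heartbeat_fixed(mem, reclen, resp, sizeof resp)
                      : heartbeat_vulnerable(mem, reclen, resp, sizeof resp);
    return n < 0 ? -1 : response_leaks_secret(resp, n);
}

int main(void)
{
    printf("claimed 40, sent 4, vulnerable: %d (1 = secret leaked)\n", run(40, 4, 0));
    printf("claimed 40, sent 4, fixed:      %d (-1 = rejected)\n",     run(40, 4, 1));
    printf("claimed 4,  sent 4, fixed:      %d (0 = clean echo)\n",    run(4, 4, 1));
    return 0;
}
```

The real attack asked for up to 64 KiB per heartbeat and repeated the request, so each response was a fresh slice of heap; what it returned depended entirely on what happened to be adjacent, which is why keys and session cookies showed up in the wild.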

Another major open-source software product is Apache, which is installed on about half of all active websites according to a report at  Although Apache’s “market” share has been falling, it still runs a sizable number of web servers, so that, if it were shown to be vulnerable (as OpenSSL has been), the impact could be enormous. (Apache does not implement TLS itself; with mod_ssl it links against OpenSSL, so many Apache servers were in fact exposed by Heartbleed, just as nginx servers were.) So far, we have not seen an Apache vulnerability of comparable reach. But that doesn’t mean one doesn’t exist.

To those who were concerned about the dangers of software monocultures … you were right! The report that raised this issue in a very public way was “CyberInsecurity: The Cost of Monopoly – How the Dominance of Microsoft’s Products Poses a Risk to Security.” It is no longer available in the original PDF format on the CCIA website, where it was originally posted, but can be read in HTML format at  I wrote about monocultures in my March 30, 2009 BlogInfoSec column “Are System Monocultures More or Less Secure? Yes!” My position was somewhat neutral at the time, since Professors Fred Schneider and Ken Birman had presented good arguments against the proposition that monocultures are dangerous. (See the article “The Monoculture Risk Put into Context,” which appeared in the January/February 2009 issue of the IEEE Security & Privacy journal.) Schneider and Birman argued that apparent monocultures are more diverse than they look, because the same software often runs in different configurations and contexts. Apparently not so for OpenSSL, whose single code base is shared by web servers, mail servers and VPN gateways alike!

There was quite an active discussion of the security of FOSS (Free and Open Source Software) in the period around 2004-2008. For example, I wrote an article in the July 2006 issue of the ISSA Journal with the title “Does FOSS Pay? Weighing the Security Risks and Benefits of Open Source Software.” At that time my position was that the security of FOSS and COTS (Commercial Off-The-Shelf) software was about the same. However, there can be support issues with open-source software, as Heartbleed has made only too evident. While many FOSS products may be adequately supported, there can be major problems if you want someone to fix a bug or add a feature, as came out of a study by Fortify, now HP Fortify. You can read about this study in a Network World article (July 21, 2008) by Ellen Messmer with the title “Open source software a security risk, study claims: ‘Go into this with your eyes wide open,’ says Howard Schmidt, former White House cybersecurity czar,” available at

In many regards, the bug in OpenSSL has opened up new discussions about the purported security of open-source software and the risks of monocultures. Both are real risks that need to be addressed in creative ways. Open-source software isn’t going away and preferred products will sometimes dominate the marketplace. We have been living with this situation for decades and will continue to do so.

However, that doesn’t mean that we should do nothing. There have to be strictly enforced security requirements for FOSS, and a means of paying for vulnerabilities to be fixed quickly has to be introduced. Also, there has to be a push toward diversity. It’s comforting to know that you are using widely installed software, but not so much if an attacker can take down the whole population with one bug. It really is a matter of compromise … more security, more diversity … but not too much! Go figure.

Author’s note: After I had first written this column, it was announced that the browser Internet Explorer (IE) from Microsoft (MS) contained a major vulnerability for which MS had no immediate patch. It was suggested that users not run IE but turn to other browsers such as Chrome and Firefox (Firefox is open source, and Chrome is built on the open-source Chromium code base!). So much for Microsoft’s SDL (Security Development Lifecycle), which the company has been touting ever since Bill Gates mandated the quest for trustworthy computing. I’m not saying that MS hasn’t greatly improved the security quality of its products … it indeed has. But it goes to show you that nobody can guarantee absolute security and that building security into software is still a very difficult task, for big, wealthy software makers and open-source communities alike.
