On page A5 of the April 24, 2014 issue of The Wall Street Journal, there is a full page “Paid Advertisement” with the title “Internet Security and Heartbleed.”
The ad, which is in the form of a letter from Klaus Brandstätter, CEO of software company HOB, touts HOB-SSL as a replacement for OpenSSL. The latter has been spread across the news lately because of a “catastrophic” error in OpenSSL. The error is nick-named Heartbleed and enables bad guys to access personal information more readily.
In his letter, Brandstätter suggests that the developer, who made the OpenSSL error, is “not particularly intelligent and does not possess the necessary basic knowledge.” However, even the most intelligent of programmers sometimes make mistakes. In the OpenSSL case, some of the blame for not catching the error before the updated program was released has been shared with the person responsible for testing the software. A comprehensive verification and validation testing program is essential to reducing software errors.
Brandstätter denigrates open source software and praises commercial software, particularly his software, claiming that “the vast majority of open-source software is of very poor quality.” The broad and successful adoption by major corporations, government agencies and academic institutions of open-source software, such as Apache, Android, Linux, Chrome, Firefox and OpenSSL, suggests that many open-source programs are indeed solid and effective products, and are well supported. Clearly there were deficiencies in the support of OpenSSL, as well as other open-source and commercial software, but that doesn’t mean that most open-source programs are less well supported than their commercial cousins. In some cases, the opposite is true. Indeed, some software makers have turned over older versions of their own commercial software, which they no longer are willing or able to support, to open-source communities to maintain.
For the most part, I am neutral with respect to open-source versus commercial software security. Open-source advocates hold that, because a large population of qualified software engineers has access to the source code, there are potentially many eyes focusing on it and discovering any flaws. Opponents of open-source claim that such visibility is dangerous because bad guys can see exactly what the programs do and therefore can subvert them. But much commercial-off-the-shelf software has major flaws also, as we recently saw with Microsoft’s Internet Explorer browser. On April 28, 2014, Jim Finkle of Reuters reported that “the U.S. and U.K. governments … advised computer users to consider using alternatives to … Internet Explorer.” Ironically, in the same article, a professor suggests using open-source Chrome and Firefox browsers until Microsoft comes up with a fix, which they have apparently.
While it is praiseworthy that HOB certifies its software in accordance with the Common Criteria, there are inherent limitations of this and other certification programs. The costly Common Criteria certification process can take years to complete, by which time the original software may have been replaced with newer versions to which the specific certification of the original software no longer applies. Furthermore certification usually pertains to a specific version of a software product, which is evaluated at a particular point in time and in a given environment. No certifications can account for the wide variety of contexts in which the software might operate.
Keeping secret one’s source code, which can be read by humans, is a double-edged sword. On the one hand, it is more difficult for those with malicious intentions to seek out vulnerabilities in hidden code. On the other hand, the lack of availability of source code does not allow full customer or third-party security testing. Some security companies have technologies that discover vulnerabilities by scanning object code (i.e., code that has been converted into a form immediately understandable by machines but not by humans), but that is not as effective as independent source code reviews, which software makers seem loathe to allow.
I agree with Brandstätter that software needs to be designed and developed according to stricter security architectures and secure coding standards and must undergo more stringent security reviews and certifications, particularly when the software supports crucial segments of the critical infrastructure.
Both the OpenSSL and the Internet Explorer flaws should alert the general public to the sorry state of software security, whether the software is open source, off the shelf, or home grown. Since no one has been able to demonstrate software as being totally secure according to some mathematical proof, how can we ever be sure that it is secure enough? I will not be too surprised if and when someone hacks into HOB-SSL … just to prove a point. After all, Brandstätter has thrown down the gauntlet.