We're Still Here
The Heartbleed bug came and went, and the world is still here. We have seen yet another media hype that told us that this bug would change the world as we know it. It didn't happen. So is it time to move on? Nothing to see here? On the contrary.
The IT security world has two of the most important things ever to learn from this.
The Free and Open Source Promise Just Wasn't True
Indeed. There is plenty of wishful thinking around, just like this article about FOSS (Free and Open Source Software).
"And there's no way the limited set of developers and testers within those companies can test their products as well as the worldwide community constantly scrutinizing FOSS can."
So, let's have a look att this worldwide community that "constantly scrutinize open source software". The german newspaper Der Spiegel had an interview with the unlucky programmer that actually wrote the Heartbleed bug, according to Deutsche Welle.
"I've worked on OpenSSL and filed a number of bug fixes and new features. In one patch for a new feature I apparently overlooked a length check," the unnamed programmer told Der Spiegel, adding that, "the mistake itself is fairly trivial." He said the mistake was also overlooked by someone checking the work in the United Kingdom. Despite being exposed this week, the flaw has gone undetected for two years."
Let's see what we can learn from this:
- OpenSSL is security sortware, encryption stuff. This is the single area where peer review and independent QA is most accepted, required, and needed.
- Open SSL was used on two thirds of the web servers in the world. It's sheer deployment base should have caused legions of people doing QA for free.
- There was one (1) developer, and one (1) single QA person involved here.
These vast hordes of unpaid experts, doing security tests for free and for the common good, they just didn't exist. There are definetly some things to learn here.
Things Will Change
My next posts, coming up a few days from now, will cover two trends that I believe will shape the future of security testing. And to make my case clear: the Heartbleed bug really does a great job of highlighting why these changes are needed.
So, my next blog post will be about the changing technicalities of security testing. After that, I will write about the human factor and an unexpected key performance indicator to use when reviewing proposals for security testing projects.
Working at Cybercom, I have already seen these trends in the telecom industry and they are definetly moving into the security world as well. Things will change.
As Bob Dylan sang: "the present now will later be past". We're not into the IT industry because we want to hold on to the past, right?