Last week marked the one-year anniversary of the notorious Heartbleed vulnerability. Despite being dubbed “potentially the most significant breach of Internet security ever,” it appears that not much has been done to improve the security of organizations at risk from Heartbleed.
According to research conducted by Venafi, 59% of Global 2000 firms in the US have not remediated their vulnerable public-facing systems.
The Open Source Flaw
This lack of remediation comes as no real surprise. Open-source software has no standardized, automated method of pushing out repairs of defective software en masse. Most updates must be initiated by the end-customer – assuming that the developer has a working update.
Another element to consider is that many organizations don’t even know which of their devices or software has open source flaws (some vendors don’t disclose this information until too late – if ever).
Given this limited understanding of which systems an organization owns, coupled with a lack of IT labor and expertise, most defective goods remain un-remediated.
Creating products without an understanding of the risks involved, and without ensuring that patched versions are tested and distributed, says a lot about the vendors that embed open source in their offerings. It suggests the hope of making a quick profit off the hard work of other, uncompensated, people.
By personal experience, my company tried to update a pair of VPN/Firewalls to patch the Heartbleed vulnerability. We were left with two bricked devices and hours wasted arguing with an off-shore support department uninterested in resolving our problem.
Given this negative experience, we are now loath to patch any embedded system ourselves because of the risk of permanently losing availability. We replaced the bricked devices with those from a manufacturer that patches its own systems. Now, every time I walk into our server room, I see the two dead devices and cringe at our stupidity in buying hardware that embeds open source.
Don’t get me wrong. I think open source is a great idea and provides wonderful benefits to society. However, those who use it should plan how to handle the updates that are inevitably needed.
By Philip Lieberman, President and CEO, Lieberman Software
Mr. Lieberman is an astute entrepreneur able to perceive shortcomings in the cyber security market, and fill those gaps with innovative solutions. He developed the first products for the privileged identity management space, and continues to introduce new solutions for this burgeoning security field.