Critical 0-days in open source? The problem isn't code, it's CASH
Linux Foundation honcho talks turkey on funding war on vulns
Linux Foundation Executive Director Jim Zemlin thinks the information security world needs fewer surgeons and more personal trainers, and he's putting his organization's money where his mouth is.
Speaking at this year's Linux Foundation Collaboration Summit, an invite-only event taking place this week in Santa Rosa, California, Zemlin took a break from his customary Linux and open source cheerleading to stress that the open source community needs to do more to address security.
Last year's "Heartbleed" vulnerability in the OpenSSL encryption library, Zemlin said, was the wake-up call – and it was only the beginning.
"There have been a variety of high-profile attacks coming from open source projects that have resulted in real, true problems," Zemlin said. "Hundreds of millions of dollars in problems to remediate these vulnerabilities ... actual loss, in cases where those vulnerabilities were exploited."
Typically, the community addresses such issues the way a surgeon would: identifying the problem, operating to remediate them, and then moving on to the next crisis. A better approach, Zemlin said, would be to attack security more like a personal trainer.
"A personal trainer is painful and they stink to work with, day in and day out, but they basically keep you healthy so you don't go in to the doctor in the first place," Zemlin said.
That's the approach the Linux Foundation is taking with the Core Infrastructure Initiative (CII), an effort that it launched last year specifically to address Heartbleed but also to tackle security issues in other open source projects that are critical to the internet's overall well-being.
Since its inception, 20 major tech companies have signed on to participate in CII, including Amazon, Cisco, Google, HP, IBM, Intel, and Microsoft, among others. The initiative also boasts an advisory board that reads like a who's-who of open source luminaries.
One of the main ways that CII addresses the security problem is simply by providing funding for the developers who build and maintain critical open source software.
Earlier this month, GNU Privacy Guard developer Werner Koch revealed that he had been maintaining the project on around $25,000 per year, and that without additional funding he would have to abandon it. He's hardly alone.
Zemlin said that until recently, Harlan Stenn, maintainer of the Network Time Protocol daemon (NTPd) – essentially, the clock of the internet – was likewise earning around $25,000 per year. The OpenSSL Foundation, on the other hand, was raising less than $2,000 per year.
Eyeballs? What eyeballs?
Zemlin argued that the open source community – and the internet at large – can't afford to lose developers like these because of lack of funds. In the open source world, it's an oft-stated maxim that "given enough eyeballs, all bugs are shallow." But often the "eyeballs" just aren't there. In the case of OpenSSL, for example, what limited funds were available mainly went to two developers, Steve Henson and Steve Marquess.
"Not enough eyeballs? There are no eyeballs here," Zemlin said. "Two guys named Steve, and I hear they also have a very nice dog. The dog wasn't doing code review."
Since identifying this problem, CII has provided fellowships to two developers to work on OpenSSL full-time, in addition to offering funding to several other core open source projects.
But some of its cash also goes toward working with outside companies to conduct independent code audits of open source projects – in essence, creating eyeballs where previously there were none. An audit of all 500,000 lines of OpenSSL code has been underway since January, Zemlin said.
CII is also working to develop a set of security best practices that maintainers of open source projects can use to ensure that they're writing secure code to begin with.
And it is also conducting a census of major open source projects to identify which ones might be the source of the next Heartbleed, paying special attention to projects that are widely used but are very old, very complex, or have few developers maintaining them.
That's where the broader community can help, Zemlin said. For one thing, if there are other pieces of critical internet infrastructure that aren't getting the attention they require, the Linux Foundation would like to hear about it.
"We have resources to provide," Zemlin said. "We are looking to help."
Equally important, Zemlin said, he would like to see more interested companies joining the Core Infrastructure Initiative to help in the fight – and especially to help fund it, because CII's resources are far from infinite.
"We've raised about $6m over three years. $2m a year," Zemlin said. "I can tell you right now: It seems like a lot of money. It is not enough. It is not enough money to go out and do all of the things I've described today and do them well." ®