A few weeks ago, Zenoss published the first of a two-part interview with Susan Sons, senior systems analyst at Indiana University's Center for Applied Cybersecurity Research. This is the second part of that interview, where Susan and I discuss the future of OpenSSL, BASH, and open source security.
Andrew: What has been done to audit open source software, and how has the situation changed for OpenSSL?
Susan: The Linux Foundation spun up the Core Infrastructure Initiative (CII) in response to Heartbleed, and they've sponsored a great deal of work on the project. Unfortunately, this isn't an isolated case. There are a lot of OSS packages that we rely on for critical applications and just assume will work. How many are in dire straits?
Andrew: I mentioned Shellshock — an exploit for BASH — and Poodle as well — another OpenSSL exploit. What is the status of the BASH project, which is used by almost every major Linux distribution? (All except Ubuntu, I believe.)
Susan: To the best of my knowledge — and I admit to not following this as closely as some others — BASH is still maintained by the Free Software Foundation. They did patch for Shellshock, but I haven't heard of any big systemic changes there.
Andrew: What about big, cash-laden companies like Canonical and Red Hat? Have they treated this as a threat to their core business and put resources into fixing these older, underlying projects that we depend on? I know that RHAT (Red Hat stock) just passed $1 billion USD in market share — certainly there's some money to ensure that the underlying free software they depend on is secure?
Susan: I haven't heard much from them, to be honest. I know they aren't funding ICEI, and I don't see them on CII's donor list on the front page.
Andrew: ICEI? That's a group I haven't heard of before. Can you tell me a bit about them?
Susan: ICEI is the Internet Civil Engineering Institute. It was founded by ESR (Eric S. Raymond) and a bunch of old-school hackers and forward-thinking folks from inside and outside the tech world. I took over as director a couple of months ago when Eric stepped down. Our mission is to support open source infrastructure software any way we can.
Andrew: So what you're saying is that the underlying social and technical problems that created these vulnerabilities do have some eyes on them now?
Susan: We're starting to get more eyes, but there aren't enough resources yet to pay people, to train people, and so on. It's not a solved problem.
Andrew: What can we expect to see over the next year as this problem gets solved? And will we continue to see fundamental flaws like Shellshock going forward?
Susan: There will be more monster [vulnerabilities]. However, expect them to become less common over time — assuming that programs like ICEI and CII are able to continue getting resources and pushing them at getting OSS infrastructure projects better resourced in terms of tools, expertise, and paid personnel.
I’d like to thank Susan for her time with this interview. She’s a longtime colleague of mine, and I will continue to bring you updates on what she’s working on in the future.