The larger security initiative at play
The OpenSSL audit is only one facet of a broader strategy by the Linux Foundation, the CII and the OpenSSL team to strengthen the critical open-source implementations behind Web security protocols as a whole. The CII is also funding two full-time OpenSSL developers, and it currently supports not just OpenSSL but the GnuPG, OpenSSH and NTP open-source projects as well.
The foundation is also working on a Core Infrastructure Census and security best practices.
“OpenSSL is one of the most important and ubiquitous open-source projects in the world, used in literally billions of servers and devices,” said Jim Zemlin, executive director of the Linux Foundation. “Given the issues raised by Heartbleed and the acknowledgment that the code had not received sufficient attention for years, CII felt that an external audit could help surface additional insight and add confidence in the quality of the code.”
Zemlin explained that the audit is complementary to everything else the CII is doing, and that, now that OpenSSL has a stable codebase, any issues the audit uncovers could potentially apply not only to OpenSSL itself but also to forks of the OpenSSL codebase, such as OpenBSD's LibreSSL, that still share code with it.
“An audit is only one of the areas in which CII is investing,” said Zemlin. “Auditing is expensive and is not guaranteed to find all issues, but is appropriate for the highest-impact projects. CII is working on other infrastructure tools that can be useful for projects of all sizes.”
NCC’s Ritter said CII has been the big backer behind the larger movement, driving the formation of this coalition behind the OpenSSL audit while also supporting its other infrastructure and testing initiatives. OCAP was brought in specifically on the audit side to guide the auditing proposal and review process through the input of its technical advisory board.
“Auditing is important, but if that was the only thing the Core Infrastructure Initiative did, it wouldn’t be nearly as successful,” said Ritter. “There are a lot of components in the software development life cycle, and auditing fits in there along with things like regression testing, interoperability review, testing on different platforms, etc.”
Looking ahead to the task at hand, Ritter said the audit team wants to make an impact beyond fixing the immediate issues in OpenSSL. Cryptographic Services wants to release the tooling and test cases it develops during the audit so that others can run these experimental tools at scale against new and existing code, other open-source projects and other TLS stacks, helping to secure the broader Internet.
An audit on this scale creates opportunities for research and experimentation, and Ritter believed the coming changes to OpenSSL have the potential to affect not just Web servers but also embedded clients, the Internet of Things and other interconnected devices running the protocol. As more and more Internet-connected things are forced to deal with ever more sophisticated malware attacks, he said it is imperative to ensure client-side security is as strong as it can be.
“People have looked at OpenSSL before and reported bugs, but this is the first real overarching audit on a dedicated timeline to review portions of the codebase and audit it for security vulnerabilities,” said Ritter. “It complements a lot of the work that’s been done both in an ad hoc manner and by academic institutions, but the breadth and the scope of this audit is pretty unique, and as far as I’m aware, has never been done before on this scale for OpenSSL.”