VIDEO: Why $3.6 million to prevent next Heartbleed isn’t enough

By Byron V. Acohido

A dozen tech behemoths — led by Microsoft, IBM, Google, Intel and Cisco — have stepped forward with cold, hard cash to prevent the next Heartbleed.

Each has pledged $100,000 annually for the next three years to a war chest earmarked to fund improvements of open source technology.

That’s a collective pledge of $3.6 million, through 2016, set aside in something called the Core Infrastructure Initiative, administered by The Linux Foundation.

Heartbleed is a simple, yet profound, coding flaw found in the widely used open source OpenSSL SSL/TLS library. At the end of the day, Heartbleed may force virtually all cryptographic keys and digital certificates underpinning Internet commerce to be replaced.

Heartbleed is a loud reminder that the commercial Internet wouldn’t be what it is today without open source computing code that is created and continually improved by volunteer programmers worldwide.

Historical context: How Linux beat Microsoft in Munich

The Heartbleed flaw underscores how half of the world’s Web servers have come to rely on a protocol developed by an open source project built largely on altruistic goodwill.

Because it’s free, open source core technology has become central to the hardware, software and services that make up our online world. Those systems, in turn, drive multi-billions in sales and profits to the Big 12. From that view, this funding from the Big 12 is long overdue and comparatively minuscule. The other seven contributors: Amazon Web Services, Facebook, Dell, Fujitsu, NetApp, Rackspace, and VMware.

“This is a great step in the right direction and a major nod to the importance of open source by some of the biggest vendors in the world,” says Mike Ellis, CEO and co-founder of ForgeRock, which supplies Identity Relationship Management systems. “The amount of money is without a doubt the secondary story here as it will have a small impact in the near term. It would be great to see even a greater embrace and investment in these types of initiatives by the big players.”

Kevin Bocek, VP of security strategy & threat intelligence at Venafi, concurs: “The trust in our digital world has been shattered, and the mechanisms intended to protect the Internet are still vulnerable. This consortium is a good start, but doesn’t go far enough.”

Some in the tech community believe that it’s long overdue for the tech giants that have profited richly from open source systems to make material investments in shoring up the dikes. The Internet at its core will always be a military-academic experiment in anonymous, distributed computing that was never intended to serve as secure infrastructure for global commerce.

“Our dependence on software requires development to be dynamic, distributed, and customized,” says Bocek. “This increasing dependence also requires security to be core to development processes and not an afterthought. Code becomes more trusted with increased visibility and input, and getting the brightest people together to identify software bugs and vulnerabilities is powerful.”

From that view, $3.6 million over three years from the Big 12, while welcome, is a mere pittance. It means that opportunities will open up for third-party security vendors and start-ups to fill the gap.

“In addition to supporting open source projects we recommend that more businesses look at commercial open source options and investment in commercial open source start-ups,” observes Ellis. “Unlike an open source initiative, commercial open source vendors are dedicated to providing production-ready and tested open source offerings. These go way beyond what typical open source projects do and they invest a great deal of money in building stable, next-generation platforms.”

Ellis asserts that the rise of commercial open source technologies will “unhinge the open source world from proprietary companies that may have different competitive interests compared to the open source community which is focused on driving better and better innovations. The market decides what open source offerings have the best viability rather than the proprietary incumbent.”
