IT leadership placing too much trust in Heartbleed fixes?

IT leaders are missing the real point of the Heartbleed OpenSSL bug, says Evan Schuman in a column.

“Viewed properly, Heartbleed is a gift to IT: an urgent wake-up call to fundamental problems with how Internet security is addressed. If the call is heeded, we could see major improvements,” Schuman writes.

The problem as Schuman sees it is that the responses so far have mainly been a matter of doing patches, installing new certificates and changing passwords. While these steps are needed and positive, they may leave IT leaders with a false sense of security.

Schuman says that IT leaders are failing to draw Heartbleed’s most urgent lesson: that the way the security of mission-critical software is handled has to change.

The vast destructive potential represented by Heartbleed arose from a “trivial” oversight. A developer working on improvements to OpenSSL simply forgot to validate a variable containing a length. The slip-up also got past reviewers, despite the fact that the code was in a “security-relevant area.”
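The length check the paragraph describes is the whole defence. As an added illustration (not code from Schuman's column or from OpenSSL), the C below parses a simplified heartbeat-style record, modelled loosely on the RFC 6520 layout of a 1-byte type, a 2-byte big-endian payload length, the payload and at least 16 bytes of padding, and refuses to copy a single byte until the sender's declared length has been compared against the number of bytes actually received. The function names, the layout constants and the two sample records are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed wire layout for this example (simplified heartbeat record):
 * 1-byte type, 2-byte big-endian payload_length, payload, >=16 bytes padding. */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Return 0 and set *payload_len when the declared length fits inside the
 * bytes actually received; return -1 otherwise.  The comparison is made
 * against rec_len (what arrived), never against the sender's claim alone. */
int hb_validate(const uint8_t *rec, size_t rec_len, size_t *payload_len)
{
    if (rec == NULL || rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;                 /* too short to hold header plus padding */

    size_t declared = ((size_t)rec[1] << 8) | rec[2];

    /* rec_len >= 19 here, so the subtraction cannot underflow. */
    if (declared > rec_len - HB_HEADER_LEN - HB_MIN_PADDING)
        return -1;                 /* claimed payload exceeds the record */

    *payload_len = declared;
    return 0;
}

/* Copy the payload into out only after hb_validate has bounded it.
 * Returns bytes copied, or -1 if the record is rejected or out is too small. */
long hb_echo_payload(const uint8_t *rec, size_t rec_len,
                     uint8_t *out, size_t out_len)
{
    size_t n;
    if (hb_validate(rec, rec_len, &n) != 0 || n > out_len)
        return -1;
    memcpy(out, rec + HB_HEADER_LEN, n);
    return (long)n;
}

/* Constructed sample records, not captured traffic. */
static const uint8_t good_rec[] = {
    0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
/* Same bytes, but the length field claims 0xFFFF bytes of payload. */
static const uint8_t bad_rec[] = {
    0x01, 0xFF, 0xFF, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    uint8_t out[64];
    long n = hb_echo_payload(good_rec, sizeof good_rec, out, sizeof out);
    printf("good record: %ld payload bytes copied\n", n);
    n = hb_echo_payload(bad_rec, sizeof bad_rec, out, sizeof out);
    printf("bad record: %s\n", n < 0 ? "rejected" : "accepted");
    return 0;
}
```

The design point is that the declared length is treated as untrusted input and bounded by the received length before any copy; a reviewer checking code in a security-relevant area should look for exactly that comparison, and a unit test feeding an inflated length field (like bad_rec) is the cheap safety mechanism the column argues was missing.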

The oversight has had decidedly non-trivial results, and Schuman believes the fallout should be a wake-up call for IT leaders everywhere.

“The massive planet-destroying problem is that our safety mechanisms for simple math errors are all but nonexistent,” he writes. “If our checks and balances are so fragile that a typo can obliterate all meaningful security, we have some fundamental things to fix.”

Schuman says the fundamental problem may be excessive trust on the part of IT security managers, and quotes David Schoenberger, CIO of security vendor Transcertain, to make his point.

“This is going to make people rethink what we’re doing,” Schoenberger says. “There are so many things overlooked, taken for granted. In the IT world, we’ve relied on the trust factor for so long.”

Schoenberger points to the way IT managers in even very large enterprises simply count on peer-reviewed open source software to be secure, without taking time to check it out properly.

“Because something mostly works and, as far as perception goes, it works well, it passes all our tests,” Schoenberger says. “It sucks the way testing is occurring right now with open source. But I won’t even limit it to open source, as this could have happened to a commercial provider. Could have happened to anyone.”

Andrew Brooks
Andrew Brooks is managing editor of IT World Canada. He has been a technology journalist and editor for 20 years, including stints at Technology in Government, Computing Canada and other publications.
