OpenSSL Project publishes roadmap to counter criticism
The project plans to implement code reviews, fix poor coding and have better documentation
IDG News Service - The OpenSSL Project is planning a number of changes to ensure its security component, used across millions of computers across the Internet, is in tip-top shape.
OpenSSL is an open-source code library that encrypts communications between a computer and a server using SSL/TLS (Secure Sockets Layer/Transport Layer Security). It is a fundamental defense for keeping e-commerce transactions, email and other data unreadable if the traffic is intercepted.
Confidence in OpenSSL was shaken in April after a two-year-old software vulnerability called "Heartbleed" was discovered that could allow an attacker to decrypt intercepted traffic or obtain data such as logins and passwords from servers.
The project has since come under heavy scrutiny, with critics noting the project was meagerly funded and staffed despite OpenSSL's wide use in a variety of software.
OpenSSL's roadmap is intended to counter the view that it is "slow-moving and insular," according to a post on the project's website.
Among the ongoing problems that the project plans to fix are a lack of code reviews, an inconsistent coding style, poor documentation, no platform strategy and no regular release cycle, according to the roadmap.
The group also plans to look at a large number of issues raised in its bug tracking system, many of which have never been reviewed.
Frustration with the OpenSSL Project led to the launch of a fork of the project called LibreSSL, which has been fixing bugs and rewriting bumpy parts of the OpenSSL code.
Google also announced it is developing its own fork of the software called "BoringSSL" that is more appropriate for its own projects. The company plans to strip out unneeded APIs (application programming interfaces) and ABIs (application binary interfaces) included in OpenSSL.
Google said it planned to share information on bugs it finds with LibreSSL and the OpenSSL Project.
Major technology companies also realized the need to shore up the OpenSSL Project, which the companies will support under the Core Infrastructure Initiative, a project designed to aid underfunded but important open-source projects.
Send news tips and comments to email@example.com. Follow me on Twitter: @jeremy_kirk
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Platfora Big Data Analytics for Network Security Platfora amplifies the effectiveness of network security analysis, providing Big Data Analytics capability to augment existing security infrastructure for known threats, and advanced...
- 5 Ways Dropbox for Business Keeps Your Data Protected Protecting your data isn't a feature on a checklist, something to be tacked on as an afterthought. Download here to find out how...
- What is this "File Sync" Thing and Why Should I Care About It? All of a sudden, getting a file from your work laptop to your iPad became as simple as clicking "Save." So it's no...
- Charting Your Analytical Future - "Making predictive analytics part of your business processes" Webinar This session will show how predictive analytics can be used throughout the organization by anyone looking for answers and how organizations can make...
- On-demand webinar - 7 Keys to Service Catalog Implementation Success Watch this webinar to learn 7 crucial keys to make your service catalog a success! All Cyberwarfare White Papers | Webcasts