OpenSSL Project publishes roadmap to counter criticism
The project plans to implement code reviews, fix poor coding and have better documentation
IDG News Service - The OpenSSL Project is planning a number of changes to ensure its security component, used across millions of computers across the Internet, is in tip-top shape.
OpenSSL is an open-source code library that encrypts communications between a computer and a server using SSL/TLS (Secure Sockets Layer/Transport Layer Security). It is a fundamental defense for keeping e-commerce transactions, email and other data unreadable if the traffic is intercepted.
Confidence in OpenSSL was shaken in April after a two-year-old software vulnerability called "Heartbleed" was discovered that could allow an attacker to decrypt intercepted traffic or obtain data such as logins and passwords from servers.
The project has since come under heavy scrutiny, with critics noting the project was meagerly funded and staffed despite OpenSSL's wide use in a variety of software.
OpenSSL's roadmap is intended to counter the view that it is "slow-moving and insular," according to a post on the project's website.
Among the ongoing problems that the project plans to fix are a lack of code reviews, an inconsistent coding style, poor documentation, no platform strategy and no regular release cycle, according to the roadmap.
The group also plans to look at a large number of issues raised in its bug tracking system, many of which have never been reviewed.
Frustration with the OpenSSL Project led to the launch of a fork of the project called LibreSSL, which has been fixing bugs and rewriting bumpy parts of the OpenSSL code.
Google also announced it is developing its own fork of the software called "BoringSSL" that is more appropriate for its own projects. The company plans to strip out unneeded APIs (application programming interfaces) and ABIs (application binary interfaces) included in OpenSSL.
Google said it planned to share information on bugs it finds with LibreSSL and the OpenSSL Project.
Major technology companies also realized the need to shore up the OpenSSL Project, which the companies will support under the Core Infrastructure Initiative, a project designed to aid underfunded but important open-source projects.
Send news tips and comments to firstname.lastname@example.org. Follow me on Twitter: @jeremy_kirk
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Platfora Big Data Analytics for Network Security Platfora amplifies the effectiveness of network security analysis, providing Big Data Analytics capability to augment existing security infrastructure for known threats, and advanced...
- Big Data, Big Mess: Sound Risk Intelligence Through Complete Context This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- Using Cyber Insurance and Cybercrime Data to Limit Your Business Risk This paper examines the challenges of understanding cyber risks, the importance of having the right cyber risk intelligence, and how to use this...
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Cyberwarfare White Papers | Webcasts