However, awareness is just one issue. Months after Heartbleed broke, I wrote of several further vulnerabilities in OpenSSL that had also emerged. Although each vulnerability discovered is theoretically a vulnerability fixed, it highlights the fact that this is still much work to be done. This is particularly true of open source software.
Open source software has several major benefits and will be around for a long time yet, but vulnerabilities such as Heartbleed demonstrate that there is risk and responsibility for all of us to protect the systems we have come to rely on.
Why has there been so little progress in securing OpenSSL and similar open source systems since Heartbleed appeared?
In my opinion, the issue lies within the very nature of open source software. OpenSSL is incredibly useful and has been adopted throughout the world, but how many people pay for OpenSSL, or donate time and money to keep it functional and secure? Not so many.
The OpenSSL Project does a great job finding and fixing vulnerabilities when they appear but in order to truly move the dial for Internet security, we need more investment.
Right now, the hands of the world’s online safety is in the hands of only a few coders working in small teams. That simply won’t do.
In April last year I wrote a blog highlighting a number of ways that we can all work together to improve the security of open source software.
Ultimately, it comes down to the fact that vulnerabilities will always exist; it’s up to all of us to take responsibility for our security.