Unless you’ve been living under a rock for the last couple of days you will have noticed a bit of a kerfuffle about a vulnerability in OpenSSL. One of the more notable parts of this story has been the wide variety of large companies who have been seriously affected by the problem.
This led me to thinking about the fact that a lot of very large profitable corporations are essentially relying on software that they haven’t purchased and which, I doubt, many of them have good security assurance over.
First question: how many billion-dollar companies rely on OpenSSL for secure communications?
Second question: how many of those same companies have sponsored a security review of OpenSSL over the last two years?
Now I don’t know the exact answer to either of these questions, but I’m willing to wager that the first is a lot higher than the second.
The real question then becomes, should corporations who rely on open source software be taking an active part in ensuring the security of that software?
Well, I’m a security guy, so obviously I say yes :-) It seems obvious that if you rely on something, you have an interest in the quality of that software…