HOME     MENU     SEARCH     NEWSLETTER    
CUSTOMER RELATIONSHIP MANAGEMENT NEWS. UPDATED 2 MINUTES AGO.
You are here: Home / Data Security / Fund Seeks To Head Off Heartbleeds
Build Apps 5x Faster
For Half the Cost Enterprise Cloud Computing
On Force.com
Tech Giants Fund Initiative To Prevent Future Heartbleeds
Tech Giants Fund Initiative To Prevent Future Heartbleeds
By Barry Levine / CRM Daily Like this on Facebook Tweet this Link thison Linkedin Link this on Google Plus
PUBLISHED:
APRIL
24
2014
Can more funding prevent Heartbleed vulnerabilities in future open-source software? A new Core Infrastructure Initiative at the Linux Foundation is attempting to find out.

More than a dozen major technology companies are backing the project. Participating firms will contribute $100,000 each per year for three years to the foundation. At launch, supporters include Google, Microsoft, Amazon, IBM, Facebook, Dell, Cisco, Intel, Rackspace and Fujitsu. A total of $4 million has reportedly been raised so far.

On its Web site, the Foundation said the project, "inspired by the Heartbleed OpenSSL crisis," will fund those Linux-based open source projects that the organization considers on the critical path for core computing capabilities.

Steering Group, Advisory Board

The widely used OpenSSL certainly qualifies on that score, since it is employed for the secure transmission of passwords and other data. A major flaw -- which allowed the encryption to be broken without leaving a trail -- was made public on April 7, two years after the error was inadvertently written into OpenSSL.

Overseeing the funds will be the foundation and a steering group, the latter which will consist of representatives from the tech companies, key open-source developers and others. The committee will select projects and developers, approve funding, oversee project roadmaps, and work to add additional members. There will also be an advisory board of key developers and industry stakeholders.

The funds are expected to be used for fellowships for key developers to devote their full-time efforts to the designated open-source project, as well as for security audits, computing and test infrastructure, travel, face-to-face meeting coordination, and other expenses. For the OpenSSL project, funds will also be used to improve responsiveness to patch requests.

'Smart and Not Too Late'

The foundation noted in an FAQ on its Web site that the shared code used in some open-source projects had "not received the level of support commensurate with their importance."

As an example, it noted that the OpenSSL project has, in past years, "received about $2,000 per year in donations." Although open source can produce "high-quality and highly secure software," the foundation said, there is an increased need for developer support because of the increased complexity of the software and the required interoperability with complex systems.

The foundation has previously been supplying funds for developers, including Linux creator Linus Torvalds, to similarly take care of the core Linux kernel. The initiative will be looking to help developers and existing open-source projects and communities, like the ones that have evolved around OpenSSL.

Al Hilwa, program director for Application Development Software research at IDC, told us that the Initiative was "smart and not too late." He added that it was "savvy of the foundation to put more resources into this," given that "what's needed is a good analysis of the code."

He added that, while "open source got a black eye [with Heartbleed], stuff like this happens in proprietary software as well," but we don't always hear about it.

Tell Us What You Think
Comment:

Name:

AuditThemAll:
Posted: 2014-04-24 @ 4:09pm PT
A good step in the right direction! While the relationship between money and quality is not linear, if $2000/year gets us OpenSSL as we know today, imagine what $200,000/year will get. Now it is important to keep the effort focused. Security audits, that's what the money should be spent on, and not only audit of Linux, or of Open Source software. if the proprietary guys open up to formalized audits, we will all be better off.

Like Us on FacebookFollow Us on Twitter
TOP STORIES NOW
MAY INTEREST YOU
High Quality CRM Data: Prevent, detect and fix errors at the point of data entry for Dynamics CRM. Trillium Software helps you achieve an accurate, synchronized, single view of customers. It's time to trust your data. Take a product tour and read CRM Analyst opinions here.
MORE IN DATA SECURITY
Product Information and Resources for Technology You Can Use To Boost Your Business
© Copyright 2014 NewsFactor Network, Inc. All rights reserved. Member of Accuserve Ad Network.