Sonatype Selected by Equifax to Support OS Governance Press Release

blog-logo Sonatype Blog

Heartbleed: The Open Source Vulnerability that Keeps on Giving (and Taking)

June 12, 2017 By Matt Howard

Disclosed in April 2014, Heartbleed is the vulnerability gift that keeps on giving to some -- and taking away from others.  The latest example of this dynamic surfaced today when ICO, the UK's data regulator, levied a £100,000 fine against the Gloucester City Council for poor hygiene which resulted in the theft of employees personal information.

According to this article, the hackers took advantage of a software flaw in Gloucester City Council's website to download more than 30,000 emails from the council's mailboxes which contained financial and sensitive information about council staff.

ICO stated the hacker exploited the Heartbleed security bug within OpenSSL.  But here's the problem for Gloucester City Council, a fixed version of OpenSSL was released on April 7, 2014, on the same day Heartbleed was publicly disclosed.  The implication is that Gloucester and their IT outsourcing partner did nothing for months to patch the vulnerability -- even though a fix was readily available.  Thus Heartbleed is taking £100,000 from the council more than 3 years after the fact.

iStock-506009064.jpg

ICO's report found that the council and it's IT outsouring partner guilty of "serious oversight" which left staff's emails open to attack months after Heartbleed had been disclosed and patched.  ICO's investigation found the council did not have sufficient open source governance controls to ensure that defective components are found and fixed as soon as possible whenever a zero day vulnerability is announced.  Haertbleed, as a result, is giving £100,000 to ICO coffers.

Companies today face tremendous pressure to innovate faster.  Thus, demand for open source components is growing exponentially.  In the Java ecosystem alone developers requested 17 billion components from the Central Repository in 2014, 31 billion in 2015, and 52 billion in 2016.  Demand for JavaScript components is even stronger.  In 2016 developers requested 59 billion components from the npm registry -- a 262% year-over-year growth.

Truth be told -- open source software components form the foundation for 80 - 90% of every modern software application.  So, in order to prevent another zero day vulnerability like Heartbleed from wreaking havoc --  enteprises are embracing new types of tools to automate open source governance and actively managing how components flow through their software supply chains.

Tags: #OSSsecurity, heartbleed

Written by Matt Howard

Matt is a proven executive and entrepreneur with over 20 years experience developing high-growth software companies, at Sonatype, he leads corporate marketing, strategic partnering, and demand generation initiatives.