Heartbleed Prompts Open Source Donation From Cisco, Other Tech Giants


At least a dozen technology firms have agreed to donate millions to the Linux Foundation to fund core infrastructure improvements, beginning with bolstering OpenSSL, the open source cryptographic library (not a messaging protocol) in which the Heartbleed vulnerability was found.

The tech firms agreed to make a $3.6 million investment over the next three years, a spokesperson for the organization told CRN on Thursday. The multiyear funding project begins with a dozen founding backers, including Amazon Web Services, Cisco Systems, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace and VMware. Each founding member committed to paying $100,000 per year for the next three years.

"There is no decision on how much OpenSSL or any other project will receive," the spokesperson said.

[Related: Five Essential Facts About Heartbleed And OpenSSL]

The companies were prompted to donate to the organization by the fallout from the Heartbleed vulnerability, a critical flaw that sent IT teams scrambling to patch open source web servers and other systems. Technology firms are still issuing updates for potentially millions of networking devices that shipped with the vulnerable OpenSSL code.

The organization called the funding a significant improvement and a much-needed injection of money to help speed improvements. In previous years, the OpenSSL project had received about $2,000 per year in donations for support. The coding error behind the Heartbleed flaw had been present in the library's code for about two years before it was disclosed.

The funding will be used to support fellowships for developers to work full time on open source projects, security audits, computing and test infrastructure, travel, face-to-face meeting coordination and other support, the organization said. The Linux Foundation will administer the funds along with a steering group comprised of backers of the project, the organization said. Key open source developers and other industry stakeholders also will be involved.

"We are expanding the work we already do for the Linux kernel to other projects that may need support," said Jim Zemlin, executive director of The Linux Foundation, in a statement. "Our global economy is built on top of many open source projects. Just as The Linux Foundation has funded Linus Torvalds to be able to focus 100% on Linux development, we will now be able to support additional developers and maintainers to work full time supporting other essential open source projects."

The Heartbleed bug was found in a variety of networking gear, including equipment from Cisco Systems and Juniper. Solution providers told CRN that they have been working with clients to check their systems for the flaw. Researchers at Mandiant found the flaw being used against commercially available VPN appliances and identified a way it could be used to bypass two-factor authentication, a finding that is concerning, said Justin Kallhoff, CEO of Lincoln, Neb.-based network security systems integrator Infogressive.

"You don't want an attacker being able to hijack a VPN session in any organization," Kallhoff said. "They'll look like a legitimate user unless unusual activity is detected."

Infrastructure, platforms and communication systems are growing significantly more complex, and many systems suffer from an architectural design that relies on bolting on security after the fact, said John N. Stewart, senior vice president and chief security officer of Cisco. Speaking at the Bloomberg Enterprise Summit on Thursday, Stewart said high-profile data breaches and security issues, such as the critical OpenSSL flaw, have prompted board-level discussions about information security at many organizations.

"I think that they are expecting that if they get breached, they are going to be prompted to discuss it," Stewart said.

Also speaking at the summit, Mark Roenigk, chief operating officer at Rackspace, said he has seen a significant number of businesses that are considering adopting its cloud services express concern about security and ask questions about transparency and underlying processes. Data security is a top concern, with firms choosing to adopt stronger security measures around core financial data and other sensitive information, he said.

"You have to have a base level of security," Roenigk said. "Typically, an enterprise customer will have their mission-critical, internal ERP systems in a dedicated customer environment."

PUBLISHED APRIL 24, 2014