News and Notes from the Makers of Nexus | Sonatype Blog

Heartbleed: The open source vulnerability that keeps on giving (and taking)

Written by Matt Howard | June 12, 2017

Disclosed in April 2014, Heartbleed is the vulnerability gift that keeps on giving to some and taking away from others. The latest example of this dynamic surfaced today when the Information Commissioner's Office (ICO), the UK's data regulator, levied a £100,000 fine against the Gloucester City Council for poor hygiene which resulted in the theft of employees personal information.

According to this article, the hackers took advantage of a software flaw in Gloucester City Council's website to download more than 30,000 emails from the council's mailboxes which contained financial and sensitive information about council staff.

ICO stated the hacker exploited the Heartbleed security bug within OpenSSL. But here's the problem for Gloucester City Council: a fixed version of OpenSSL was released on April 7, 2014, on the same day Heartbleed was publicly disclosed. The implication is that Gloucester and their IT outsourcing partner did nothing for months to patch the vulnerability even though a fix was readily available. Thus Heartbleed is taking £100,000 from the council more than three years after the fact.

ICO's report found that the council and it's IT outsourcing partner guilty of "serious oversight" which left staff's emails open to attack months after Heartbleed had been disclosed and patched. ICO's investigation found the council did not have sufficient open source governance controls to ensure that defective components are found and fixed as soon as possible whenever a zero-day vulnerability is announced. Heartbleed, as a result, is giving £100,000 to ICO coffers.

Companies today face tremendous pressure to innovate faster. Thus, demand for open source components is growing exponentially. In the Java ecosystem alone developers requested 17 billion components from the Central Repository in 2014, 31 billion in 2015, and 52 billion in 2016. Demand for JavaScript components is even stronger. In 2016 developers requested 59 billion components from the npm registry -- a 262% year-over-year growth.

Truth be told -- open source software components form the foundation for 80 - 90% of every modern software application. So, in order to prevent another zero-day vulnerability like Heartbleed from wreaking havoc -- enterprises are embracing new types of tools to automate open source governance and actively managing how components flow through their software supply chains.