Call for more specialist code reviewers after new OpenSSL vulnerability found

University of Ulster's Kevin Curran tells Computing that code reviewers need to think like hackers

Further critical vulnerabilities have been found in the OpenSSL web encryption standard – which was at the centre of the recent Heartbleed scare – leading one expert to call for better review practices surrounding open source code.

Heartbleed was found to allow "anyone on the internet" to read the memory of systems protected by "vulnerable versions" of OpenSSL, without even leaving a trace that they were there.

Now a new flaw in the code could potentially be used to snoop on people's communications, leading Tatsuya Hayashi, one of the researchers who discovered the bug, to describe it as possibly "more dangerous than Heartbleed".

Google, Facebook, Yahoo and Amazon are among the major technology firms that use OpenSSL. The error in the code was discovered during work to secure it against the Heartbleed bug.

The latest OpenSSL vulnerability has existed since 1998, undetected by the full-time and voluntary developers working on the code for 16 years.

The fact that the vulnerability was left for so long without being discovered led Kevin Curran, senior member of IEEE and senior lecturer in computer science at the University of Ulster, to call for more guidance over review practices for the open source code.

"What this latest flaw illustrates again is the need for specialised code review practices to be in place. Of late there has been momentum towards establishing software building codes and enforcing these codes with an army of unpaid inspectors, but that may be a long way into the future, if at all," he told Computing.

Curran also called for those reviewing the code to have a good understanding of the type of vulnerabilities a hacker looks for.

"The 'many eyes' phenomenon, where it is believed that the more people who look at code, the more likely that bugs will be identified, is also showing itself to be a flawed model," he said.

"OpenSSL is open source, so this flaw here has been in open source code for over 15 years. What it does show is that those who inspect code for flaws must understand the actual code and the protocols used, and then step back and look at it through a hacker's eyes.

"This vulnerability arose because the researcher understood the protocol handshake and surrounding fix added by OpenSSL and identified the weakness," Curran added.