
4 Update Issues for Open Source Software
Pages 24-29



From page 24...
... CII was created after the 2014 Heartbleed bug found in OpenSSL, which left approximately 70 percent of the HTTPS services on the Internet vulnerable to security breaches of sensitive information. The Heartbleed bug was eventually patched, but 7 percent of Internet servers today are still vulnerable to Heartbleed, despite the fact that the patch was released 3 years ago and was considered a critical security vulnerability.
From page 25...
... In addition to supporting outside projects and providing training, CII also builds its own programs to develop more secure software and to improve security practices across the Internet, both for software they consider to be core infrastructure and for open source projects generally, because, as van Someren noted, "We don't necessarily know what will be core infrastructure in a few years' time." As an example, he pointed to the fact that Node.js (a platform for building network applications) is the most active open source code used right now, although 5 years ago no one would have predicted that JavaScript would be so widely used in this context.
From page 26...
... Open-source software is not one monolithic entity, and it is deeply embedded across commercial open-source software, numerous operating systems, and other crucial products, making the challenges of open-source community software updates both diverse and pervasive. There is no one-size-fits-all solution, van Someren said, "because pretty much every project has its own unique way of doing things."
From page 27...
... In the discussion, Forum Chair Fred Schneider reiterated the sense that fear of system destabilization is a main reason users may ignore updates. Van Someren noted that several Linux distributions do offer rollbacks if an update causes destabilization.
From page 28...
... In the discussion, Bob Blakley, CitiGroup, Inc., delved deeper into how companies could potentially be convinced to get on board with the idea of code escrow. Noting that the Dodd-Frank bill required financial institutions to set aside capital in case of emergencies, he speculated that regulations requiring software firms to escrow code on the basis of public interest might be worth considering.
From page 29...
... The best outcome, in van Someren's view, would be to get the industry's buy-in on such a program before approaching the Federal Trade Commission and asking it to "put some teeth behind it." One other possible mechanism for protecting consumers from the dangers of outdated IoT devices, van Someren suggested, is to take advantage of what's known as a watchdog, a system configured to detect critical failures and trigger a complete reset of the system. In this vein, software updates could be seen as "food to feed the watchdog," allowing a device to maintain its Internet connectivity.

