
OpenSSL faces major security audit post-Heartbleed

OpenSSL is set to receive its first major security audit since the Heartbleed bug was uncovered last April, prompting a slew of patches from many of the biggest companies on the web.

The scheme is being paid for out of the Linux Foundation’s Core Infrastructure Initiative fund, worth $1.2m (£800,000), and will be conducted by NCC Group’s Cryptography Services, which recently investigated the security of TrueCrypt, the encryption software used by Edward Snowden.

A statement released by Cryptography Services said: "This audit had been mentioned before, absent details, but with the effort OpenSSL has been making we finally feel the codebase is stable enough to announce and undertake this now.

"OpenSSL has been reviewed and improved by the academic community, commercial static analyser companies, validation organisations, and individual review over the years – but this audit may be the largest effort to review it, and is definitely the most public."


According to the auditors, the primary focus of the scheme will be the Transport Layer Security (TLS) stacks, TLS being the protocol designed to replace SSL as the security layer.

"While the audit won’t cover every single corner of the codebase, we believe it will be a useful component of the broader efforts being undertaken to improve OpenSSL’s engineering and security," Cryptography Services added.

"This is a fairly large audit, so we expect the preliminary results to start coming out towards the beginning of the summer after we coordinate with the OpenSSL team."

Other projects in the Core Infrastructure Initiative include a survey of hundreds of open source projects aimed at making the Internet more secure.

This article is from the CBROnline archive: some formatting and images may not be present.