Stop laying the blame for Heartbleed on open source

Simon Phipps | InfoWorld | April 14, 2014

Security experts acknowledge that open source is the best model for crypto, so how do we drive improvements to the model for creating security-critical infrastructure?

I've spent the last week considering the data and opinions concerning the Heartbleed bug that was found in the widely used OpenSSL cryptography library. OpenSSL is an open source project, so the occurrence of the bug has created an opportunity for many to decry the weakness of open source with shallow comments like: "The Heartbleed flaw, introduced in early 2012 in a minor adjustment to the OpenSSL protocol, highlights one of the failings of open source software development."

I disagree with this profoundly. As Eric Raymond points out:

[O]ne thing conspicuously missing from the downshouting against OpenSSL is any pointer to a closed-source implementation that is known to have a lower defect rate over time.

Fortunately, the knee-jerk attacks on open source have been few, with most opinions tempered by the observation that OpenSSL is widely used because it is broadly the right solution for most programmers needing a TLS library. But a more thoughtful article in Wired still lists a series of potential criticisms of open source that could equally apply to proprietary code in the same roles...