A massive OpenSSL Security Audit funded by Linux Foundation

NCC Group will audit OpenSSL and its TLS implementation to help avoid Heartbleed-like vulnerabilities.

The conducting team

This mid-spring saw the launch of the largest security audit of OpenSSL to date, and it will probably continue until the summer. The audit is paid for by the Linux Foundation’s Core Infrastructure Initiative and coordinated by NCC Group’s Cryptography Services, a leading worldwide information assurance company.

This is a public audit of an open-source piece of software on an unprecedented scale, and it requires a major effort to accomplish. According to Open Hub (www.openhub.net), the project currently has 447.247 lines of code written in 14 programming languages. OpenSSL is developed, upgraded and reviewed by a team of people from different fields, from academia to individual developers. This will be the first time this open-source software undergoes such a large and public review.

Plan of actions

Over a period of several months, Cryptography Services, the OpenSSL team and the Open Crypto Audit Project collaborated to develop an action plan for the audit.

The plan identifies the essential parts of the code that will be included in the audit and those that will not. The auditing team will use both automated tooling and manual review in parallel.

The audit’s coordinating team will focus its attention, among other areas, on TLS, memory handling and the cryptographic algorithms.

This investigation is part of the strategy promoted by the Linux Foundation, the OpenSSL team and the Linux Foundation’s Core Infrastructure Initiative to identify and correct the shortcomings in open-source implementations of web-security protocols.

The outcome results

This kind of audit is costly, and it does not guarantee that all problems in the code will be uncovered. The results of the audit will be applied to OpenSSL and to other SSL/TLS implementations, such as OpenBSD’s LibreSSL.

The audit’s conducting team set out not only to fix OpenSSL’s issues, but also to produce test cases that others can use on existing code, new programs and open-source projects, and thereby to improve Internet security.

This is essential to ensuring end-users’ online security in a world of frequent malicious actors and malware attacks.