In an effort to stop the next Heartbleed, a group of tech giants has joined forces to fund critical open source projects under a program known as the Core Infrastructure Initiative. The Heartbleed bug was a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allowed the theft of information that, under normal conditions, is protected by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as Web, e-mail, instant messaging (IM) and some virtual private networks (VPNs).
The Core Infrastructure Initiative is a multi-million dollar project organized by The Linux Foundation to fund open source projects that are in the critical path for core computing and Internet functions. The Core Infrastructure Initiative’s first task will be OpenSSL, which fell prey to Heartbleed and caused panic across the Web.
The Core Infrastructure group will work with an advisory board of esteemed open source developers to identify and fund open source projects in need. Support from the initiative can include funding for fellowships for key developers to work full time on the open source project, security audits, computing and test infrastructure, travel, face-to-face meeting coordination and other support.
Essentially, organization members – which include Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, VMware and The Linux Foundation – will invest in open-source projects to make sure they get off the ground and are as secure as possible.
“We are expanding the work we already do for the Linux kernel to other projects that may need support. Our global economy is built on top of many open source projects. Just as The Linux Foundation has funded Linus Torvalds to be able to focus 100% on Linux development, we will now be able to support additional developers and maintainers to work full-time supporting other essential open source projects. We are thankful for these industry leaders’ commitment to ensuring the continued growth and reliability of critical open source projects such as OpenSSL,” said Jim Zemlin, executive director of The Linux Foundation.
Heartbleed was one of the worst Internet flaws ever uncovered. Maintenance of OpenSSL, which secures around two-thirds of the world’s websites, was done by a group of volunteers with very little funding. The new group set up by the Linux Foundation has a dozen contributors and has so far raised around $3m.
Here are the official statements by the founding members of the Core Infrastructure Initiative:
Amazon Web Services : “Open source software is important to organizations like AWS that deliver secure Internet experiences and services for customers,” said Steve Schmidt, Chief Information Security Officer, Amazon Web Services, Inc. “We are pleased to be part of the Core Infrastructure Initiative and to work with the Linux Foundation to foster continued innovation and security in key open source projects that can benefit us all.”
Cisco : “By creating the Core Infrastructure Initiative, the Linux Foundation has once again stepped up to the challenge of supporting open source projects at the heart of today’s Internet,” said Colin Kincaid, VP Product Management and Architecture, Cisco. “Supporting dedicated open source collaborators and contributors is vital to the success and growth of innovation.”
Dell : “Protecting and supporting the work of open source developers and the projects that provide the underpinning of the world’s technology infrastructure is of the highest priority,” said Don Ferguson, Software CTO and Sr. Fellow, Dell. “The Core Infrastructure Initiative gives the industry a way to do this effectively. We are proud to be involved in this very important work.”
Facebook : “Open source software makes today’s computing infrastructure possible. Facebook is excited to support these projects and the developers who maintain them. This initiative will help ensure that these core components of internet infrastructure get the assistance they need to respond to new threats and to reach new levels of scale,” said Doug Beaver, Engineering Director of Traffic & Edge, Facebook.
Fujitsu : “In the nearly two decades that Fujitsu has actively supported Linux, we have gained an understanding that open source software is an essential element of today’s computing infrastructure,” said Takashi Fujiwara, Head of Platform Software Business Unit, Fujitsu Limited. “We are keen to participate in the Core Infrastructure Initiative as it will enable us to more easily support critical open source projects and key developers of the world’s most important code.”
Google : “Google has been a longtime supporter of the Linux Foundation and open source in general, so we’re proud to join the Core Infrastructure Initiative. We believe that an open-source approach to online security will ensure that code is constantly improving, making the web a safer place for us all,” said Chris DiBona, Director of Engineering for Open Source at Google.
IBM : “The Linux Foundation is well positioned to manage this initiative to improve security for the open source community,” said Hira Advani, IBM Software Group Chief Security Compliance Officer. “IBM has a long history of supporting open source standards and thousands of IBM researchers, programmers and engineers around the world are contributing to this community. We look forward to working with the foundation and other founding members of the Core Infrastructure Initiative to better enable the open source community to meet the evolving needs of businesses and governmental organizations.”
Intel : “Intel is committed to support the development of open source technology and Linux,” said Imad Sousou, Intel vice president and general manager of the Intel Open Source Technology Center. “As an active and long-term contributor to the open source community, Intel believes the Core Infrastructure Initiative can help provide long-term, sustainable support to Linux, the world’s most important open source standard.”
Microsoft : “Security is an industry-wide concern requiring industry-wide collaboration. The Core Infrastructure Initiative aligns with our participation in open source and the advancement of secure development across all platforms, devices and services.” – Steve Lipner, partner director of software security, Microsoft.
NetApp : “We are pleased to support the important and timely Core Infrastructure Initiative, along with our industry partners,” said Dan Neault, Senior Vice President, Datacenter Solutions, NetApp. “Computer security is of paramount importance to our industry, and our participation reflects NetApp’s commitment to the open source community and the software that we each rely on every day in our business and personal lives.”
Rackspace : “We believe the Core Infrastructure Initiative will improve the security of the Internet,” said John Engates, CTO, Rackspace. “Open source code powers everything we do online. We look forward to working with the Linux Foundation, our other company partners, and the open source community to make sure these projects get the support they need.”
VMware : “The Core Infrastructure Initiative is critical. The new model of computing involves a set of choices for customers – on premise, off premise, hybrid – and we must ensure the safety and security across all of those environments,” commented Ray O’Farrell, senior vice president, Cloud Infrastructure R&D, VMware. “We welcome the opportunity to support and contribute to the success of open source and are eager to participate in the Core Infrastructure Initiative.”