e-testing Blog

Heartbleed and the Testing of Open Source Software

In April, Heartbleed made worldwide headlines as it became apparent that up to 17 percent of secure web servers and trusted authorities on the Internet were vulnerable to a major security flaw. Heartbleed refers to a security bug in the OpenSSL cryptography library, which is a common implementation of the Transport Layer Security (TLS) protocol. As a result of the bug, private keys, users' session cookies and passwords were vulnerable to being accessed by hackers.

The BBC referred to the Heartbleed bug as one of the “biggest security issues to have faced the Internet to date.” The bug was an important wakeup call to web servers using open source software about the importance of software testing and mitigating the risks associated with protecting sensitive data. 

Heartbleed Shows the Importance of Software Testing

Heartbleed is a security vulnerability that has been formally identified as CVE-2014-0160. The vulnerability was independently discovered in late March and in early April, although it had existed for years prior to discovery. The security bug was caused by a well-known general weakness that is classified as a buffer over-read (CWE-126). The Heartbleed bug was not inserted intentionally but occurred because one coder made a simple mistake while creating the open source code.

Although the bug existed in the open source code for a long time, most widely used static analysis tools were not able to find the vulnerability, and dynamic analysis did not identify the problem because it cannot fully test any program in human-relevant timetables.

Comprehensive software testing protocols could have identified the problem sooner. Heartbleed could potentially have been identified by fuzz testing, which is a process that involves generating pseudo-random inputs and sending the inputs to the program in order to see if something undesirable occurs. Thorough negative testing in test cases may also have been a potential solution for identifying the vulnerability.  Other potential approaches to testing the open source software that could have made a difference include context-configured source code weakness analysers; 100 percent branch coverage of alternative implementations; and aggressive run-time assertions.
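The following added example (not OpenSSL code and not from the original post) shows how a negative-testing loop with a run-time invariant exposes a buffer over-read of the kind described above. The record layout, the function names `echo_reply` and `fuzz_echo`, and the 256-byte arena are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ARENA 256 /* constructed: record buffer plus the memory next to it */

/* Constructed record: 2-byte big-endian claimed length, then the payload.
 * rec_len is the number of bytes actually received. Returns bytes echoed
 * into out, or -1 if rejected. check_len=0 models the missing bounds
 * check; check_len=1 compares the claimed length with what arrived. */
int echo_reply(const uint8_t *rec, size_t rec_len, uint8_t *out,
               size_t out_cap, int check_len)
{
    if (rec_len < 2) return -1;
    size_t claimed = ((size_t)rec[0] << 8) | rec[1];
    if (check_len && claimed > rec_len - 2) return -1;
    if (claimed > out_cap) return -1;
    memcpy(out, rec + 2, claimed); /* unchecked: may read past the record */
    return (int)claimed;
}

/* Negative-test loop: the length field is chosen independently of the
 * payload really sent. Counts replies longer than the received payload.
 * The record sits at the start of a 256-byte arena, so even the unchecked
 * copy stays inside memory this harness owns. */
int fuzz_echo(uint32_t seed, int iterations, int check_len)
{
    uint8_t arena[ARENA], out[ARENA];
    uint32_t x = seed;
    int violations = 0;
    for (int i = 0; i < iterations; i++) {
        memset(arena, 0xA5, sizeof arena);     /* stand-in for adjacent data */
        x = x * 1664525u + 1013904223u;        /* small LCG, deterministic */
        size_t payload = (x >> 8) % 32;
        x = x * 1664525u + 1013904223u;
        size_t claimed = (x >> 8) % (ARENA - 2);
        arena[0] = (uint8_t)(claimed >> 8);
        arena[1] = (uint8_t)(claimed & 0xff);
        memset(arena + 2, 'p', payload);
        int n = echo_reply(arena, payload + 2, out, ARENA - 2, check_len);
        if (n > (int)payload) violations++;    /* invariant: reply <= received */
    }
    return violations;
}
```

Running `fuzz_echo` with `check_len` set to 0 reports invariant violations, while the same inputs with `check_len` set to 1 report none.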

OpenSSL, however, reportedly relies on approximately £1,200 a year in donations as well as income from commercial work-for-hire contracts. There was no comprehensive testing plan in place and no mechanism to identify vulnerabilities despite the widespread use of the OpenSSL cryptography library.

Major technology companies have now pledged money to fund the Core Infrastructure Initiative according to the Washington Post, and companies will decide which open source projects to fund. OpenSSL is the first that will be funded and the money will be used to pay for security audits and infrastructure testing, among other things. 

Determining the type of software testing that is necessary for any given project can be difficult, and the process of conducting the most appropriate tests can often be time-consuming.  As a software testing consultancy, e-testing are able to help your organisation develop and conduct the necessary testing to reduce vulnerabilities and security risks.  
