Disclosed in April 2014, Heartbleed is the vulnerability gift that keeps giving to others. The latest example of this dynamic surfaced today when the Information Commissioner's Office (ICO), the UK's data regulator, levied a £100,000 fine against the Gloucester City Council for poor hygiene, which led to the theft of employees' personal information.
According to this article, hackers took advantage of a software flaw in Gloucester City Council's website to download more than 30,000 emails from the council's mailboxes, which contained financial and sensitive information about council staff.
ICO stated the hacker exploited the Heartbleed security bug within OpenSSL. But here's the problem for Gloucester City Council: a fixed version of OpenSSL was released on April 7, 2014, on the same day Heartbleed was publicly disclosed. The implication is that Gloucester and their IT outsourcing partner did nothing for months to patch the vulnerability, even though a fix was readily available. Thus, Heartbleed is taking £100,000 from the council more than three years after the fact.
ICO's report found that the council and its IT outsourcing partner were guilty of "serious oversight", which left staff's emails open to attack months after Heartbleed had been disclosed and patched. ICO's investigation found the council did not have sufficient open source governance controls to ensure that defective components are found and fixed as soon as possible whenever a zero-day vulnerability is announced. Heartbleed, therefore, is giving £100,000 to ICO coffers.
Companies today face tremendous pressure to innovate faster. Thus, demand for open source components is growing exponentially. In the Java ecosystem alone, developers requested 17 billion components from the Central Repository in 2014, 31 billion in 2015, and 52 billion in 2016. Demand for JavaScript components is even stronger. In 2016 developers requested 59 billion components from the npm registry -- a 262% year-over-year growth.
Truth be told, open source software components form the foundation for 80 - 90% of every modern software application. So, to prevent another zero-day vulnerability like Heartbleed from wreaking havoc -- enterprises are embracing new tools to automate open source governance and actively managing how components flow through their software supply chains.