If there's an upside to the whole Heartbleed debacle, it's that the media drew attention to an incredible disparity: the group that works on OpenSSL gets less than $2,000 a year to maintain the open source security protocol that is used by two thirds of the Internet! Talk about a thankless task.
NPR reports that despite the fact that this software secures websites like Google and Amazon, these programmers get practically no money for the work they do on OpenSSL. To put things in perspective, a part-time fast food worker would make more money after working for about two months than OpenSSL makes for, you know, securing the Internet. Would you like fries with your data encryption?
Problem Solved? New Funding for Internet Infrastructure
ArsTechnica points out that not all open source projects face the lack of funding that plagues OpenSSL. HP, IBM, Intel, Oracle, Google, and Cisco all fund the Linux OS kernel. It appears that OpenSSL just fell through the cracks, and none of the major companies felt compelled to support it. Until now.
Thankfully, the Linux Foundation recently announced that it has worked with industry leaders to put together a $3.9 million fund, which it will use to support key open source infrastructure – including OpenSSL.
What Can IT Professionals Learn from the Heartbleed Bug?
OpenSSL says that only one person in the organization works on the software exclusively. It's sobering to realize that two-thirds of the Internet's security depends on a guy who, in 2013, made less than a part-time fast food employee. Actually, "sobering" isn't the right word. "Terrifying" might be a better choice.
If you follow IT news, you've surely read about cases similar to Heartbleed, where one small error exposes millions of users' data. In our review of new mobile security strategies, "A Cure for Data Breaches," we point out how a duplicate line of Apple's iOS code accidentally exposed user data. The bug went unnoticed for 18 months. Apparently, even if you're paid like an Apple engineer (and not an OpenSSL volunteer), you can still make these mistakes.
Unfortunately, when a programmer commits these oversights, they can cause an IT employee who uses or recommends that program to be sued. Here's why:
- IT lawsuits for software flaws. Though it's impossible for you to know whether a product is perfectly secure, you can still be sued if a program causes a data breach on your client's network. You're professionally obligated to make sure that all software you recommend or oversee works well and securely for your clients.
- Judges don't understand software issues. If you're sued, you might have to face a judge and jury that doesn't know much about software. Imagine trying to convince a judge and jury (all non-techies) that you shouldn't be blamed for an open source software flaw. They may think you're trying to avoid blame and probably won't understand the technical details of your argument.
- Clients are often slow to upgrade to fix software flaws. In our article "Java Update Reveals Why Business Software Is More Vulnerable than Consumer Software," we point out that clients are often slow to update enterprise software because they depend on older software that can break when they upgrade.
Because of these three reasons, IT businesses are often exposed to data breach (and other IT-related) lawsuits. Fortunately, IT Errors and Omissions Insurance can cover lawsuits that arise from mistakes you've made or flaws in the software your clients use.
For a free quote on IT insurance, use our online insurance app.