FYI: “The Impact of a Major Security Event on an Open Source Project: The Case of OpenSSL”
David A. Wheeler
A recent paper looked at Heartbleed’s impact on OpenSSL: “The Impact
of a Major Security Event on an Open Source Project: The Case of
OpenSSL” by James Walden, 2020, https://arxiv.org/abs/2005.14242
Two interesting points:
* "the number of reported vulnerabilities is a poor indicator of
security." Basically, small numbers can mean "there's little to find"
OR "no one is looking."
* "Project activity and software engineering practices required by the
CII best practices badge may be better indicators of project
security." They found that OpenSSL made a number of changes to earn
the badge, *AND* that those changes had stuck around years later.
Overall it's an interesting paper. They basically examine the OpenSSL
project before & after Heartbleed to see what they changed, and how it
changed their results.
It's nice to see the best practices badging project get positive comments :-).
--- David A. Wheeler
Director of Open Source Supply Chain Security, The Linux Foundation