'Robust' code checking helps protect OpenStack from Heartbleed-style security snafu, says OpenStack Foundation

Juno code checked 2 million times before release


Open source cloud OS OpenStack is at a reduced risk of a Heartbleed-style security incident due to its community's "robust system" for identifying errors in contributed code, according to the OpenStack Foundation.

The Heartbleed Bug is a serious flaw in the open source OpenSSL security protocol that allows attackers to expose the information of people visiting websites running on affected servers. It was introduced by a coding error made by a German developer.

Speaking to TechRadar Pro at the OpenStack Summit in Paris, foundation executive director Jonathan Bryce said that the OpenStack testing system ran two million tests on code in the six-month release cycle leading up to the launch of Juno, the 10th and latest version of the platform.

He said: "Heartbleed was a very big vulnerability. The team that's responsible for OpenSSL has really smart guys, but they didn't have a huge support network around them, the type that allows you to dedicate the resources you need. On the other hand, OpenStack has a massive community and a dedicated security team, along with companies that spend millions of dollars to test and develop on it.

"From the foundation's perspective, we make sure that we help to put the frameworks and systems in place to keep those groups operating, functioning and sharing information."

Check point

According to Bryce, every piece of code contributed toward OpenStack goes through a set of automated tests before being reviewed by experienced developers called core reviewers who are elected by their OpenStack peers.

He continued: "Following automated tests, two core reviewers have to approve the contribution (or patch), which then re-enters a testing environment to check that nothing has changed in the time that it has been reviewed. If that all works then it finally enters the source tree.

"It's a very robust system and a really cool process that anybody can see happening online in real-time on our website if they want to."
