Forget Heartbleed, remember testing

An unoriginal idea to fight the next Heartbleed bug


A few weeks have passed since the discovery of the Heartbleed bug. Everyone talked about it, patches were installed, passwords were reset, announcements were made. Eventually, life went on. It’s a bad dream now, a bad dream from the past, nearly forgotten.

Until it happens again.

It will happen again, that’s for sure. It will affect another service, another library, more or less widespread, with bigger or smaller effects. When history repeats itself, everyone will remember the Heartbleed bug again. Some will say that we haven’t learned anything from it, and it will be true.

It will be true, unless we do our best to prevent the next Heartbleed. Let me share with you a single idea that might help. It’s not the only possible idea and it’s probably unoriginal and obvious, so I don’t claim any credit for it, nor do I want to. I just want to prevent the next Heartbleed.

Testing discovered Heartbleed. Two different organisations caught it independently, one through security review of the code and the other through fuzz testing, as part of routines that a low-funded open-source project like OpenSSL can’t afford to run on its own. It’s a shame that these routines didn’t happen or succeed earlier, but I’m glad they did. Better late than never.

Why did these organisations succeed? Easy, because they were looking. They kept looking after the rest stopped doing so, after the rest assumed everything was fine. Things are not fine. Things are never fine. It is just that we haven’t found what’s wrong with them, yet.

Keep looking, keep testing, help open-source projects get better and more frequent testing. Testing is not infallible, it won’t prevent the next Heartbleed from happening, but at least we will have tried harder this time.