A Case Study: Heartbleed Vulnerability Management and Swedish Municipalities

In Sweden, the use of open source software (OSS) in the public sector has been promoted by the government in recent years. A number of Swedish municipalities have formed interest communities to share OSS information and work together on OSS issues. However, there is a lack of studies and evidence that these municipalities have adequate routines for managing warnings and advice from these communities on OSS security incidents. The Heartbleed vulnerability that occurred in April 2014 was a sudden case in which these municipalities had to take remedial action to protect their information assets in a timely manner. This work undertakes a socio-technical study of how Swedish municipalities utilize information channels to handle an OSS security incident, and of their security posture before, during and after the incident. We conducted a case study of Heartbleed incident management in Swedish municipalities, in which three municipalities located in different regions of the country were studied. The study used a qualitative research method combined with the Security-by-Consensus (SBC) analytical model as a research paradigm for data collection, processing and analysis. The results suggest that the socio-technical aspects of open source security should be taken into account in Swedish municipalities for OSS adoption and security incident management.
