Researchers will launch a huge independent audit of OpenSSL security as a part of a wider push by the Linux Foundation to improve open source projects' cyber defences.
The audit will be carried out by Cryptography Services and is part of the Linux Foundation's Core Infrastructure Initiative.
Cryptography Services is a wing of the NCC Group that includes researchers from iSEC Partners, Matasano Security, Intrepidus Group and NGS Secure.
Cryptography Services said that the audit is one of the biggest in history and will offer a definitive analysis of OpenSSL's current security levels.
"This audit may be the largest effort to review [OpenSSL] and is definitely the most public," wrote the group in a public statement.
The researchers will reportedly run a series of checks on OpenSSL, including penetration tests.
"The audit's primary focus is on the Transport Layer Security [TLS] stacks, covering protocol flow, state transitions and memory management," explained the group statement.
"We'll also be looking at the BIOs, most of the high-profile cryptographic algorithms, and setting up fuzzers for the ASN.1 and x509 parsers."
The audit follows widespread concerns about OpenSSL's security that spiked in 2014 when the Heartbleed bug was discovered.
Heartbleed is a flaw in the OpenSSL implementation of the TLS protocol used by open source web servers such as Apache and Nginx, which host around 66 percent of all sites.
Cryptography Services said that the audit will help to spot and fix bugs like Heartbleed before they become a problem, and expects the project to begin yielding results later this year.
"While the audit won't cover every single corner of the codebase, we believe it will be a useful component of the broader efforts being undertaken to improve OpenSSL's engineering and security," read the statement.
"This is a fairly large audit, so we expect the preliminary results to start coming out towards the beginning of the summer after we coordinate with the OpenSSL team."
The news has been met positively by the security community. TK Keanini, CTO at Lancope, told V3 that the audit is a great step forward for security research and should act as an example to other open source projects.
"Not only is this a good thing, but it needs to continue to be a good thing. This can't be a point in time, but a process that continues on an ongoing basis. And let's begin to look at other critical libraries and put the same rigour around it," he said.
Jared DeMott, principal security researcher at Bromium, said that the audit will help to improve numerous industries' cyber defences.
"It's nice that a big pen-test group like NCC is going to help the greater community by auditing security-critical open source code," he said.
"There are a lot of commercial projects that leverage open source and rarely give back, so I'm in favour of this type of expert time donation.
"Certainly this effort will not solve such a complex social and technical issue as security and cyber crime, but every bug fixed helps."
The project follows widespread reports that it is only a matter of time before a new Heartbleed-level flaw is found.
Canonical vice president Maarten Ectors told V3 earlier this month that the nature of software development means that critical security bugs on a par with Heartbleed will inevitably appear in the near future.