Now that the fury about OpenSSL is gone, and that we realize first that it was not that critical (only 7% of the web sites seemed to be at risk, not two thirds), and second that it could have been exploited for two years, but we don't know if it has been (we are waiting for a new Snowden), we can think about the lessons we can draw from this tragic episode.
There are a few, IMHO.
1) OpenSSL is a group of 17 persons, all volunteers. I'm not sure that all of them are active. This is a small bunch of people for software that is used in the wild. Do people realize that most of the components they are using daily, that they *trust*, are written by so few developers?
What if the group decides it's enough? That family is more important than spending hours on debugging some code, on testing it, and on documenting it? All of that for the simple satisfaction of writing good, useful code?
2) It took 2 years, 2 freaking years, before a company called Google was able to find the issue. What does that mean? Simply that companies like Yahoo!, which was one of the big IT companies hit hard by the Heartbleed bug, just didn't do their due diligence.
It's insane to think that those companies are spending BILLIONS of $ buying crappy other companies, trying to improve their load of turd^H^H^H social tools, when they are too cheap to spend a few hundred thousand dollars to get some expert to look at the code they are using.
Shame on them.
3) Low level components are just left alone. These days, it's all about the big frameworks; nobody cares about the bricks at the very base of our IT.
And that scares the shit out of me, as it should scare any one of you.
We are all expecting that the bricks we are using every day are safe. We are ignoring the risks we are taking, just because we can't check everything. But again, when you look at the commits, you realize you are depending on very few people...
Bottom line: we are building castles in the sand. And I don't even know how we could do any better...