Wheeler: How to Prevent the Next Heartbleed
April 30, 2014

David A. Wheeler has written a lengthy article delving into why Heartbleed was not found sooner and how similar vulnerabilities can be prevented in the future. "There are several approaches that could have found Heartbleed, and vulnerabilities like it, before the vulnerable software was released. This is not a ding on the OpenSSL developers; they appear to have worked hard to reduce the number of vulnerabilities, including multi-person review and the use of various tools. Instead, this is an effort to help identify what could be better, so that OpenSSL and other important projects can prevent future similar vulnerabilities."

Read more at LWN