The director of the Cybersecurity and Infrastructure Security Agency today warned that the Log4j flaw could aid the nefarious activity of criminals and foreign governments for months or years to come, and voiced concern about long-term risks to networks that control U.S. critical infrastructure.

<p>Log4j is a good reminder of how vulnerable today’s organizations are to attacks on the software supply chain. Third-party software purchased through the supply chain should receive just as much security review as internal applications, and how seriously a vendor implements security in their product should become a standard part of the buying process.</p>
<p>The challenge with the Log4j flaw is that new variants of the original Log4j vulnerability keep being discovered, and each one requires a new patch. Also, organizations may not be able to take down all their servers at once for patching. Ideally, organizations should consider an application runtime security solution that eliminates the urgent need for patching against new vulnerabilities like Log4j and gives them time to schedule patches methodically.</p>