It’s the Log4Shell anniversary. Somehow, about a third of Log4j downloads are still of the vulnerable version. Why is that? And what is the IT industry doing wrong? What can organisations do?
The Log4j vulnerability, one year later, shines a light on a lack of open source governance and visibility that still needs addressing across many organisations. This issue isn’t going away, and if it isn’t Log4j, it will be something else if companies don’t get their software supply chains in shape.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
Log4j was a stark reminder of the critical importance of securing the software supply chain. It was used in virtually every modern application and affected organizations’ services across the globe. One year on from the Log4Shell incident, the situation remains grim. According to our data, 30-40% of all Log4j downloads are of the vulnerable version, despite that a fix was released within 24 hours of the vulnerability’s premature disclosure.
“It’s imperative that organizations recognise most of the risk involved with open source lies with consumers, who must employ best practice instead of blaming flawed code. Log4j is not an isolated incident – 96% of vulnerable downloads of open source components had a fixed version available.
“Organizations need better visibility of every component being used in their software supply chains. This is why quality software composition analysis solutions are so important today as the world contemplates how SBOMs will help in the future. UK and European policy on software should require commercial consumers of open source to be able to do the equivalent of a targeted recall, just as we expect from physical goods manufacturers like the auto industry. Across-the-board visibility will confer additional benefits for organizations like the ability to make portfolio-wide decisions to invest or divest in certain technologies, and to reduce the potential scope of impact.”
“Hackers and cybercriminals are getting smarter and more creative in the ways they’re spreading malware and vulnerabilities via legitimate avenues like Github, Discord, and package registries. However, I am optimistic organizations will continue to take proactive action to protect themselves against potential attacks. The U.S is heading in the right direction with government advisories like the recent NSA and CISA guidance – the UK, Europe and Asia must follow suit.