A look back at Log4j shows fast reaction, slow remediation

December 7, 2022 – Published on IT Brew

When a security engineer in late 2021 discovered a vulnerability in the open-source Java-based logging framework known as Log4j, the response was swift. A fix was up for review five days after the November 24 finding, and the Log4j upgrade was available by December 10.

That’s prompt patch-making, but a number of organizations have taken a slower approach to deploying the update. Log4j is integrated into millions of computer systems, including ones used by governments, but many companies still lack asset-management and patch-testing practices that remediate the security threats caused by outdated versions of Log4j—or any outdated software, for that matter.

Software composition analysis tools help developers track the open-source components in an application. External attack surface management (EASM) products find external and internal-facing assets. A software bill of materials (SBOM), a White House-recommended practice, provides a component inventory.
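To show what the component inventory an SBOM provides actually buys a defender, here is an added example (not code from the article or from the Log4j project) that walks a small CycloneDX-style SBOM, including nested transitive components, and reports every copy of a named library whose version is below a minimum the caller supplies. The SBOM content, the component names and the versions are constructed sample data, and the minimum version is a placeholder parameter: the article gives no version numbers, so the threshold must be taken from the vendor's advisory rather than from this example.

```python
"""Report outdated copies of a component in a CycloneDX-style SBOM.

Added example with constructed data; the SBOM fragment, names and versions
below are illustrative only, and MINIMUM_VERSION is a placeholder the
operator must replace with the value from the relevant advisory.
"""
import json
import re

# Constructed SBOM fragment in CycloneDX JSON layout (sample data, not a real inventory).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
         "version": "2.14.1"},
        {"type": "library", "group": "com.example", "name": "widget-lib", "version": "3.0.0",
         # A nested component: the copy of log4j-core that widget-lib bundles transitively.
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
              "version": "2.3"},
         ]},
    ],
})


def parse_version(version):
    """Turn a dotted version such as '2.14.1' into a tuple of ints.

    Parsing stops at the first segment that does not start with digits, so
    '2.14.1-rc1' compares as (2, 14, 1).
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def version_lt(a, b):
    """True if version a is strictly older than version b (2.3 < 2.3.1)."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))


def iter_components(components, path=()):
    """Yield (path, component) for every component, descending into nested ones."""
    for comp in components:
        label = f"{comp.get('group', '')}:{comp.get('name', '')}@{comp.get('version', '')}"
        here = path + (label,)
        yield here, comp
        yield from iter_components(comp.get("components", []), here)


def find_outdated(sbom_json, group, name, minimum_version):
    """Return every copy of group:name older than minimum_version, with its dependency path."""
    sbom = json.loads(sbom_json)
    hits = []
    for path, comp in iter_components(sbom.get("components", [])):
        if comp.get("group") != group or comp.get("name") != name:
            continue
        if version_lt(comp.get("version", "0"), minimum_version):
            hits.append({"version": comp["version"], "path": " -> ".join(path)})
    return hits


if __name__ == "__main__":
    MINIMUM_VERSION = "2.99.0"  # placeholder; take the real floor from the vendor advisory
    for hit in find_outdated(SAMPLE_SBOM, "org.apache.logging.log4j", "log4j-core", MINIMUM_VERSION):
        print(f"outdated log4j-core {hit['version']} via {hit['path']}")
```

The recursive walk is the point of the example: a flat grep of top-level entries would miss the copy bundled inside widget-lib, which is exactly the kind of transitive dependency that keeps an outdated Log4j alive long after the direct dependency has been upgraded.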

Security teams must connect with application developers about risks related to factors like who has access to a service and whether it is publicly exposed, said Kristen Bell, director of application security engineering at the cybersecurity firm GuidePoint Security.

“You’re really reliant on a community to enhance and support those open-source components,” Bell told IT Brew.