
DHS Calls for “Excellence in Software” in Log4j Report

Interview with Mike Manrod, CISO, and Christian Taillon, IT Security Engineer at Grand Canyon Education

In December 2021, attackers began exploiting a critical, zero-day vulnerability in the popular open-source logging tool Apache Log4j that allows remote code execution on vulnerable servers.

Notably, attackers immediately began leveraging the Log4j vulnerability to target SolarWinds and VMware servers, among other ubiquitous commercial applications. Fast forward to today, and Log4j exploits are found in botnet packages, including IoT botnets in the case of Mirai, as well as ransomware, crypto miners, and other malware programs.

Recently, the Department of Homeland Security’s Cyber Safety Review Board (CSRB) released a study on how the Log4j vulnerability has impacted the software supply chain. As stated in the report, “A vulnerability in such a pervasive and ubiquitous piece of software has the ability to impact companies and organizations… all over the world.”

The report’s first recommendation is to prepare to address Log4j issues for years to come. The report’s authors call for software providers to bake security into development processes by promoting increased investments in open-source software security, training, and community-based security initiatives. A critical recommendation that should not be overlooked is piloting and funding ongoing maintenance of open-source software, components, and libraries.

“Development organizations need to apply multiple tools early, such as binary scanning tools and static analysis, to know what’s in the software and being accumulated along the way. They should also think about how the product is being used and how that makes it vulnerable,” says Mike Manrod, CISO at Grand Canyon Education (GCU). He and Christian Taillon, IT Security Engineer at GCU, are back on Shift Left Academy for a second time to discuss the short- and long-term ramifications for commercial software developers based on the DHS report’s recommendations.


Resources related to this interview:

*** This is a Security Bloggers Network syndicated blog from Shift Left authored by Deb Radcliff. Read the original post at: https://shiftleft.grammatech.com/dhs-calls-for-excellence-in-software-in-log4j-report