Sat. Jan 22nd, 2022


Part of the issue, of course, is business's over-reliance on open source: free software created and maintained by a small, overstretched team of volunteers. Log4j's problems are not the first of their kind. The Heartbleed bug that hit OpenSSL in 2014 was a high-profile example of the same problem, and it will not be the last. "We wouldn't buy products like cars or food from companies that have really terrible supply chain practices," said Brian Fox, chief technology officer at Sonatype, a software supply chain management and security company. "Yet we're doing it all the time with software."

Such problems can disproportionately affect small and medium-sized businesses, Fox says, and make them impossible to fix easily. Sonatype's analysis found that about 30 percent of Log4j downloads are still of potentially vulnerable versions of the tool. "Some companies haven't received the message, have no materials, and don't even know where to start," Fox said. Sonatype is one of the companies that provides a scanning tool to detect the problem, if it exists. One client told them that without it, they would have had to email the 4,000 application owners they work with to find out individually whether each was affected.

Companies that know they use Log4j and are on a patched version of the utility have nothing to worry about and nothing to do. "That's the decent thing to do, and it should end there," Fox said. "Fairly recent" is not a precise enough check, though: the first fix releases, 2.15.0 and 2.16.0, were themselves superseded by 2.17.0 and 2.17.1 within weeks, so the comparison should be against the current fixed release (2.17.1 for the 2.x line as of this writing), not against "newer than December 2021".

The problem arises when companies don't know they're using Log4j, because it is buried inside an application or tool they don't control, and they don't know how to start looking for it. "It's like knowing the iron ore that went into the steel that went into your car's piston," Glass said. "As a consumer, you have no chance to find it."
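The "where do we even start looking" problem above is mostly a question of opening every Java archive you ship or deploy, including archives nested inside other archives, and reading the log4j-core version out of each one. The script below is an added example of that approach; it is not Sonatype's scanner or any other tool named in the article. It assumes the standard Maven layout that Apache publishes (the `pom.properties` path and the `JndiLookup` class path are real artifact paths), and the fix thresholds are the Apache release numbers for each maintained branch. The fixture it builds (a fat jar bundling log4j-core 2.14.1 next to a stand-alone 2.17.1 jar) is constructed for the demo.

```python
"""Locate log4j-core inside Java archives (jar/war/ear), including archives
nested in other archives, and flag versions that predate the fix releases.

Added example; not a tool from the article. Version thresholds are the Apache
fix releases: 2.17.1 for the 2.x line, 2.12.4 (Java 7 line), 2.3.2 (Java 6 line).
"""
import io
import os
import re
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

# Branch prefix -> first release of that branch carrying all the fixes.
FIXED = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}
FIXED_DEFAULT = (2, 17, 1)


def parse_version(text):
    """'2.17.1' -> (2, 17, 1); '2.3' -> (2, 3, 0); unparseable -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(x or 0) for x in m.groups()) if m else None


def classify_version(version):
    """Return 'fixed', 'vulnerable' or 'unknown' for a log4j-core version."""
    v = parse_version(version)
    if v is None or v[0] != 2:
        return "unknown"  # only the 2.x log4j-core artifact is in scope here
    return "fixed" if v >= FIXED.get(v[:2], FIXED_DEFAULT) else "vulnerable"


def _read_props(data):
    props = {}
    for line in data.decode("utf-8", "replace").splitlines():
        if "=" in line and not line.startswith("#"):
            k, _, v = line.partition("=")
            props[k.strip()] = v.strip()
    return props


def scan_archive(blob, label, findings):
    """Inspect one archive held in memory; recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to inspect
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            version = _read_props(zf.read(POM_PROPS)).get("version", "")
            findings.append({
                "where": label,
                "version": version,
                "status": classify_version(version),
                # Deleting JndiLookup.class was the sanctioned stop-gap for
                # deployments that could not upgrade at once; its presence alone
                # does not prove vulnerability, the version decides that.
                "jndi_lookup_present": JNDI_CLASS in names,
            })
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(name), f"{label}!{name}", findings)


def scan_path(root):
    """Walk a directory tree and scan every archive found in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, findings)
    return findings


def build_fixture(directory):
    """Constructed sample data: a fat jar bundling log4j-core 2.14.1 and a
    stand-alone log4j-core 2.17.1 jar. Class bodies are placeholders."""
    def log4j_jar(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
        return buf.getvalue()

    fat = os.path.join(directory, "app-all.jar")
    with zipfile.ZipFile(fat, "w") as z:
        z.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
        z.writestr("lib/log4j-core-2.14.1.jar", log4j_jar("2.14.1"))
    with open(os.path.join(directory, "log4j-core-2.17.1.jar"), "wb") as fh:
        fh.write(log4j_jar("2.17.1"))


def demo():
    """Build the constructed fixture in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_fixture(root)
    return sorted(scan_path(root), key=lambda f: f["where"])


if __name__ == "__main__":
    import sys
    results = scan_path(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in results:
        print(f"{f['status']:<10} {f['version']:<8} jndi={f['jndi_lookup_present']}  {f['where']}")
```

Run it with a directory argument to scan a real deployment; with no argument it scans the constructed fixture and reports the nested 2.14.1 copy as vulnerable and the 2.17.1 jar as fixed. Two limits worth knowing: shaded builds that relocate the `org.apache.logging.log4j` package will not carry the `pom.properties` path and need a class-name search instead, and a result of "fixed" says nothing about log4j 1.x, which is a different artifact.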

Because the Log4j vulnerability sits in a software library, it is difficult to remedy, Moussouris says: many companies have to wait for their software providers to patch it, which takes time and testing. "Some companies have highly technically skilled people who can do various mitigation tasks while waiting, but basically, most companies rely on their vendors to create high quality patches that include updated libraries or updated components in that package," she said.

Yet large and small companies across the United States and around the world need to move, and faster. One of them was Starling Bank, a UK-based challenger bank. Because its systems were originally built and coded in-house, it was able to quickly determine that its banking systems would not be affected by the Log4j vulnerability. "However, we also know that the third-party platforms we use, and the library-derived code we use to integrate them, have potential vulnerabilities," said Mark Rampton, the bank's head of cybersecurity.

"We quickly identified instances of the Log4j code that were present in our third-party integrations that had been superseded by other logging frameworks," he said. Starling removed those traces and blocked their future use. At the same time, the bank tasked its Security Operations Center (SOC) with analyzing millions of events to see whether Starling was being targeted by people hunting for the Log4j vulnerability. It wasn't, but they kept watching. Rampton said the effort required was significant, but necessary. "We decided to adopt the 'guilty until proven innocent' approach, because the vulnerabilities were being exposed at a pace we could not have guessed," he said.

"I can see where the FTC is coming from," said Thornton-Trump. "You don't know if you're affected at the moment."

