At a hearing before a U.S. Senate committee, executives from Cisco, Palo Alto and Apache discussed the industry’s response to the Log4j vulnerability and potential future problems. They were united in refusing to cast aspersions on open source.
After the White House, the U.S. Senate is now questioning the long-term impact of the serious vulnerability discovered late last year in the open source software Apache Log4j. “Open source is not the problem,” said Dr. Trey Herr, director of the Cyber Statecraft Initiative at the U.S. international relations think tank Atlantic Council, at a hearing of the U.S. Senate Committee on Homeland Security & Government Affairs this week. “Software supply chain security issues have been a concern for the cybersecurity community for years,” he said.
Experts say it will take a long time and a lot of work to address the Log4j flaw and its impact. As such, security researchers at Cisco Talos, believe that in the future, Log4j will be heavily exploited, and users should apply patches to affected products and implement mitigation solutions without delay. Java logging software is widely used in services, websites, and enterprise and consumer applications, as it is an easy-to-use tool in client/server application development.
A defense of open source
If exploited, the Log4j flaw gives an unauthenticated remote actor the ability to take control of an affected server system and gain access to corporate information or launch a denial-of-service attack. The Senate committee asked experts to outline industry responses and ways to prevent future software exposures.
Because the Logj4 flaw affects open source software, experts have spent a lot of time advocating for the use of open source software in critical platforms. “The Log4j vulnerability, which can be exploited by typing just 12 characters, is just one example of the serious threat that widespread software vulnerabilities, including those in open source code, or freely available code developed by individuals, can pose to national and economic security,” said committee chairman Senator Gary Peters (D-MI).
“In terms of the amount of online services, sites and devices exposed, the potential impact of this software vulnerability is immeasurable, and it puts all of our critical infrastructure, from banks and power grids, to government agencies, at risk of network breaches,” the senator added.
Cisco security chief Brad Arkin wanted to defend open source software. “I don’t think open source software is at fault, as some have suggested, and it would be wrong to suggest that the Log4j vulnerability is evidence of a unique flaw or that open source software poses an increased risk,” Brad Arkin, Cisco’s senior vice president and chief security officer, told the committee.
“The truth is that all software contains vulnerabilities due to human design, integration and writing errors,” he further argued. “Cisco is a significant user and active contributor to open source security projects. These efforts are essential and necessary to maintain the integrity of shared blocks of code across fundamental elements of the IT infrastructure,” Arkin said. “However, focusing exclusively on the risks posed by open source software could distract us from other important areas where we can address the security risks inherent in all software,” added Cisco’s senior vice president and chief security officer.
Log4j flaw: open source is not the problem
At a hearing before a U.S. Senate committee, executives from Cisco, Palo Alto and Apache discussed the industry’s response to the Log4j vulnerability and potential future problems. They were united in refusing to cast aspersions on open source.
After the White House, the U.S. Senate is now questioning the long-term impact of the serious vulnerability discovered late last year in the open source software Apache Log4j. “Open source is not the problem,” said Dr. Trey Herr, director of the Cyber Statecraft Initiative at the U.S. international relations think tank Atlantic Council, at a hearing of the U.S. Senate Committee on Homeland Security & Government Affairs this week. “Software supply chain security issues have been a concern for the cybersecurity community for years,” he said.
Experts say it will take a long time and a lot of work to address the Log4j flaw and its impact. As such, security researchers at Cisco Talos, believe that in the future, Log4j will be heavily exploited, and users should apply patches to affected products and implement mitigation solutions without delay. Java logging software is widely used in services, websites, and enterprise and consumer applications, as it is an easy-to-use tool in client/server application development.
A defense of open source
If exploited, the Log4j flaw gives an unauthenticated remote actor the ability to take control of an affected server system and gain access to corporate information or launch a denial-of-service attack. The Senate committee asked experts to outline industry responses and ways to prevent future software exposures.
Because the Logj4 flaw affects open source software, experts have spent a lot of time advocating for the use of open source software in critical platforms. “The Log4j vulnerability, which can be exploited by typing just 12 characters, is just one example of the serious threat that widespread software vulnerabilities, including those in open source code, or freely available code developed by individuals, can pose to national and economic security,” said committee chairman Senator Gary Peters (D-MI).
“In terms of the amount of online services, sites and devices exposed, the potential impact of this software vulnerability is immeasurable, and it puts all of our critical infrastructure, from banks and power grids, to government agencies, at risk of network breaches,” the senator added.
Cisco security chief Brad Arkin wanted to defend open source software. “I don’t think open source software is at fault, as some have suggested, and it would be wrong to suggest that the Log4j vulnerability is evidence of a unique flaw or that open source software poses an increased risk,” Brad Arkin, Cisco’s senior vice president and chief security officer, told the committee.
“The truth is that all software contains vulnerabilities due to human design, integration and writing errors,” he further argued. “Cisco is a significant user and active contributor to open source security projects. These efforts are essential and necessary to maintain the integrity of shared blocks of code across fundamental elements of the IT infrastructure,” Arkin said. “However, focusing exclusively on the risks posed by open source software could distract us from other important areas where we can address the security risks inherent in all software,” added Cisco’s senior vice president and chief security officer.
Taking the long view and the means to remediate
According to Dr. Herr of the U.S. think tank Atlantic Council, expect to discover more similar vulnerabilities. “The Log4j logging program is extremely popular, and fixing its flaws has required considerable effort and widespread public attention, but this is not the last time this type of incident will occur,” Herr said. “Among the efforts that federal agencies should undertake to improve open source security, would be to fund what is ordinary, providing resources where industry would not