Some say that Log4J is the gift that keeps on giving, much like the Jelly of the Month Club. After the initial surge of discussion a couple weeks ago there were mitigations, a vaccine and multiple iterations of official patches to keep the issue at bay and the new ones that cropped up afterwards. Brian, Dan and Erik discuss the log4j vulnerability as it relates to enterprise systems, supportability, balancing the risk of patching and the ways that open-source software are used within the enterprise.
Join us this week as we cover:
- The Log4J vulnerability and saga in a nutshell
- The pros and cons of waiting to patch until there’s a stable one vs. patching again with each iteration and risk my system’s stability
- The critical need for system and application (and library) inventory and keeping up to date
- How best to react when the media and public discussion picks up on a vulnerability and causes a stir
- The challenges in the flurry of email and surveys from and to SaaS and service providers about their state on the vulnerability of the day
- What is the cost of “free” when it comes to running (and maintaining) open source software like Log4j
- How to make sure procurement departments are not just involved but include the risks of procurement decisions into the process
- Are the external capability assessments like SOC2 able to move beyond perfunctory review by those asking for them
We also have a video channel on YouTube that airs the “with pictures” edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and “like” the episodes.
Links:
- UPDATED: Cybereason Log4Shell Vaccine Offers Permanent Mitigation Option for Log4j Vulnerabilities (CVE-2021-44228 and CVE-2021-45046)
- log4j-affected-db/SOFTWARE-LIST.md at develop · cisagov/log4j-affected-db · GitHub
- A Log4J Vulnerability Has Set the Internet ‘On Fire’ | WIRED
- Alibaba Employee First Spotted Log4j Software Flaw but Now the Company Is in Hot Water With Beijing – WSJ
- Meltdown and Spectre
- Hackers launch over 840,000 attacks through Log4J flaw | Ars Technica
- 5 Whys: The Ultimate Root Cause Analysis Tool
- NSO Group spyware used to hack at least nine US officials’ phones – report | Surveillance | The Guardian
- The internet runs on free open-source software. Who pays to fix it? | MIT Technology Review
- Perfunctory Definition & Meaning – Merriam-Webster
Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate and Distilling Security, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.
