It’s been almost a year since the SolarWinds supply chain hack sent shockwaves through hundreds of businesses around the world, but the cybersecurity quake is far from over. The Log4Shell and Spring4Shell vulnerabilities, which affected businesses using the Log4j library and the Spring Core framework, have lately caused aftershocks.
Supply chain attacks have been seen before, but 2021 was the year they truly took off. The use of open-source components, as in the Spring4Shell and Log4j attacks, has raised the danger. They are used in practically every type of software development and are frequently produced quickly, which introduces security flaws. This means that any vulnerability found in a widely used open-source component will have a huge impact.
Following the events of Log4Shell and Spring4Shell, there are three major lessons that businesses must learn to keep secure while using open-source software:
Identifying the dangers
To design, manage, and maintain a software supply chain securely, you must first understand and be able to see all of its links.
Businesses require a complete inventory and understanding of all open-source components in use to assure security. You can’t afford to take the provenance and security of software components for granted. If incidents like Log4Shell, Spring4Shell, and SolarWinds have taught us anything, it’s that we need to be more conscious of all the many pieces of software that are used within a company.
This covers how and where they were developed, as well as where they are used throughout the organisation, so that if vulnerabilities are found they can be remedied swiftly to minimise the impact.
Don’t overthink things.
Number two on the list is the need to shockproof yourself. It’s critical to do a good job when creating frameworks or libraries, but you must also take a more straightforward approach to avoid unintentionally introducing weaknesses.
Concentrating on doing a few things well is preferable to introducing a large number of features poorly. The more features there are, the more probable it is that a serious vulnerability exists. So, when deciding what additional features to add to your products and services, consider whether you really need them, and only turn them on if they are really necessary.
Take away the effort
Finally, when designing and building applications, businesses must consider cross-cutting concerns. Whether for logging, metrics, encrypted communications, or caching, it’s critical to consider whether these recurring concerns should be handled within the application or whether they can be externalised instead.
The Consequences
Log4Shell and Spring4Shell have only helped to highlight the need for enterprises to take proactive measures to protect their environments. This will only grow more difficult as innovation accelerates, resulting in an increasing number of machine identities for enterprises to monitor.
It will be difficult to track and maintain all of those machine identities while simultaneously keeping track of all software components and keeping development simple. Organisations today simply lack the expertise and resources needed to check all of those boxes. Instead, they should use automation and security technology to ensure that these flaws are kept to a minimum, reducing the impact of attacks like the one that affected Log4j.