
Senate takes action on open-source vulnerabilities in wake of 2022 Log4j attack

‘The open-source ecosystem has become like Disneyland for developers,’ one expert tells IT Brew.


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

It’s no longer 2022, but for those focused on cybersecurity, the Log4j vulnerability that threatened systems worldwide still looms large.

The Log4j threat changed the game, Endor Labs CEO and Founder Varun Badhwar told IT Brew. The open-source nature of Log4j and its eventual exploitation using the Log4Shell vulnerability “highlighted the lack of visibility we have, the lack of governance and controls we have on this,” Badhwar said.

“Most organizations were unprepared to even understand where they were using Log4j,” he added.

Senatorial moves. One place that won’t forget the incident? The Senate’s Committee on Homeland Security and Governmental Affairs, which on March 29 passed the bipartisan Securing Open Source Software Act by an 11–1 vote. Log4j loomed large in the bill’s passage, as cosponsor and committee chair Sen. Gary Peters noted in a statement on the bill.

“The Log4j incident demonstrated that we must work to secure open-source software against persistent and evolving cybersecurity threats,” Peters said.

Peters and cosponsor Sen. Josh Hawley are directing the Cybersecurity and Infrastructure Security Agency (CISA) to analyze open-source software used by the government and mitigate the threats those systems pose. Hawley framed it in national security terms, calling the legislation “a great step toward better understanding the risk associated with software deficiencies, and better defending the US government and its critical infrastructure from cyberattacks by our enemies.”

Badhwar believes the Senate bill is a good start, but worries that it aims too low. While it identifies the problem and the solution, it stops short of spelling out the steps to get there. That level of security is necessary for managing risk, and the requirements of the legislation are, in his view, thus far insufficient.

The path ahead. IT teams need to look at the legislation as an indicator that they should be paying attention to open-source security, Badhwar said. Knowing the risks associated with using the code is essential to addressing risk.

Open source is appealing for many of the right reasons, Badhwar told IT Brew. Developers and security heads need to ensure, however, that they don’t allow that to blind them to the dangers of potentially malicious code.

“The open-source ecosystem has become like Disneyland for developers—it’s exciting, it’s cool, and it provides a lot of productivity boost,” Badhwar said. “But at the end of the day, you’ve got to remember nothing in this world is free.”—EH
