The high-tech community is still trying to understand the long-term impact of the severe vulnerability discovered late last year in Apache Log4j open-source software, as is the US Senate.
“Open source is not the problem,” said Dr. Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council think tank, during a hearing of the US Senate Committee on Homeland Security and Governmental Affairs this week. “Software supply chain security issues have plagued the cyber policy community for years.”
Experts predict a long-term struggle to fix the Log4j flaw and its impact. Cisco Talos security researchers, for example, said that Log4j will be widely exploited in the future and that users should patch affected products and implement mitigations as soon as possible.
The popular Java logging software is widely used in enterprise and consumer services, websites and applications as an easy-to-use common utility to support client/server application development. If exploited, the Log4j weakness could allow an unauthenticated remote actor to take control of an affected server system and gain access to corporate information or trigger a denial of service attack.
The Senate panel called on experts to learn about industry responses and ways to prevent future software exposures.
Because Log4j is open source software, the experts spent much of their time advocating the use of open source software in critical platforms.
“Log4j’s weakness, which can be exploited by typing just 12 characters, is just one example of how widespread software vulnerabilities, including those found in open-source code, or freely available code and developed by individuals, may pose a serious threat to national and economic security,” said committee chairman Sen. Gary Peters (D-MI).
“In terms of the amount of online services, sites and devices exposed, the potential impact of this software vulnerability is immeasurable, and it leaves everything from our critical infrastructure, like banks and power grids, to government agencies, open to network violations.”
But Cisco’s security chief pushed back. “I am of the opinion that open source software has not failed as some have suggested, and it would be wrong to suggest that the Log4j vulnerability is evidence of a single flaw or increased risk with open source software,” Brad Arkin, Cisco’s senior vice president and chief security officer, told the committee. “The truth is that all software contains vulnerabilities due to inherent flaws in human judgment in designing, integrating, and writing software.”
“Cisco is a heavy user and active contributor to open source security projects. These are significant efforts needed to maintain the integrity of the blocks of code shared between fundamental elements of the IT infrastructure,” Arkin said. “However, I believe that focusing narrowly on the risks posed by open source software may distract us from other important areas where we can address the security risks inherent in all software.”
Herr of the Atlantic Council said similar vulnerabilities would certainly crop up in the future. “Log4j is an exceptionally widely used logging program,” he said, “and fixing its flaws has required considerable effort and public attention, but it won’t be the last time that this type of incident occurs.”
“The key to this body, and a watchword for federal efforts to improve open source security, is to fund the mundane – providing resources where industry could not, or where public attention fades, to drive structural improvements in the security of software supply chains across all developers and maintainers. Better securing software supply chains and open source code is an infrastructure issue, and the same long-term investment model applies.”
Jen Miller-Osborn, Deputy Director of Threat Intelligence at Palo Alto Networks’ Unit 42 security research team, recommended risk reductions in response to Log4Shell and future vulnerabilities, including:
- Automate Compliance with Vulnerability Management Policies: “We applaud [the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency] for building and maintaining a catalog of known exploited vulnerabilities, but manual reporting across 100+ federal civilian agencies is unlikely to stay ahead of the adversary.”
- Drive industry-wide commitment to development security operations: “Awesome work is already underway in this area, but the community would be well served by increasing adoption of existing development tools to control access to open source components. These tools can scan all open source packages for both integrity and security before they are approved and authorized for use by engineering teams in products.”
Cisco’s Arkin said implementing secure architectures is key to creating the necessary separation inside systems to limit the impact of vulnerabilities and enable rapid recovery and resilience.
“Appropriate segmentation, for example, makes it difficult for an attacker to move laterally through the network, even though they may gain initial access by exploiting a vulnerability,” Arkin said. “Implementing a zero-trust environment further protects critical data and systems from intrusion and exploitation by ensuring that every attempt to connect to the network and access important data and systems is scrutinized.”
Arkin and others said the secure software development and zero-trust networking requirements issued by executive order last year are important steps to take, whether or not they would have prevented the Log4Shell vulnerability.
The problem of imperfect code will not go away, said David Nalley, president of the Apache Software Foundation. “The reality is that humans write software, and as a result, there will always be bugs, and despite best efforts, some of them will include security vulnerabilities. As we continue to become more and more connected and digital, the number of vulnerabilities and potential consequences are likely to increase,” he said.
“There is no simple security software solution; it requires defense in depth – integrating upstream development into open source projects, vendors integrating those projects, developers using the software in custom applications, and even down to organizations deploying those applications to deliver services important to their users,” said Nalley.
Copyright © 2022 IDG Communications, Inc.