Third Party Risk Management, Application Security, Business Continuity Management / Disaster Recovery
Patrick Dwyer Says Open Source Software Deserves More Resources
Jeremy Kirk (jeremy_kirk) â¢
December 21, 2021
The Log4j vulnerability once again underscored the widespread reliance on open source software projects and the hidden risks.
It has also raised the question of whether software projects such as Log4j, which is maintained by volunteers from the Apache Software Foundation, deserve more attention and resources given the profound impacts that a security issue can have. .
“We’re not talking about a large corporate supplier here providing this component,” says Patrick Dwyer from Online Web Application Security Project, or OWASP. “We’re talking about a small team of open source software maintainers.”
Businesses and organizations scramble to determine if the software they are running uses the logging library. The remote code execution flaw found in Log4j could allow an attacker to extract secrets from a server or take them completely (see: Log4j operation: 40% of corporate networks targeted to date).
Part of the problem is that Log4j is found in hundreds of thousands of software applications. Determining risk and exposure was a challenge.
Dwyer helps develop CycloneDX, which is a specification for creating SBOMs, or software BOMs, which are lists of third-party code and dependencies within an application or device. SBOMs might have helped organizations understand the risk of Log4j-type situations since they would have an accurate inventory of assets, he says (see Supply chain: the role of software nomenclatures).
âWe would have been in a much better shape to be able to prioritize that initial response,â Dwyer said. “A lot of people didn’t even know where to start.”
In this video interview with Information Security Media Group, Dwyer discusses:
- The security challenges of open source software projects;
- Why some open source software projects require enterprise-level security assessments;
- How SBOMs can help organizations understand their exposure to vulnerabilities.
Dwyer is a member of the CycloneDX SBOM Core Specification Team and OWASP. He is also responsible for software development for a government council in Queensland, Australia.