FTC highlights the importance of securing Log4j and software supply chain
January 7, 2022
0 mins readEarlier this week, the FTC issued a warning to companies regarding the Log4j vulnerability. Given the rampant exploitation of the recently discovered vulnerabilities in this ubiquitous open source logging package, it’s encouraging to see the agency take this rare step, beginning to form a firm stance on software supply chain security.
Although this increased scrutiny from the FTC may at first seem daunting, violations can be remediated with the right practices.
Background on Log4Shell
On December 10th, 2021 it was announced that there was a zero-day vulnerability for Log4j, a popular logging library for the Java software development language that is deeply embedded into leading companies’ technology stacks. Given the extensive usage of this library in organizations worldwide and the nature of open source code, bad actors were able to discover a way to exploit this vulnerability. Since CVE-2021-44228 was found first in the wild, instead of responsibly disclosed, this represents a “zero-day”.
Organizations across all industries have been utilizing this package for many years. The maintainers of Log4j sprung into action and released a patch when these attacks were detected in the wild. As the community focused on the Log4j package, more vulnerabilities surfaced over the next few weeks. Even though software teams might be on red alert due to this risk, this is a rare byproduct of the open source model. However, given the proper tooling, this is a manageable risk and does not outweigh the vast benefits of utilizing open source software. As an example, Log4Shell was patched in a matter of hours, reflecting the power of the developer community.
Respond, but don't panic
The primary responsibility of the US government is to protect the American people, so it’s understandable why they are taking a hard line with software vulnerabilities like the Log4Shell issue we experienced this past December. The FTC said they will “use [their] full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.”
This warning makes the importance of vulnerability remediation crystal clear. The FTC also showed their teeth by reminding us about the ~$700 million fine levied to Equifax in 2019. They noted a failure to “take reasonable steps” in securing the Equifax network, leading to a preventable data breach in 2017, affecting approximately 147 million people. It seems they plan to continue the scrutiny.
What are these “reasonable steps?” The FTC quote seems to say that any company doing business in the United States that holds consumer data of any kind MUST have a robust, functional, mature, and auditable vulnerability management program in place. As current regulations to safeguard citizens expand into the digital realm, following last February’s Executive Order, the government continues to make its voice heard regarding software security expectations. Software supply chain security is no longer optional.
The good news is that with the proper software security tooling and software development processes in place, you can be confident in your response. In fact, most Snyk customers had the initial and subsequent Log4j open source vulnerabilities identified and patched within a few days of being discovered. In some cases, it was merely a click of a button.
How Snyk can help
A good vulnerability management program begins with an overarching policy that dictates what processes must be in place and the principles that drive them. The processes should dictate the “reasonable steps” required to find, prioritize, remediate, and monitor vulnerabilities in systems and applications.
There are many ways Snyk is helping dev teams secure their software supply chain and find Log4j vulnerabilities in their code. Snyk allows developers to do a complete scan of their software and reports all instances of open source code, including Log4j.
Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. To make it even easier for development teams during this critical worldwide event, we increased the scan limits of our free tier to help find and fix Log4j instances in code.
From the beginning of this zero-day event, our entire team at Snyk has been steadfast in creating helpful content, from our experienced security researchers to the developer relations team on the front lines and everyone in between. We have published blogs, videos, live audio, webinars, cheat sheets, and more to give everyone the necessary details. As new information unfolds, we are dedicated to helping our customers and developer community stay on top of this event.
Here are some essential resources you can share with your security and development teams:
