Feb 11, 2022

Log4j highlights ongoing cyber risk from free, open source software: Moody's

Two months after the initial disclosure of the Log4j vulnerability, companies across the nation still grapple with long-term cybersecurity concerns. 
Open source projects are critical components of the software that major industries use every day, according to Leroy Terrelonge, vice president and senior analyst in the cyber risk group at Moody’s. 
“That’s a really big weakness in our current system,” Terrelonge said. “That only the biggest and most well-resourced organizations can afford to pore over code.”
Open-source flaws can linger. Moody’s noted a case in January where researchers discovered a 12-year-old vulnerability in devices running on Linux. 
The Biden administration has been working with private industry to secure the software supply chain. The National Institute of Standards and Technology unveiled guidance this month outlining a process for software producers to attest to their use of secure software development practices, to help strengthen the supply chain.
Experts are calling for additional investment in open source to help secure the software supply chain. Measures like a software bill of materials could help industry uncover vulnerabilities more quickly, though it won't prevent them, said David Nalley, president of the Apache Software Foundation, who testified to a Senate committee this week.
While open source helps organizations save considerable time and effort on development, security concerns must be accounted for, said Sandy Carielli, a principal analyst at Forrester.
“However, the mistake is to assume that you can grab an open source library and then never look at it or update it again,” Carielli said via email. “Organizations need to get better about managing their open source — understanding where it is used and automating updates so that when something like Log4j happens, it’s a blip on the radar and can be remediated with practiced upgrade procedures.”
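As an added illustration of the inventory step Carielli and Nalley describe (not code from the article or from any of the organizations named in it): a small check that walks a CycloneDX-style SBOM and flags every copy of a given component whose version is older than the fixed release. The SBOM below is constructed for the example, and the fixed-version constant is a placeholder to be replaced with the version named in the advisory you rely on.

```python
import json
import re

# Constructed CycloneDX-style SBOM fragment (sample data, not from the article):
# two copies of log4j-core, one already upgraded, plus unrelated components.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
        {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.1"},
    ],
})

# Placeholder: take the fixed version from the vendor advisory you trust.
ASSUMED_FIXED_VERSION = "2.17.1"


def version_key(version: str) -> tuple:
    """Map '2.14.1', '2.17' or '2.17.1-rc1' to a comparable tuple.

    Numeric parts are padded to three places so '2.17' == '2.17.0';
    a pre-release suffix sorts below the final release of the same number.
    """
    core, _, prerelease = version.partition("-")
    parts = [int(p) for p in re.findall(r"\d+", core)][:3]
    parts += [0] * (3 - len(parts))
    return tuple(parts) + (0 if prerelease else 1,)


def find_vulnerable(sbom_json: str, group: str, name: str, fixed_version: str) -> list:
    """Return every component matching group/name whose version predates fixed_version."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        if comp.get("group") == group and comp.get("name") == name:
            ver = comp.get("version", "0")
            if version_key(ver) < version_key(fixed_version):
                hits.append({"name": name, "version": ver, "purl": comp.get("purl", "")})
    return hits


if __name__ == "__main__":
    for hit in find_vulnerable(SAMPLE_SBOM, "org.apache.logging.log4j", "log4j-core", ASSUMED_FIXED_VERSION):
        print(f"needs upgrade: {hit['purl'] or hit['name']} ({hit['version']} < {ASSUMED_FIXED_VERSION})")
```

Run over real SBOMs for every deployed service, the same loop answers "where is this library used?" in minutes rather than after a manual audit.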
The Moody’s report follows a January report from Fitch warning about the increased cyber risk of Log4j to public finance entities, including local governments, small utilities and critical infrastructure providers.