How do we prevent the next Log4Shell?

Features
By Rory Bathgate
published

The private sector has an obligation to make better safety choices

The words ‘How do we prevent the next Log4Shell?’ with ‘Log4Shell’ highlighted in yellow and the other words in white, against a zoom blur photo of multi-colored code. In the bottom right corner, the words ‘ITPro Podcast’ are written.
(Image credit: Future / Unsplash - Markus Spiske)

The open-source community is a hub of innovation and there is no doubt that open-source software helps to prop up stacks everywhere, from the smallest firms through to the largest names in the tech industry. 

However, concerns have been raised in recent years over the security of open-source supply chains. Notable incidents such as Log4Shell have acted as a reminder to businesses and governments alike that a chain is only as strong as its weakest link.

In this episode, Jane and Rory are joined by Brian Fox, CTO of software supply chain management at Sonatype to discuss how the ecosystem can be made safer, and the role that developers, companies, and governments can play.

Highlights

“96% of the problem is that organizations don't have a good understanding of what components are in their software, what their developers are doing, and have no protection around it. And so they continue to download these vulnerable components.”

“Take Log4Shell, arguably the most prolific, most publicized, most talked about vulnerability maybe ever. Right now we're nearly 18 months after that zero-day disclosure, 30% of the versions of Log4j that are being downloaded today are of those known vulnerable versions. There's no good excuse for that.”

“The challenges that the ecosystem has with what the EU is proposing, both with the Cyber Resiliency Act but also with some of the product liability changes, the so-called Product Liability Directive (PLD) is that they have not been so clear in saying that open source is carved out, they have made an exception but have muddied the waters by saying ‘open source is not part of this unless it's done in a commercial setting’, or there is data behind it that is used to drive commercial aspects.”

Footnotes

Subscribe

Rory Bathgate
Rory Bathgate
Features and Multimedia Editor

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.