This website collects cookies to deliver better user experience. Cookie Policy
Accept
Sign In
The Wall Street Publication
  • Home
  • Trending
  • U.S
  • World
  • Politics
  • Business
    • Business
    • Economy
    • Real Estate
    • Markets
    • Personal Finance
  • Tech
  • Lifestyle
    • Lifestyle
    • Style
    • Arts
  • Health
  • Sports
  • Entertainment
Reading: Push to Explain What Software Contains Gains Steam After Log4j Flaw
Share
The Wall Street PublicationThe Wall Street Publication
Font ResizerAa
Search
  • Home
  • Trending
  • U.S
  • World
  • Politics
  • Business
    • Business
    • Economy
    • Real Estate
    • Markets
    • Personal Finance
  • Tech
  • Lifestyle
    • Lifestyle
    • Style
    • Arts
  • Health
  • Sports
  • Entertainment
Have an existing account? Sign In
Follow US
© 2024 The Wall Street Publication. All Rights Reserved.
The Wall Street Publication > Blog > Tech > Push to Explain What Software Contains Gains Steam After Log4j Flaw
Tech

Push to Explain What Software Contains Gains Steam After Log4j Flaw

Editorial Board Published January 24, 2022
Share
Push to Explain What Software Contains Gains Steam After Log4j Flaw
SHARE

Companies must know what is inside their technology to secure it against hackers and prevent the type of upheaval seen at the end of 2021 due to a flaw in the free, widely used Log4j software, officials and analysts say.

Contents
Newsletter Sign-upWSJ Pro CybersecurityCISA chief Jen Easterly.More From WSJ Pro Cybersecurity

Disclosure of the vulnerability, which allows hackers to breach systems with relative ease, in early December prompted companies to rush to update their systems and prevent cyberattacks. Many security teams first had to find out if their software included Log4j, an open-source tool used to keep records of users’ activities so they can be reviewed later. Some companies are still combing their software for the flaw.


Newsletter Sign-up

WSJ Pro Cybersecurity

Cybersecurity news, analysis and insights from WSJ’s global team of reporters and editors.


“It’s often hard to spot because it’s not as simple as just running a vulnerability scanner, or checking a product version number,” said Jeff Macko, a senior director in consulting firm Kroll Holdings Inc.’s cyber risk business. Special tools for analyzing software are often required to find out whether Log4j or other vulnerable open-source parts are present.

Mr. Macko said he expects to be dealing with Log4j vulnerabilities for the next three to five years.

This lack of visibility into the guts of corporate software has given new urgency to an old idea—a complete inventory of what is inside software packages, including which open-source components programmers used during development. While such components are commonly used, open-source projects are sometimes maintained only by a handful of volunteers and often aren’t vetted by security teams, opening a company’s systems to attack.

Making such an inventory, known as a software bill of materials, or SBOM, has been promoted by the U.S. Cybersecurity and Infrastructure Security Agency as a way to shorten the time it takes to respond to new vulnerabilities. The Commerce Department is also an advocate, developing guidance on how to construct such an inventory in line with President Biden’s May 2021 executive order on cybersecurity.

CISA chief Jen Easterly.

Photo: Michael Brochstein/Zuma Press

CISA Director Jen Easterly said in a statement last month that the Log4j vulnerability “underscores the urgency of building software securely from the start and more widespread use of Software Bill of Materials.”

Building an SBOM that covers all technology at a company could be difficult. Large organizations such as major banks might run thousands of legacy applications, meaning that going through every piece to find open-source components is a daunting task.

“Frankly, legacy software without an SBOM is like a can of food from the 1920s without an ingredient label. Consume at your own risk,” said Sounil Yu, chief information security officer at Morrisville, N.C.-based cybersecurity company JupiterOne Inc.

Companies that can provide SBOMs demonstrate a mature software-development process, said Mr. Yu, who was previously chief security scientist at Bank of America Corp.

Software providers, in particular, are likely to come under significant pressure to produce SBOMs, he said, as client security teams are unlikely to endure long waits for vulnerability notifications from their suppliers while they figure out what is inside their products. In the Log4j case, tech providers rushed to develop patches to fix the flaw in their own products and to notify customers.

More From WSJ Pro Cybersecurity

Companies have two basic options for discovering whether the software they use contains open-source components, said Tim Mackey, principal security strategist at Synopsys Inc., a Mountain View, Calif.-based software-testing company. If the source code is available, it can be compared with open-source libraries for common components. Alternatively, the program itself can be run through a binary analysis process, where it is dissected to determine its parts, although the results might not be as clear as using the source code.

Still, Mr. Mackey said, bespoke software projects developed by teams outside a company’s technology division can complicate efforts to build comprehensive SBOMs, as they might not go through the usual checks and balances or even be known to technology staff.

Kroll’s Mr. Macko warned that component inventories won’t counteract inherently weak security. Implementing network security that watches for odd behavior from applications and following basic cybersecurity hygiene will help to mitigate the impact of attacks.

“It’s painful that we have to learn our lessons by getting a bloody nose first,” he said.

Write to James Rundle at [email protected]

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8

TAGGED:Tech NewsWall Street Publication
Share This Article
Twitter Email Copy Link Print
Previous Article Noncitizens shy to vote even when it’s legal Noncitizens shy to vote even when it’s legal
Next Article CBS retools streaming service to better resemble TV network CBS retools streaming service to better resemble TV network

Editor's Pick

California dwelling of lacking child’s mother and father searched; father has served time for youngster cruelty

California dwelling of lacking child’s mother and father searched; father has served time for youngster cruelty

San Bernardino County sheriff’s investigators on Sunday, Aug. 17, searched the house of the mother and father of the infant…

By Editorial Board 9 Min Read
Farmer Needs a Spouse: John Sansone and Claire Dinette Break up!
Farmer Needs a Spouse: John Sansone and Claire Dinette Break up!

Studying Time: 2 minutes It's sadly over for one more actuality tv…

4 Min Read
Steak ‘n Shake slams Cracker Barrel CEO for eliminating ‘old-timer’ from emblem: ‘We take delight in our historical past’
Steak ‘n Shake slams Cracker Barrel CEO for eliminating ‘old-timer’ from emblem: ‘We take delight in our historical past’

FOX Enterprise’ Jeff Flock experiences on Cracker Barrel unveiling a brand new…

4 Min Read

Oponion

Micron to Spend Up to 0 Billion on Chip Factory in New York

Micron to Spend Up to $100 Billion on Chip Factory in New York

Micron Technology Inc. has agreed to invest as much as…

October 5, 2022

Prince Harry Is Nonetheless ‘Uncomfortable’ in SoCal, Supply Claims

One royal knowledgeable believes that Prince…

November 8, 2024

Conservative wealthy dudes suppose they’re going to Make Motion pictures Nice Once more

Conservatives in America management each lever…

July 23, 2025

Trump’s just-for-gals city corridor goes simply as you’d anticipate—solely worse

An viewers member requested about abortion…

October 16, 2024

Andy Cohen: Does He Need Lisa Vanderpump Again on ‘RHOBH’?

Studying Time: 3 minutes Does Andy…

January 22, 2025

You Might Also Like

Selecting the Proper MacBook Is not As Troublesome As You Would possibly Suppose
Tech

Selecting the Proper MacBook Is not As Troublesome As You Would possibly Suppose

The larger change is in what number of exterior shows the M3 MacBook Air can help. Whereas the M4 mannequin…

29 Min Read
Our Editors’ Favourite Large Display screen Chromebook Is Now 9
Tech

Our Editors’ Favourite Large Display screen Chromebook Is Now $159

Again to high school is at all times a good time to choose up a deal on a brand new…

2 Min Read
The Rad ‘Tony Hawk’s Professional Skater 3+4’ Remasters Are  Off Proper Now
Tech

The Rad ‘Tony Hawk’s Professional Skater 3+4’ Remasters Are $15 Off Proper Now

In search of a wholesome dose of gaming nostalgia? It can save you $15 on Tony Hawk’s Professional Skater 3+4,…

3 Min Read
The Finest Paper Planners Our Editors Use to Set up Their Lives
Tech

The Finest Paper Planners Our Editors Use to Set up Their Lives

There's nothing like the sensation of a brand-new planner. As the brand new faculty yr kicks off, we have discovered…

32 Min Read
The Wall Street Publication

About Us

The Wall Street Publication, a distinguished part of the Enspirers News Group, stands as a beacon of excellence in journalism. Committed to delivering unfiltered global news, we pride ourselves on our trusted coverage of Politics, Business, Technology, and more.

Company

  • About Us
  • Newsroom Policies & Standards
  • Diversity & Inclusion
  • Careers
  • Media & Community Relations
  • WP Creative Group
  • Accessibility Statement

Contact

  • Contact Us
  • Contact Customer Care
  • Advertise
  • Licensing & Syndication
  • Request a Correction
  • Contact the Newsroom
  • Send a News Tip
  • Report a Vulnerability

Term of Use

  • Digital Products Terms of Sale
  • Terms of Service
  • Privacy Policy
  • Cookie Settings
  • Submissions & Discussion Policy
  • RSS Terms of Service
  • Ad Choices

© 2024 The Wall Street Publication. All Rights Reserved.

Welcome Back!

Sign in to your account

Lost your password?