Such issues can be very confusing for small and medium-sized businesses, he says, making them difficult to resolve easily. Sonatype analysis has found that about 30 percent of Log4j usage comes from versions that may be vulnerable. “Some companies have no information, no resources, and no idea where to start,” says Fox. Sonatype is one of the companies that provides a diagnostic tool to identify whether there is a problem. One customer told them that without it, they would have had to email 4,000 co-owners to ask them to find out whether they were affected.
The other side of the story, of course, is the over-reliance of profitable businesses on open source: free software developed and maintained by small, dedicated teams. The Log4j issue is not the first (Heartbleed, which hit OpenSSL in 2014, is a clear example of the same problem) and it will not be the last. “We wouldn’t buy things like cars or food from companies that had very bad practices,” says Brian Fox, chief technology officer at Sonatype, a specialist in software development and security. “Yet we are always dealing with programs.”
Companies that know they use Log4j and are on a very recent version do not need to worry about it and have little to do. “That’s an unfortunate solution to this: It could be easy,” Fox says.
The problem arises when companies do not know that they are using Log4j, because it sits in a small part of an imported program or tool that they do not control, and they do not know where to start looking. “It’s like understanding the metal that went into the metal that went into your car,” says Glass. “As a consumer, you have no chance of knowing this.”
Because Log4j is a software library, fixing it is difficult, says Moussouris: many organizations have to wait for their software vendors to integrate the fix themselves, something that can take time and effort. “Some organizations have very talented people inside who can deal with a variety of pending challenges, but in reality, many organizations rely on their vendors to create high-quality patches that include customized libraries or modified packages on the packages,” Moussouris says.
Yet big and small companies across the United States, and around the world, need to move, and fast. One of them was Starling Bank, a UK-based bank. Because its systems were built and maintained in-house, it was quickly able to establish that its own banking systems would not be affected by the Log4j threat. “However, we are also aware that there may be potential problems with some of the platforms we use and the code we use to integrate,” said Mark Rampton, chief of security services. “We quickly recognized the Log4j codes that were in place for our third-party mergers that were modified by other pricing methods,” he says. Starling removed those instances and blocked future use. At the same time, the bank tasked its security operations center (SOC) with reviewing hundreds of thousands of events to see whether Starling was being probed by attackers looking for the Log4j flaw. They weren’t, but they’re watching. The checks required were demanding, but they matter, says Rampton. “We decided to have a ‘wrong approach’ until it was proved that we were innocent, since insecurity was being dealt with so quickly that we could not think of anything,” he says.
“I get to where the FTC is trying to get from,” Thornton-Trump says. “They are trying to make people more aware of risk management. But it is the deafness that threatens the risk that so many businesses have. They are making you press a panic button on something you do not know if you already have.”