The FTC wants companies to find Log4j quickly. It will not be so easy


Things like this are likely to have a disproportionate impact on small and medium-sized businesses, Fox says, making the problem nearly impossible to fix easily. Sonatype's analysis has found that about 30 percent of Log4j downloads are still of potentially vulnerable versions of the library. "There are some companies that have not got the message, do not have the resources, and do not even know where to start," said Fox. One client told them that, failing that, they would have to email the 4,000 application owners they work with and ask them to find out on their own whether it affected them.

Part of the issue, of course, is the over-reliance of for-profit businesses on free, open source software developed and maintained by a small team of volunteers who are stretched thin. The Log4j case is not the first; the Heartbleed bug that hit OpenSSL in 2014 is one high-profile example of a similar problem, and it will not be the last. "We would not buy products such as cars or food from companies with terrible supply chain practices," said Brian Fox, chief technology officer at Sonatype, a software supply chain management and security firm. "But we do it all the time with software."

Companies that know they are using Log4j and are on a relatively recent version of the utility have little to do. "That's the absurd answer for them: it can be very easy," says Fox.

The problem arises when companies do not know that they are using Log4j, because it is buried in a small part of an application or an installed tool they are not keeping an eye on, and they do not know how to start looking for it. "It's a bit like working out what iron ore went into the steel that found its way into the piston in your car," says Glass. "As a consumer, you have no chance of proving that."
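The "where do we even start" problem above is, in practice, an inventory problem: Log4j 2 usually arrives as a transitive dependency, packed inside a WAR or EAR, or shaded into a vendor's uber-jar, so a filename search misses most copies. The following scanner is an added example written for this page, not code from the article or from any of the companies quoted. It walks a directory tree, opens every .jar/.war/.ear/.zip, recurses into archives nested inside archives, and for each copy of log4j-core reports the version read from the Maven pom.properties that the jar ships with and whether org/apache/logging/log4j/core/lookup/JndiLookup.class is still present (deleting that class from the jar was one of the published mitigations, so a version string alone is not enough). The affected-version cutoff encoded in classify() is a simplified policy assumed for the example (2.x below 2.15.0, the original Log4Shell range); adjust it to your own patch target.

```python
import io
import os
import zipfile
from dataclasses import dataclass
from typing import Iterator, List, Optional

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Maven metadata that log4j-core ships inside its own jar; gives the exact version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class that performs the JNDI lookup. Removing it from the jar was a
# published mitigation, so its absence matters as much as the version string.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumed policy for this example: 2.x below this is treated as affected.
FIXED_IN = (2, 15, 0)


@dataclass
class Finding:
    location: str            # "outer.war!WEB-INF/lib/log4j-core.jar" style chain
    version: Optional[str]   # None when no pom.properties was found (shaded/repackaged)
    has_jndi_lookup: bool
    affected: bool           # still needs patching or manual review, see classify()


def parse_version(pom_properties: str) -> Optional[str]:
    """Pull 'version=...' out of a pom.properties file."""
    for line in pom_properties.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def version_key(version: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Non-numeric suffixes are dropped."""
    nums = []
    for part in version.split(".")[:3]:
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def classify(version: Optional[str], has_jndi_lookup: bool) -> bool:
    """True when this copy still needs attention.

    A jar whose JndiLookup.class has been removed is treated as mitigated.
    A jar that still has JndiLookup.class but no readable version is flagged
    for review rather than silently passed.
    """
    if not has_jndi_lookup:
        return False
    if version is None:
        return True
    key = version_key(version)
    return key[0] == 2 and key < FIXED_IN


def scan_archive(data: bytes, location: str) -> Iterator[Finding]:
    """Inspect one archive held in memory, recursing into archives nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_LOOKUP in names:
            version = None
            if POM_PROPS in names:
                version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
            has_jndi = JNDI_LOOKUP in names
            yield Finding(location, version, has_jndi, classify(version, has_jndi))
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                yield from scan_archive(zf.read(name), f"{location}!{name}")


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory and return every log4j-core copy found, nested ones included."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(scan_archive(fh.read(), path))
    return findings


if __name__ == "__main__":
    import sys
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        flag = "AFFECTED" if f.affected else "ok      "
        print(f"{flag} {f.location} version={f.version} jndi_lookup={f.has_jndi_lookup}")
```

Run it against an application server's deployment directory or a vendor appliance's extracted filesystem; the location chain shows exactly which third-party bundle pulled the library in, which is the information you need when the fix has to come from the vendor rather than from your own build.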


The fact that the Log4j vulnerability sits in a software library makes it harder to deal with, says Moussouris, because many organizations have to wait for their software vendors to deliver updates, something that takes time and testing. "Some organizations have more technically skilled people within them who have worked out various mitigations while they wait, but in essence, most organizations rely on their vendors to deliver high-quality packages that include the updated libraries or updated ingredients in those packages," she said.

But companies large and small across the United States, and around the world, need to move, and quickly. One of them was Starling Bank, the UK-based challenger bank. Because its systems were largely built and coded in-house, it was able to quickly establish that its core banking systems would not be affected by the Log4j vulnerability. "However, we also knew that vulnerabilities could exist in both the third-party platforms we use and the code derived from the library that we use for integration," said Mark Rampton, the bank's head of cybersecurity.

There were. "We quickly identified instances of Log4j code present in our third-party integrations that had been superseded by other logging frameworks," he said. At the same time, the bank tasked its security operations center (SOC) with analyzing hundreds of thousands of events to see whether Starling was being targeted by attackers. It was not, but they are keeping an eye out. "The efforts that are needed are significant, but necessary," said Rampton. "[We took an approach of] 'guilty until proven innocent', as the vulnerability was emerging at such a high rate that we could not make any assumptions," he says.

"I can see where the FTC is coming from," Thornton-Trump said. "They are trying to encourage people to manage vulnerabilities. But it is completely deaf to the real threat that this vulnerability poses to many businesses. They are basically making you press the panic button on something you don't even know whether you have at this point."
