A critical vulnerability in the open-source Apache Log4j library, which affects countless applications and systems around the world, is hitting like a storm. Cybersecurity teams are restless and scrambling to patch the affected systems and applications.
Patching the vulnerable component in production, as well as deploying a network- or cloud-based Web Application Firewall service, are both forms of mitigation that help to protect.
With a Log4Shell-type vulnerability, security operations teams need to actively collaborate with DevOps teams. A common approach in DevSecOps is to “shift left”, adding security earlier in the development process. With an active threat, however, the issue is in the code and already in production as well, which requires a more comprehensive approach.
The Log4Shell vulnerability is a common type of flaw that could have been identified during development had the code been scanned with the right type of tool. Application Security Testing prevents developers from making the kinds of mistakes that lead to exploitability.
From a DevSecOps standpoint, limiting the risk from Log4Shell and future vulnerabilities like it means knowing what is in your software and having the automation in place to upgrade easily. To gain control and visibility, DevSecOps teams need to integrate development pipelines with tooling that:
- Reports on vulnerable libraries in software
- Provides guidance on how to remediate these issues
- Sets policies to block and alert when someone tries to add vulnerable or high-risk libraries to a project.
Software composition analysis (SCA) is the tool security teams use to understand the open-source components, and often the commercial components too, in your software. It integrates with the CI/CD pipeline, including the source code repository, to block known malicious components, identify vulnerable libraries and how they are used, and recommend and help automate upgrades and patches. Existing tools need to be augmented and operationalized well to continuously monitor for and protect against threats.
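The block-or-alert policy gate that such a pipeline integration enforces, as an added example (not ThreatMapper's or any product's code): it reads `mvn dependency:list`-style output, compares each library's version against a policy, and returns a decision the CI job can act on. The policy entries, their `fixed_in` versions and the dependency output are constructed placeholders, not advisory data; take real fixed versions from the library's security advisory.

```python
"""Minimal SCA-style CI gate (added example): flag policy-listed libraries below their fixed version."""
from dataclasses import dataclass

# Constructed policy. The fixed_in versions are PLACEHOLDERS for illustration only;
# real thresholds must come from the library's security advisory.
POLICY = {
    "org.apache.logging.log4j:log4j-core": {"fixed_in": "9.9.9", "action": "block"},
    "com.example:risky-lib": {"fixed_in": "2.0.0", "action": "alert"},
}


@dataclass
class Finding:
    coordinate: str
    version: str
    fixed_in: str
    action: str


def version_key(v):
    """Comparable tuple for '2.14.1' or '2.0-beta9'; a pre-release sorts below its plain release."""
    main, _, pre = v.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in main.split("."))
    return (nums, 0 if pre else 1, pre)


def parse_dependency_list(text):
    """Yield (groupId:artifactId, version) per dependency line; banner/noise lines are skipped.
    Line layout is groupId:artifactId:type[:classifier]:version:scope, so version is second-last."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[INFO]"):
            line = line[len("[INFO]"):].strip()
        fields = line.split(":")
        if len(fields) < 5:
            continue
        yield f"{fields[0]}:{fields[1]}", fields[-2]


def evaluate(dependency_output, policy=POLICY):
    """Return a Finding for every dependency whose version is below the policy's fixed_in."""
    findings = []
    for coordinate, version in parse_dependency_list(dependency_output):
        rule = policy.get(coordinate)
        if rule and version_key(version) < version_key(rule["fixed_in"]):
            findings.append(Finding(coordinate, version, rule["fixed_in"], rule["action"]))
    return findings


def gate_decision(findings):
    """'block' if any blocking finding, 'alert' if only alert-level findings, else 'pass'."""
    actions = {f.action for f in findings}
    return "block" if "block" in actions else "alert" if actions else "pass"


# Constructed sample of `mvn dependency:list` output for a build under review
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    com.example:risky-lib:jar:1.3.0:runtime
[INFO]    com.example:fine-lib:jar:tests:1.0.0:test
"""

if __name__ == "__main__":
    found = evaluate(SAMPLE_OUTPUT)
    for f in found:
        print(f"{f.action.upper()}: {f.coordinate} {f.version} (fixed in {f.fixed_in})")
    print("gate:", gate_decision(found))
```

A pipeline step would exit non-zero on "block" and post a ticket or chat message on "alert", which is the block-and-alert behaviour the list above calls for.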
Tools like ThreatMapper can be used for monitoring and protecting against exploitation of application software vulnerabilities.