What do you hope the lasting impact of Log4j will be?
Sort By:
Oldest
SVP in Finance (non-banking)2 years ago
It's an interesting question, because I don't know if you can prevent something like this from happening again.
Secure Facilities Information Technology Manager in Manufacturing2 years ago
This should open our eyes to the many vulnerabilities that are built in to the fragmented world of applications. Director ERP Management in Travel and Hospitality2 years ago
Its a good question given the situation with recent vulnerability found in Apache. The fact is open source software is still used by tons of Admins and organizations. The legacy business applications are running on Apache and not all legacy apps are ready to update to other platforms or updated version of Apache software. Log4j being a logging service for Apache has significant impact on development teams. As a long term impact, I am afraid some of the systems will be left un-patched due to lack of technical resources or limitations of legacy applications.Director in Manufacturing2 years ago
I ran a large application retirement program for years. We were retiring applications as complicated as full ERPs to as small as simple Marketing Websites. The business people never really appreciated the risk of old applications. Not the risk of being unsupported and no way to change them. Not the risk of security vulnerabilities that can no longer be patched on the current version of the system or application. I'm hopeful that as there are more publicized issues with old software, or software that doesn't get patched or upgraded, the hard to measure risk is at least discussed at budgeting meetings more. It takes budget and priority to try and avoid eventual problems. Not every old system is a huge risk, but if you don't have rigor and process around evaluating and continually retiring, the problem grows until it's a crisis. I wonder how many times the budget to avert the Log4j issues were cut, denied, lowered in priority.... until it was a DROP EVERYTHING AND GET ON THIS PROBLEM. IT has always had some "fire fighter" mentality. I myself had part of my career in Operations, and it was very satisfying to solve a crisis and save the day. The difference now is it doesn't end. Your fire fighting team could be working 7x24 and not contain the fire. You really need a robust program and process to continually work the forest of your applications and systems to consolidate and update to reduce your security risks. Fires will still start, but hopefully a lot less, and only an amount you can manage.
Director in Manufacturing2 years ago
#technicaldebt #rootcause
Director of IT in Software2 years ago
We had the SolarWinds and CodeCov breaches before, and with the Log4J vulnerability, the outcome should be a wake-up call to how vital supply chain security and vendor management are. The worst part is that this vulnerability is likely not the last one.Another important take from this is understanding the open-source risk in general. I have heard from far too many people that open-source is natively less risky because the code is visible and openly reviewed. There was the Heartbleed in OpenSSL vulnerability in 2014 and Equinix breach from 2017 with the Apache Struts framework, so the narrative should change.
We need to realize that the internet is just a stack of turtles that are supported by one and a half people in North Dakota, because that's the truth of it. We rely on a lot of different software packages and systems that look a lot like Log4j. So it's not just about this particular piece of code and what it can do. It's about all the other stuff around it. How are we thinking about that from a risk management standpoint? It's an interesting time to be having that conversation because the pandemic has revealed to the average person how supply chains work and what they look like when they’re broken. This is not that different. It's conceptually a bit more abstract for non-technologists to get their head around, but it's quite similar.