Five takeaways from Log4j Vulnerability

Like many of you, our development team is waking up in 2022 to a Log4j hangover. The final weeks of 2021 were full of twists and turns as we worked round the clock to release patches to our customers, who were, rightfully, demanding updates and a speedy remedy. The Cisco ISE team ran this gauntlet, and thousands of systems have been patched to date. We finally have some time to breathe and reflect on the experience. Below are our top 5 takeaways:

Open source is terrifying and amazing

The speed at which developers can deliver functionality is accelerating. This is due to higher-level programming languages and the ability to find open-source libraries to handle the context surrounding core application functionality. If something is deemed to be context, chances are it is a solved problem and there is an open-source library out there somewhere to deliver the goods. However, we need to consider that the number of developers contributing to our product is expanding continuously. Ponder this too deeply and you'll suffer sleepless nights.

Development hygiene matters

The antidote to this ever-expanding threat surface is hygiene in your development processes. Start by using only a single version of each open-source library embedded in your product, which removes the multiplier effect many teams faced with Log4j. Want to understand how important this is? Read what the British code review of Huawei had to say on this topic:

Beyond standardizing on a single instance and version of each library, the next part of your hygiene routine should include regular uplift and obsessive monitoring of CVE feeds for new vulnerabilities in your product.

Ready, Set, Go!

Development teams often talk about agility, but the intensity and pressure of getting a Log4j patch released really tested it. Run fire drills with your team to determine how many hours your build, test and promotion/release processes take; you may be surprised by what you find. Many teams struggled, and some are still struggling a month later, to get patches out to their loyal customers. If you want to perform well in these races against the clock, you need to train for them.

Painless patches are essential

One aspect of product satisfaction that can't be overlooked is the time and effort required to apply patches. Many enterprise applications have zero-downtime requirements, making this a bit more complicated than my phone auto-upgrading overnight. However, if there is one certainty about this brave new world of open-source supply chains, it is that patches will become more frequent, so make them as easy as possible.

SBOM is coming

A Software Bill of Materials (SBOM) is a manifest of all the bundled software that suppliers include in their products. You may be surprised to learn that not everyone knows their ingredient list. A complete view takes time, energy and tooling, so get ahead of it! Also, with the recent Executive Order, an SBOM will soon be required for federal procurement:

My prediction is that this quickly spreads to other industries.
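The two hygiene points above, a single version of each library and constant comparison of your ingredient list against vulnerability feeds, both start from the SBOM. Here is an added example, not part of the original post, that reads a constructed CycloneDX-style SBOM fragment, flags any library bundled in more than one version (the Log4j multiplier effect) and matches components against a constructed advisory feed; the component list, the advisory id and the fixed_in version are all sample data.

```python
# Added example: minimal SBOM hygiene check. The SBOM fragment and the
# advisory feed are constructed sample data, not a real product or real CVE.
import json
from collections import defaultdict

SBOM_JSON = """
{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
  {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.11.2"},
  {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",  "version": "2.14.1"},
  {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.0"}
]}
"""

# Constructed advisory record; the id is a placeholder, not a real CVE number.
ADVISORIES = [
    {"id": "CVE-XXXX-PLACEHOLDER", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "fixed_in": "2.15.0"},
]

def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1); non-numeric parts (e.g. '0-beta9') sort lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))

def load_components(sbom_text):
    """Return {(group, name): {versions}} for every library component in the SBOM."""
    versions = defaultdict(set)
    for c in json.loads(sbom_text).get("components", []):
        if c.get("type") == "library":
            versions[(c.get("group", ""), c["name"])].add(c["version"])
    return versions

def find_duplicates(components):
    """Libraries bundled in more than one version: each copy is a separate patch target."""
    return {k: sorted(v) for k, v in components.items() if len(v) > 1}

def find_affected(components, advisories):
    """(advisory id, group, name, version) for every bundled version below fixed_in."""
    hits = []
    for adv in advisories:
        for ver in components.get((adv["group"], adv["name"]), ()):
            if parse_version(ver) < parse_version(adv["fixed_in"]):
                hits.append((adv["id"], adv["group"], adv["name"], ver))
    return sorted(hits)

if __name__ == "__main__":
    comps = load_components(SBOM_JSON)
    print("bundled in multiple versions:", find_duplicates(comps))
    print("affected components:", find_affected(comps, ADVISORIES))
```

Run against a real SBOM export and a real advisory feed, the duplicate report is the list of places a single patch has to be applied more than once.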

So there you have it, the top five things we've learned from Log4j. We're thrilled that our team was well prepared and responded quickly to this one, but these habits need to be practiced daily in our product development team and in any other.



Prakash Sripathy

Ignite the spark : Imagine, Innovate, and Inspire...

3 years

Thanks Chris for articulating this so nicely. I can't agree more. You and your team did a phenomenal job with the patches. BTW, automation of workflow and testing is key too. Thanks again for your leadership, we are indeed ONE great team...

Yuval Shchory

Product Management Executive | Strategic Partnerships & Growth | Fraud Prevention | AI/ML | Cybersecurity | Cloud Security | Identity

3 years

Couldn't write it better, Chris! SBOM BTW helps also with the hygiene part itself, amazing to see sometimes, as you said - that some teams aren't aware of the ingredient list... Loved the "sublime" spank to the competition on the hygiene bit

Arvind Tiwari

Director of Global Cloud Security, Office of the Chief Security Officer, NetApp

3 years

I 100% agree with you Chris. Also, CSPM tools are a big help in such a situation.

Sharon Prober

Principal Engineering Manager at Microsoft

3 years

On the dot on every word

Mark Basinski

Guitarist & Arranger

3 years

Great summary, Chris
