Four Smart Strategies to Combat the Log4j Security Vulnerability

Government agencies have been using open source code as a cost-effective solution for solving complex problems. NASA and GSA have used open source code to better train their IT employees. And the U.S. Army have used open source code to better detect and understand cyber attacks.

However, the National Institute of Standards and Technology (NIST) recently identified that the open source logging software Log4j has critical vulnerabilities in its application security. Once the gold standard of loggers, Log4j has created a huge potential security threat for the public sector. Microsoft reported that they found evidence of the Log4j flaw being exploited by threat actor groups in China, Iran, North Korea, and Turkey.

“This vulnerability is one of the most serious that I’ve seen in my entire career, if not the most serious,” said Jen Easterly, Director of the US Cybersecurity and Infrastructure Security Agency (CISA), expressing her concerns over the Log4j vulnerability. “We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damaging incidents.”

Given the seriousness of the Log4j vulnerability threat, there are four steps agencies can take to secure their application code and protect data from exploitation.

1. Make a List and Check it Twice
Create a list of applications you develop and a list of applications you buy. Then assess whether the applications are using the vulnerable version of Log4j. Consider breaking those lists down into sub lists to make it easier to scan, verify, and remediate. CISA has released a Log4j scanner to help detect whether applications are running vulnerable versions of Log4j.

2. Schedule Reoccurring Maintenance Protocols
Perform routine maintenance on applications that contain open source libraires. Utilize Software Composition Analysis (SCA) to document, scan, and update vulnerable libraries to protect apps from any potential security threats. Follow CISA Mitigation Guidance while confirming all vulnerable versions of Log4j in use have been updated.

3. Don’t Procrastinate Updates
Create a software bill of materials and patch at-risk assets as soon as updates become available. Automating library testing allows for quick upgrades. The longer you wait to patch potentially vulnerable assets, the more the agency is at risk.

4. Create a Crisis Response Plan
Don’t wait until a crisis happens to have a plan for how to respond. Application security expert Peter Chestna, Checkmarx’s CISO of North America, recommends training teams on how to proactively respond to security incidents like Log4j. One way agencies can do this is through tabletop exercises that give a security incident scenario to the IT team. These types of exercises develop the critical thinking necessary for crisis response. Chestna recommends that if agencies don’t have a strategy for how to quickly respond, then “they’re taking a risk that this amount of time is sufficient to react in a similar crisis.”

Threat vectors like the Log4j vulnerability can introduce uncertainty when it comes to using open source in government applications. However, open source libraries can be a valuable resource for government agencies. There is inherent risk in everything, but there are always smart strategies that will reduce and possibly even eliminate that risk by conducting proper research, training, and security maintenance.

Learn more about how to prepare your agency for security vulnerabilities like Log4J here.