Open Source Vulnerability Leaves Organisations Open To Hackers
NCSC & Apache Foundation

Open source software has plenty of benefits, but without software maintenance and support contracts the risks and costs can build up quickly, as the current Log4J vulnerability shows, writes Envitia's CTO, Richard Griffith.

The Apache Log4J vulnerability is causing havoc right now for many in the technology sector. Log4J is a widely used open-source Java library built into millions of corporate products and solutions across the globe, so tech companies such as Amazon, Microsoft and IBM have been frantically issuing patches and devising workarounds with their customers.

Apache Log4J is an open source foundation component: a logging library that helps software developers diagnose what an application is doing. It is something an end user would never know was in their software, but without it many a developer would be left helpless.

Open-source components like Log4J allow software developers to reuse existing solutions rather than reinvent the wheel. They are designed to be reused, shared and modified quickly and easily, which means a more efficient and cost-effective solution for the customer. However, this is also where the danger arises, and it is underappreciated by non-techies. Whilst open source software has many advantages, there are also risks, particularly as the security landscape is constantly evolving and software never stands still.

These risks are mitigated through support and maintenance contracts, so that the quality of the software remains high and it is well maintained, kept up to date and current. All too often it is easy to write off support as an insurance policy that is not needed while the software does what is needed today. We all know there is always pressure to reduce overall project costs. However, this particular vulnerability has shown that software can become an issue overnight, and an expensive one at that. No one wants insurance until they need it.

The digital world is full of digital miscreants who want to exploit any vulnerability for their own financial gain. In an alert issued just two days after the Log4J vulnerabilities were disclosed, the National Cyber Security Centre (NCSC) stated that it was aware of exploitation attempts globally, including in the UK, and these attackers move faster than most organisations can react.

There are going to be repercussions the world over from the vulnerabilities that Log4J has exposed, and for those without support agreements there are going to be some costly decisions to make.
