badcam.blogg.se

Lansweeper log4j2

The remote code execution (RCE) vulnerability in Log4j could enable an attacker to remotely access and control devices. None of this is to minimize how bad the situation is for security teams and how much worse things could get in the event of an exploit. “But five years ago, it would have been a lot worse.”

‘Long tail’ vulnerability

Regardless, “we’ll be seeing this vulnerability for the rest of our careers in all the nooks and crannies of our IT footprint,” Dabirsiaghi said. It’s not even the default library in some major frameworks anymore.” “For a long time, the only thing we used was Log4j. “There’s more heterogeneity in the Java logging space than there was for a long time,” said Arshan Dabirsiaghi, cofounder and chief scientist at Contrast Security, in an email. There does appear to be less reliance on the Log4j Java library now than in the past, as well. So has the use of detection and response capabilities, which could be crucial for uncovering threats in a situation like this. On top of that, automation technologies for scanning open source code, such as software composition analysis (SCA), have found growing adoption in recent years. “What’s really happening is, the world’s waking up.”

Technological factors

And even if they don’t understand it completely, they’re reaching out to someone in technical leadership and saying, ‘I need to understand this better,'” he said. “For me, cybersecurity is finally at a point where the boardroom gets it.

The heightened awareness around cybersecurity has also led to greater buy-in at the corporate leadership level, including in the boardroom, which makes a difference too, Klein said. This one appears to have happened within days.” “Oftentimes, zero day reports can take months to come to fruition from report to release. What we’re seeing is a better situation where the world is finding bug bounties useful, finding vulnerabilities, doing proof of concepts … I’d argue that this is a great example of 2021.” Crucially, the Apache Log4j team “worked overnight in a nearly unprecedented way to understand and turn around a fix on this quickly,” Fox said. “In the past, you literally had zero days that were two years long,” Klein told VentureBeat.









