Unless you’ve been living under a rock for the last month, you’ve definitely heard the technology community discussing the log4j vulnerability known as log4shell. If you have been living under a rock, feel free to catch up here. The danger of the vulnerability has been well covered, from the pervasiveness of the library in organizations worldwide to its ease of exploitation. It’s the type of bug whose full ramifications we may not understand for years.

There has been no shortage of hot takes on the issue, most of which surround the question ‘who is at fault?’ Is it the volunteer 16-person logging services team at the Apache Software Foundation? Is it the companies that make millions of dollars using open source code in their software but don’t make financial contributions to the maintenance of those open source components? What about the current lack of federal regulation surrounding the software supply chain?

The answer is probably some level of shared responsibility. Large corporations profiting off software built using open source components should consider making financial contributions to ensure that there is full-time availability to maintain the open source projects they use within their applications. On a regulatory level, this does help bolster the case for making a software bill of materials mandatory. Whether intentional (SolarWinds) or unintentional (Log4j), threats to software supply chain security are a very important issue that should require some kind of federal oversight.

If you know an IT security professional, give them a hug. They have had a very busy month staying on top of this issue.