Log4j highlights continued cyber risk of free and open source software: Moody’s


Diving Brief:

  • Security vulnerabilities in free and open source software (FOSS) will be a recurring source of cyber risk, Moody’s Investors Service find. It could take three to five years for organizations to fully resolve issues related to the Log4j vulnerability.
  • Some industries vary in their ability to respond to vulnerabilities, according to 2021 data from BitSight, a Moody’s cyber issues partner. The telecom industry lags other industries, remediating only 29% of critical vulnerabilities in 90 days. The legal sector, with the fastest response time, fixed 68% of critical vulnerabilities in the same time frame.
  • Using FOSS can save organizations a lot of time and money. But issues remain regarding the lack of financial support and, due to the voluntary participation of many contributors, developers are experiencing high levels of burnout.

Overview of the dive:

Two months after the initial disclosure of the Log4j vulnerability, businesses nationwide are still grappling with long-term cybersecurity issues.

Open source projects are essential components of the software that large industries use every day, according to Leroy Terrelonge, vice president and senior analyst of the cyber risk group at Moody’s.

“It’s a very big weakness in our current system,” Terrelonge said. “That only the largest and best-resourced organizations can afford to look into code.”

Open source flaws may persist. Moody’s noted a case in January where researchers discovered a 12-year-old vulnerability in devices running Linux.

The Biden administration has worked with private industry to secure the software supply chain. National Institute of Standards and Technology unveiled guidelines this month outlining a process for software producers to certify the use of secure software development practices to help strengthen the supply chain.

Experts call for additional investments in open source to help secure the software supply chain. Measures such as a software bill of materials could help the industry discover vulnerabilities faster, though it won’t prevent them, said David Nalley, president of the Apache Software Foundation, who testified before a panel. Senate Committee this week.

While open source helps organizations save significant time and effort on development, security issues need to be considered, said Sandy Carielli, principal analyst at Forrester.

“However, the mistake is to assume that you can grab an open-source library and never look at it or update it again,” Carielli said over email. “Organizations need to improve the management of their open source – understand where it’s being used and automate updates so that when something like Log4j happens, it’s a dot on the radar and it’s can be corrected with proven upgrade procedures.”

The Moody’s report follows a Fitch January Report warning of increased cyber risk from Log4j for public finance entities, including local governments, small utilities and critical infrastructure providers.


Comments are closed.