Log4Shell Reinforces Need to Prioritize Software Supply Chain Security

Recently discovered and widely reported, the Log4J vulnerability(Log4Shell) affects millions of applications written in Java. Developers have extensively used Log4J as a logger for debugging, reporting and analytics during code development and execution. The Log4J library is widely used, particularly in environments where Apache components are deployed.

About the Log4J Vulnerability

The Log4J vulnerability also goes by the moniker of Log4Shell. It was reported on December 10, 2021, for Apache’s Log4J Logging Framework. The enumeration CVE-2021-44228 has been assigned in the NVD (national vulnerabilities database). 

To exercise the Log4Shell vulnerability, a threat actor creates a malicious payload as a specific string in code that is logged. This payload can infiltrate a targeted server to install malware or trigger other code previously deployed to execute undetected. Such strings can also be introduced as login parameters or embedded in email. They can then cause the malware to be deployed and propagated. The result can lead to elevation of privileges and many other effects.

According to reports from observers, attackers have already exploited the vulnerability to install block chain crypto mining tools on vulnerable systems, steal system credentials, traverse corporate networks, and exfiltrate data.

A Reminder to Focus on Software Supply Chain Security

A comprehensive software supply chain strategy can include various best of breed application security solutions. The key is determining the risk from vulnerabilities present in code. Here are some steps that organizations can consider as they are building out a security strategy related to their software:

  • Define your organization’s overall risk strategy with links to enterprise risk OKRs
  • Map risk and security considerations to help prioritize software development activities
  • Promote security awareness for AppSec and Development team members with emphasis on secure software development, API Security, and DevSecOps practices.
  • Establish an understanding of risk-based security and how to track risk
  • Enforce security standards for sourced third party and open source software components 

For software supply chain risks specifically related to code development, the software development environment should include:

  • Static and Dynamic Code testing analysis of software under development and deployed through the CI/CD process
  • Software Composition Analysis to identify components that are internally developed versus third-party produced or open source
  • Steps to secure APIs and any integration points between software providers
  • Provisions for a software bill of materials (SBOM) to track direct and indirect references to software components
  • Adopt a risk-based code security platform to prioritize and address code risks in three key areas:
    1. Presence of high risk content in code (secrets in code, PII and non-inclusive language)
    2. Risks due to misconfigurations of Git repositories and infrastructure as code (IaC)
    3. Nonconformance with access and identity governance best practices

BluBracket’s Code Security Solution

BluBracket delivers the ability to augment existing security tools with the most comprehensive and complete platform to manage and mitigate code related risks. BluBracket provides the most effective code security solution to secure developer environments. Developers can identify and mitigate key risks across the entire CI/CD pipeline while maintaining speed and agility. BluBracket’s coverage of risk includes:

Secrets in Code: secrets in code exist as artifacts that an app uses to connect to an external service, account, or application. Secrets used by developers include API keys; encryption keys; OAuth tokens; certificates; and passwords. BluBracket for secrets in code, alerts on them and then provides a means to eliminate the risk. 

Personally Identifiable Information (PII): organizations have various policies governing the use, storage, and disposition of PII. Some examples are social security numbers, credit card numbers, date of birth etc. In certain industries there are strong regulatory mandates with huge penalties for failure to protect this data. BluBracket can block such data from being exposed. 

Infrastructure as Code (IaC): helps with the managing and provisioning of compute infrastructure and cloud services using (software) configuration files. Misconfigurations in IaC scripts can lead to serious disruptions. BluBracket can identify misconfigurations in IaC prior to deployment.

Access and Identity: as code is cloned and proliferated via Git repositories, it becomes difficult to identify the owners of the code, the collaborators, and the interlopers. BluBracket allows developers and AppSec teams to discover who has access to code repositories.

Code Leaks: Developers sometimes unknowingly place company IP at risk when they share code sections or commits on to public Git repositories. BluBracket regularly scans public repositories for code fingerprints that may have leaked into the extended universe. 

Compliance with Git Configuration Rules: Git misconfigurations can result from insecure default configs, incomplete or un-patched applications etc. BluBracket looks across hundreds of software components, libraries, and application frameworks for vulnerable misconfigurations.

Identifying Non-Inclusive Language: In keeping with current times and developer’s desires to further the tech industry to remove insensitive racial or gender bias in words that we use in our code, BluBracket scans to identify such terms and delivers options to remediate.

About BluBracket

BluBracket is the most complete code security solution that enables developers to effectively identify and remediate risks within their software development environment across code repositories, infrastructure as code and cloud environments. With BluBracket, organizations can shift left by enabling developers to address security at the very start of the development pipeline.

Share this post!