Log4j vulnerability: the view from US Cyber Safety Review Board
The US Cyber Safety Review Board (CSRB) has published its "Review of the December 2021 Log4j Event", which makes for an interesting read. The report focuses on Log4Shell and the other vulnerabilities discovered (and exploited) last year in the open-source Log4j library.
Beyond going over the history of one of the most impactful vulnerabilities in recent times, the Board concluded that vulnerable instances of Log4j will remain in systems for many years to come, an "endemic vulnerability", because so many systems depend on the library, often indirectly.
Although government officials and cybersecurity experts usually tend to paint a pessimistic picture of events, it is encouraging to see them conclude that the Log4j event resulted in a lower level of exploitation than the security industry expected and predicted. This suggests that cyber infrastructure is becoming more resilient.
The CSRB report argues that the Log4j event could have been prevented, and it rightly identifies some key problems that hindered defenders, including the fact that there is no comprehensive "customer list" for Log4j (it is a freely downloaded open-source component with no vendor tracking its users), nor even a list of the products in which it is integrated as a subsystem. Organisations therefore had to discover for themselves where the library was present, including copies bundled inside other archives.
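The inventory gap described above (no list of where Log4j is integrated as a subsystem) is what defenders had to close by hand in December 2021, and what the report's later recommendation on identifying software with known vulnerabilities targets. The following is an added example, not code from the CSRB report or from the Log4j project: a small scanner that walks a directory tree, opens every jar/war/ear/zip, recurses into archives nested inside them (the "subsystem" case, e.g. a log4j-core jar inside WEB-INF/lib of a web application), reads the Log4j version from the Maven pom.properties that log4j-core jars carry, and checks for the JndiLookup class whose removal was one of the published mitigations. The version threshold 2.17.1, the last release in the December 2021 series of fixes, is the example's own policy choice; the sample archives built at the bottom are constructed for the demonstration and are not real Log4j builds.

```python
"""Scan a directory tree for Log4j 2.x instances, including jars nested in other archives.

Added example, not part of the CSRB report or the Log4j project.
"""
import io
import os
import re
import zipfile
from dataclasses import dataclass

# Example policy threshold (assumption for this demo): Log4j 2.17.1 closed the
# last of the December 2021 issues, so anything older is flagged for review.
FIXED_VERSION = (2, 17, 1)

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Maven metadata that a log4j-core jar carries; this is where the version is read from.
POM_PROPS_RE = re.compile(
    r"^META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
# Class whose deletion from the jar was one of the published mitigations for Log4Shell.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


@dataclass
class Finding:
    location: str          # outer path plus nested entry names, joined by "!"
    version: str           # as read from pom.properties, or "unknown"
    has_jndi_lookup: bool  # True if JndiLookup.class is still present
    vulnerable: bool       # older than FIXED_VERSION, or version unknown with JndiLookup present


def parse_version(text: str):
    """Parse 'version=2.14.1' (or 'version=2.17') from pom.properties into a tuple."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.MULTILINE)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def scan_archive_bytes(data: bytes, location: str, depth: int = 0):
    """Return Findings for this archive and for every archive nested inside it."""
    findings = []
    if depth > 8:  # guard against pathological nesting / zip bombs
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive after all; nothing to report
    with zf:
        names = zf.namelist()
        pom = next((n for n in names if POM_PROPS_RE.match(n)), None)
        has_jndi = JNDI_LOOKUP in names
        if pom or has_jndi:
            version, ver_tuple = "unknown", None
            if pom:
                ver_tuple = parse_version(zf.read(pom).decode("utf-8", "replace"))
                if ver_tuple:
                    version = ".".join(map(str, ver_tuple))
            # Unknown version but JndiLookup present: treat as vulnerable until proven otherwise.
            vulnerable = ((ver_tuple is None and has_jndi)
                          or (ver_tuple is not None and ver_tuple < FIXED_VERSION))
            findings.append(Finding(location, version, has_jndi, vulnerable))
        # Recurse into nested archives: the "integrated as a subsystem" case.
        for n in names:
            if n.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive_bytes(zf.read(n), f"{location}!{n}", depth + 1))
    return findings


def scan_tree(root: str):
    """Walk a directory tree and scan every archive found in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_SUFFIXES):
                p = os.path.join(dirpath, f)
                with open(p, "rb") as fh:
                    findings.extend(scan_archive_bytes(fh.read(), p))
    return findings


# --- Constructed sample archives so the scanner can run offline (not real Log4j builds) ---
def build_sample_log4j_jar(version: str, with_jndi: bool = True) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                    f"version={version}\ngroupId=org.apache.logging.log4j\n"
                    f"artifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return buf.getvalue()


def build_sample_war(inner_jar: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner_jar)
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
    return buf.getvalue()


if __name__ == "__main__":
    war = build_sample_war(build_sample_log4j_jar("2.14.1"))
    for finding in scan_archive_bytes(war, "app.war"):
        print(finding)
```

Run `scan_tree("/opt")` (or any application root) to get a list of findings; the `location` field uses `!` to show the nesting chain, so a hit reads `app.war!WEB-INF/lib/log4j-core-2.14.1.jar`. Note the deliberate asymmetry: a jar with a known-fixed version is cleared even if JndiLookup.class is present, while a jar with no readable version and JndiLookup.class still inside is flagged, because an unknown is exactly the kind of blind spot the report describes.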
The CSRB makes some interesting recommendations. Beyond the usual ones, such as improving vulnerability management and secure coding practices, the report mentions some possible avenues for future regulation of the software industry, including:
Examine the efficacy of a new mechanism called the Cyber Safety Reporting System (CSRS).
Explore a baseline requirement for software transparency for federal government vendors.
Explore the feasibility of establishing a Software Security Risk Assessment Center of Excellence (SSRACE).
Establish a government-coordinated working group to improve identification of software with known vulnerabilities.
It appears the CSRB is treating software and cyber infrastructure much as the aviation industry is treated (the Board itself is modelled on the National Transportation Safety Board, which investigates aviation accidents), and it is quite possible this will be the road for future regulation.
Read more at Help Net Security.