Push to Explain What Software Contains Gains Steam After Log4j Flaw

  • Jeffery Williams
  • January 26, 2022

Explaining software features is important, and in some cases logs are not enough. This has been the case with Log4j, which was recently patched to include a tool for developers to explain what each log contains. While it’s still early days, companies like IBM might be pushing this concept forward by using their own system as an example of how other systems work.

A new tool called “Push to Explain” has been released on GitHub. The tool is designed for software developers who want to explain what their software does in a more accessible way.

Officials and researchers believe companies need to know what’s inside their equipment to protect it from hackers and avoid the sort of turmoil seen at the end of 2021 as a result of a weakness in the free, widely used Log4j software.

The early December disclosure of the weakness, which enables hackers to easily penetrate computers, caused corporations to race to upgrade their systems and avert attacks. Many security teams first had to determine whether their software used Log4j, an open-source tool for recording user activity so it can be reviewed later. Some firms are still looking for the weakness in their software.

“It’s frequently difficult to detect because it’s not as straightforward as running a vulnerability scanner or verifying a product version number,” said Jeff Macko, a senior director in the cyber risk division of consulting company Kroll Holdings Inc. To determine if Log4j or other susceptible open-source components are present, special software analysis techniques are often necessary.

Mr. Macko expects to be dealing with Log4j issues for the next three to five years.

This lack of visibility into the inner workings of corporate software has reignited interest in an old idea: compiling a comprehensive list of what’s within software packages, including whether open-source components were employed during development. While such components are widely utilized, open-source projects are sometimes maintained by a small group of volunteers and are seldom reviewed by security professionals, leaving a company’s systems vulnerable to attack.

The US Cybersecurity and Infrastructure Security Agency has encouraged the creation of such an inventory, known as a software bill of materials, or SBOM, as a method to reduce the time it takes to react to emerging vulnerabilities. In accordance with President Biden’s May 2021 executive order on cybersecurity, the Commerce Department is also a supporter, creating instructions on how to create such an inventory.

Jen Easterly is the director of CISA.

Michael Brochstein/Zuma Press

The Log4j vulnerability “underscores the need for creating software securely from the outset and more widespread usage of Software Bill of Materials,” CISA Director Jen Easterly said in a statement last month.

It may be tough to create an SBOM that covers all of a company’s technologies. Large enterprises, such as banks, may have hundreds of legacy apps, making it difficult to search through each one for open-source components.

“To be honest, legacy software without an SBOM is like a 1920s can of food without an ingredient label. Consume at your own risk,” said Sounil Yu, the chief information security officer of JupiterOne Inc., a cybersecurity firm located in Morrisville, N.C.

Companies that can supply SBOMs, according to Mr. Yu, who was formerly the top security scientist at Bank of America Corp., “show a sophisticated software-development process.”

Client security teams are unlikely to tolerate extended delays for vulnerability notices from their suppliers while they figure out what’s within their products, he added, so software vendors are going to face tremendous pressure to issue SBOMs. In the case of Log4j, IT companies scrambled to provide fixes and alert customers about the weakness in their own products.

According to Tim Mackey, chief security strategist at Synopsys Inc., a Mountain View, Calif.-based software-testing business, companies have two main choices for detecting whether the software they employ contains open-source components. If the source code is accessible, it can be compared against the source of common open-source libraries. Alternatively, the compiled program can be decomposed into its components through binary analysis, although the results may not be as clear as those obtained from source code.
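As an added example of the binary-analysis route Mr. Mackey describes (this is not code from the article or from any firm it quotes), the script below inventories a Java archive by reading the Maven coordinates embedded in it, descends into nested jars, and renders the result as a small SBOM-style document. The sample input is constructed in-line: an application jar that bundles a log4j-core jar inside it, which is exactly the situation where checking the product’s own version number says nothing about the library underneath.

```python
import io
import json
import zipfile

# Added example, not the article's or any vendor's code: a minimal SBOM-style
# inventory of a jar that also descends into nested jars (shaded/fat jars, WARs).
POM_PREFIX = "META-INF/maven/"

def parse_pom_properties(text):
    """Parse the key=value lines of a Maven pom.properties file into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def inventory_jar(data, path="root.jar", depth=0, max_depth=8):
    """Return components {group, artifact, version, path} found in jar bytes `data`."""
    found = []
    if depth > max_depth:  # guard against pathological nesting
        return found
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith(POM_PREFIX) and name.endswith("/pom.properties"):
                p = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                found.append({"group": p.get("groupId", "?"), "artifact": p.get("artifactId", "?"),
                              "version": p.get("version", "?"), "path": f"{path}!/{name}"})
            elif name.endswith((".jar", ".war", ".ear")):  # recurse into bundled archives
                found.extend(inventory_jar(zf.read(name), f"{path}!/{name}", depth + 1, max_depth))
    return found

def to_sbom(findings):
    """Render findings as a small SBOM-like document with Package URLs (purl)."""
    return {"components": [dict(f, purl=f"pkg:maven/{f['group']}/{f['artifact']}@{f['version']}")
                           for f in findings]}

def build_sample_jar():
    """Constructed sample input: an app jar bundling log4j-core inside a nested jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                   "#Generated by Maven\ngroupId=org.apache.logging.log4j\n"
                   "artifactId=log4j-core\nversion=2.14.1\n")  # constructed sample version
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("META-INF/maven/com.example/app/pom.properties",
                   "groupId=com.example\nartifactId=app\nversion=1.0\n")
        z.writestr("lib/logging-bundle.jar", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    print(json.dumps(to_sbom(inventory_jar(build_sample_jar())), indent=2))
```

Real inventories also need to cover archives with no pom.properties (hash-matching class files against a known-component database), which is where the source-versus-binary gap Mr. Mackey mentions shows up.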

Still, customized software initiatives produced by teams outside a company’s technology division, according to Mr. Mackey, might make it more difficult to create complete SBOMs since they may not go through the regular checks and balances or even be known to technology workers.

Mr. Macko of Kroll cautioned that component inventories would not be able to compensate for intrinsically inadequate security. Implementing network security that monitors unusual application activity and adhering to basic cybersecurity hygiene can help reduce the effect of attacks.

“It’s excruciating that we have to learn our lessons by first receiving a bloody nose,” he remarked.

James Rundle can be reached at [email protected]

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.
