<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=705633339897683&amp;ev=PageView&amp;noscript=1">

How to prepare your organization for the next Log4Shell

Kanish Sharma
by Kanish Sharma
on February 1, 2022

Don't miss the latest from Tidelift

The last few months have seen a flurry of activity around improving cyber security and the overall health and safety of the open source software supply chain. 

Quick recap: Back in May of 2021, the White House released executive order 14028 to improve the nation's cybersecurity—and a few weeks ago, in early January 2022, the FTC published a warning about remediating the zero-day vulnerability in the Log4j open source component

Tidelift_LinkedInAds-01-1This latest FTC warning means that if your organization doesn’t take proactive steps to prepare for future vulnerabilities like the one at the center of Log4Shell, then you risk not only the direct damage to your business from resulting hacks or data breaches, but also direct enforcement actions by the FTC (which in the case of Equifax resulted in a $700m settlement) and other US federal enforcement agencies.

Now, more than ever, organizations need to significantly improve their open source management practices—ensuring visibility for key stakeholders and building a comprehensive risk mitigation plan that helps improve the health and security of the open source software supply chain. 

We were in the midst of creating a detailed guide to managing open source when the Log4Shell news broke. The guide outlines the challenges related to building applications with open source components, and provides a path to effectively managing open source components.

The Log4Shell incident gave us a high profile opportunity to work closely with all of our customers on timely remediation. We received glowing feedback, like this comment from one customer: 

“Our security team is currently assessing the scope of Log4j usage. They were able to use the OSS inventory report as a starting point. We are so fortunate to have a tool like Tidelift that gives us insight into OSS usage across [the org].” 

You can read the complete guide via this link, but here are the bits especially relevant in today’s post-Log4Shell environment:

First, let’s start with a question: how are most organizations managing their open source today? We’ve found organizations fall into one of two buckets:

  1. The move fast, distributed approach: This is good for developers, giving them the freedom to bring in new open source components as needed. While this approach removes development roadblocks, it also creates sprawl and a lack of visibility that hinders speedy remediation of licensing, maintenance, and security issues…like Log4Shell.
  2. The stay safe, centralized approach: This approach minimizes organizational risk as organizations tightly control open source usage. While this leads to enhanced safety, it also hampers development and often impacts the competitive race for delivering products and services. 

Is there an approach to managing open source that provides your organization a way to move fast and stay safe? Yes! Tidelift recommends organizations implement a comprehensive approach to managing open source that allows them to move fast and stay safe when building applications using open source.

Typically organizations implementing this approach move through four phases, getting more and more sophisticated in their management practices over time:

  1. Phase 1: Understand. Organizations should begin by getting better visibility into the open source components already in use.
  2. Phase 2: Design. Next, organizations should define centralized standards and policies for security, maintenance, and licensing for open source. 
  3. Phase 3: Build. At this stage, organizations can start paying down technical debt by eliminating open source components that do not align with the standards and policies that have been implemented and start proactively pre-vetting and approving new open source components based on their standards and policies. 
  4. Phase 4: Transform. Finally, the organization is able to manage open source at scale with all development teams aligning their applications to approved repositories and centrally managing and vetting requests for new components. 

The guide provides additional details about how to effectively manage open source, including how Tidelift can help your organization through the process. You can read the complete guide here.

Want more resources on Log4Shell? You can check these out below:

New call-to-action