The last few months have seen a flurry of activity around improving cyber security and the overall health and safety of the open source software supply chain.
Quick recap: Back in May of 2021, the White House released executive order 14028 to improve the nation's cybersecurity—and a few weeks ago, in early January 2022, the FTC published a warning about remediating the zero-day vulnerability in the Log4j open source component.
This latest FTC warning means that if your organization doesn’t take proactive steps to prepare for future vulnerabilities like the one at the center of Log4Shell, then you risk not only the direct damage to your business from resulting hacks or data breaches, but also direct enforcement actions by the FTC (which in the case of Equifax resulted in a $700m settlement) and other US federal enforcement agencies.
Now, more than ever, organizations need to significantly improve their open source management practices—ensuring visibility for key stakeholders and building a comprehensive risk mitigation plan that helps improve the health and security of the open source software supply chain.
We were in the midst of creating a detailed guide to managing open source when the Log4Shell news broke. The guide outlines the challenges related to building applications with open source components, and provides a path to effectively managing open source components.
The Log4Shell incident gave us a high profile opportunity to work closely with all of our customers on timely remediation. We received glowing feedback, like this comment from one customer:
“Our security team is currently assessing the scope of Log4j usage. They were able to use the OSS inventory report as a starting point. We are so fortunate to have a tool like Tidelift that gives us insight into OSS usage across [the org].”
You can read the complete guide via this link, but here are the bits especially relevant in today’s post-Log4Shell environment:
First, let’s start with a question: how are most organizations managing their open source today? We’ve found organizations fall into one of two buckets:
- The move fast, distributed approach: This is good for developers, giving them the freedom to bring in new open source components as needed. While this approach removes development roadblocks, it also creates sprawl and a lack of visibility that hinders speedy remediation of licensing, maintenance, and security issues…like Log4Shell.
- The stay safe, centralized approach: This approach minimizes organizational risk as organizations tightly control open source usage. While this leads to enhanced safety, it also hampers development and often impacts the competitive race for delivering products and services.
Is there an approach to managing open source that provides your organization a way to move fast and stay safe? Yes! Tidelift recommends organizations implement a comprehensive approach to managing open source that allows them to move fast and stay safe when building applications using open source.
Typically organizations implementing this approach move through four phases, getting more and more sophisticated in their management practices over time:
- Phase 1: Understand. Organizations should begin by getting better visibility into the open source components already in use.
- Phase 2: Design. Next, organizations should define centralized standards and policies for security, maintenance, and licensing for open source.
- Phase 3: Build. At this stage, organizations can start paying down technical debt by eliminating open source components that do not align with the standards and policies that have been implemented and start proactively pre-vetting and approving new open source components based on their standards and policies.
- Phase 4: Transform. Finally, the organization is able to manage open source at scale with all development teams aligning their applications to approved repositories and centrally managing and vetting requests for new components.
The guide provides additional details about how to effectively manage open source, including how Tidelift can help your organization through the process. You can read the complete guide here.
Want more resources on Log4Shell? You can check these out below:
- Jeremy Katz details the situation in this Tidelift advisory, sharing what you need to know and do if your organization depends on Log4j. Spoiler alert: if you’re building code with Java, your organization depends on Log4j.
- Watch this 20-minute on-demand webinar, where Mark explains what you need to know about the Log4j vulnerability—and how Tidelift can help.
- Or check out this longer, more detailed webinar where Mark compares the infamous Heartbleed vulnerability to Log4Shell.
- In this Tidelift briefing, Mark breaks down the situation step-by-step.
- Tidelift co-founder Luis Villa discusses how the whole Log4Shell situation really highlights the need to proactively work with maintainers at scale.
- Forrester analyst Sandi Carielli and team explain how organizations mitigate future vulnerabilities using software bill of materials and open source management strategies.
- Finally, if you want to check if your applications contain Log4j, you can generate a free software bill of materials with the Tidelift Subscription free trial.