Log4j vulnerability: Why your hot take on it is wrong

2 years ago 371

Commentary: Those searching for a azygous origin for the Log4j vulnerability – whether it's unfastened root is not secure, oregon unfastened root is not sustainable – are getting it wrong. It's a analyzable issue.

security-concept-1.jpg

Image: your/Shutterstock

Excuse maine if I don't privation to perceive your "hot take" connected the Log4j vulnerability. By each means, springiness maine the details of what happened, arsenic good arsenic how it's impacting companies similar mine. Even better, springiness maine penetration into how I tin trial my servers to spot if I'm safe. 

Just don't blare headlines similar "Open root tin beryllium [an] unfastened doorway for hackers," arsenic the Financial Times did. And don't usage the occupation to commencement banging the drum of "open root sustainability" crises. Open root isn't a information problem, and open root sustainability is simply a analyzable issue. Instead, it's clip to recognize, arsenic Matt Klein, laminitis and maintainer of the Envoy unfastened root project, has done, that "All we tin bash is judge the world of bugs/outages, bash the champion that we tin to mitigate, learn, and improve, and hold for the adjacent one." 

SEE: Patch absorption policy (TechRepublic Premium)

Making information a process

I know, I know! That doesn't marque for breathtaking reading. There's nary smoking gun. No intern to blame. It's just…software. And bundle breaks, is buggy, etc.

As Klein stressed

I've avoided a blistery instrumentality connected the log4j concern due to the fact that frankly I'm bushed of tech blistery takes. However, my not blistery instrumentality blistery instrumentality is that bugs happen, immoderate of them precise bad, and they hap for a acceptable of analyzable reasons. Complaining astir the villain of the time ([open source] funding, representation safety, etc.) is simply a reddish herring, and over-focusing connected 1 origin leads to nary existent improvement. We are each quality and juggling a upland of constraints; it's a occurrence that tech works 1% arsenic good arsenic it does." 

But…what astir the information that seemingly the Log4j maintainers whitethorn not beryllium paid to bash that work? That whitethorn oregon whitethorn not beryllium true, but it's besides somewhat immaterial, arsenic Red Hat's Andrew Clay Shafer argued: "[P]aying [open source] maintainers afloat competitory bundle salaries would person a negligible interaction connected preventing log4j similar information issues." On its look this sounds wrong, but see his follow-up: "[H]ow overmuch wealth person banks spent connected 'security' since 2013? [W]hile moving log4j successful prod the full time? [H]ow galore undiscovered exploits are successful prod astatine your slope close now?"

He has a point. A bully one. 

Even the astir afloat funded bundle has bugs, information holes, etc. We tin perfectly bash better, but nary bundle – unfastened root oregon proprietary – is immune from flaws. Sure, it mightiness marque the maintainers consciousness amended to beryllium paid portion they're yelled astatine to "FIX THIS NOW!" but determination are immoderate (like Beka Valentine) who would reason that reducing each unfastened root sustainability to a question of wealth unwittingly takes distant immoderate of its top strength: developer passion. 

SEE: NIST Cybersecurity Framework: A cheat expanse for professionals (free PDF) (TechRepublic)

Indeed, connected this point, Ruby connected Rails laminitis David Heinemeier Hansson declared that "I won't fto you wage maine for my unfastened source." Why? "Open source, arsenic seen done the altruistic lens of the MIT acquisition license, has the powerfulness to interruption america escaped from this overly rational cost-benefit investigation bulls--- that's impoverishing our lives successful truthful galore different ways." In different words, helium wants radical to lend if it gives them joy, and helium doesn't privation to consciousness beholden to bash thing with the task that doesn't besides bring him happiness. Introducing wealth makes unfastened root common, successful his view.

Regardless of whether you agree, and coming backmost to Shafer's point, we won't magically escaped Log4j oregon immoderate unfastened root (or proprietary) bundle of bugs simply by throwing wealth astatine them. That's not the magic of unfastened source. No, security is simply a process successful unfastened source, not thing you get by licensing codification nether an unfastened root license. I tweeted successful December 2020: "Not that unfastened root is inherently much secure, but alternatively it's an inherently amended process for securing code."

By each means, let's guarantee unfastened root contributors are paid (or not, pursuing the reasoning of DHH and Valentine), but let's not observe our silly blistery takes that effort to trim the Log4j occupation to 1 thing. Security is complicated. Software is complicated. But unfastened source, by making the bundle and surrounding processes permeable, accessible, improves information (or can), alternatively than degrading it.

Disclosure: I enactment for MongoDB, but the views expressed herein are mine.

Cybersecurity Insider Newsletter

Strengthen your organization's IT information defenses by keeping abreast of the latest cybersecurity news, solutions, and champion practices. Delivered Tuesdays and Thursdays

Sign up today

Also spot

Read Entire Article