December 21, 2021 01:37 pm GMT

What I Learned About the Log4j Vulnerability

I was excited to join Lacework for many reasons, but one of the most important was that it provided me with an opportunity to teach developers about security. Developers complete many different courses and training to prepare them for their careers, but security is often an afterthought. There is a subset of us writing lines and lines of code each day, without the background knowledge to ensure that code is secure.

You've likely heard the Log4j vulnerability mentioned over the past few days, or seen the memes floating around the internet, and if you're like me, or not a Java dev, you may be wondering what it is and why so many people are concerned about it. Distinguished Cloud Strategist Mark Nunnikhoven broke it down in an easy-to-understand 4-minute video, which helped bring things into perspective. Log4j is an open-source library that developers use to help figure out what's going on with their applications that are written in the Java programming language. You're hearing about it now because there was a serious security issue: attackers could easily use one of the library's features to run their code on your systems, and those attackers want to do that to profit from your resources and data. I've heard so much information about this over the past few days. To narrow it down for you, here are the things that I think are most important for developers to know:

  1. You're likely only affected if your projects are written in Java.
  2. If you use Java, you should go through your GitHub repositories and check to see if they include Log4j.
  3. Use an open source vulnerability scanning tool to figure out if specific systems are affected. JFrog released a tool that can help you determine if your code includes Log4j and a script that helps you find where Log4j is within your code.
  4. It's important to understand why this vulnerability is a big deal. The attack is so damaging because it's constantly changing; it's not a one-time thing. Even when you think you've resolved it, there are updates to the software and therefore more vulnerabilities and attacks.
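As an added illustration of steps 2 and 3 (example code written for this page, not the post's or JFrog's tooling), the script below checks a Maven `pom.xml` for declared `log4j-core` dependencies and inspects a jar by name and contents, including whether it still ships the class that implements the JNDI lookup feature. The minimum acceptable version is an assumed placeholder, and the sample `pom.xml` and jar are constructed in memory for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Assumed minimum acceptable log4j-core version: a placeholder, not from the post.
MIN_SAFE_VERSION = (2, 17, 1)  # confirm against the current Apache advisory
JAR_NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # JNDI lookup feature

def is_vulnerable(version):
    """True/False for a numeric version; None for e.g. a Maven ${property}."""
    if version and re.fullmatch(r"\d+(\.\d+)*", version):
        return tuple(int(p) for p in version.split(".")) < MIN_SAFE_VERSION
    return None

def check_pom(xml_text, path="pom.xml"):
    """Report every log4j-core dependency declared in a pom.xml."""
    local = lambda tag: tag.rsplit("}", 1)[-1]  # drop the Maven XML namespace
    out = []
    for dep in ET.fromstring(xml_text).iter():
        if local(dep.tag) != "dependency":
            continue
        f = {local(c.tag): (c.text or "").strip() for c in dep}
        if f.get("artifactId") == "log4j-core":
            out.append({"path": path, "version": f.get("version"),
                        "vulnerable": is_vulnerable(f.get("version"))})
    return out

def check_jar(name, data):
    """Inspect a jar by filename and content (bytes); None if not log4j-core."""
    m = JAR_NAME_RE.search(name)
    if not m:
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        jndi = JNDI_CLASS in z.namelist()
    return {"path": name, "version": m.group(1),
            "vulnerable": is_vulnerable(m.group(1)), "jndi_lookup": jndi}

# Constructed sample inputs (not real project files) used by the checks above.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
<dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId>
<version>2.14.1</version></dependency>
<dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId>
<version>${log4j.version}</version></dependency></dependencies></project>"""

def sample_jar(version, with_jndi):  # builds a tiny fake log4j-core jar in memory
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if with_jndi:
            z.writestr(JNDI_CLASS, b"")
    return "lib/log4j-core-%s.jar" % version, buf.getvalue()
```

A version given as a Maven property resolves to `None` rather than a verdict, so those entries still need a look at the parent POM or the resolved dependency tree.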

We know what it takes to maintain software, especially during a vulnerability. Our team believes in the power and benefits of open-source software, and we recently donated to the Log4j project committers and the Apache Foundation to support those maintainers working tirelessly behind the scenes. Hopefully this additional backing, along with the support of other developers and companies who are committed to finding a resolution, will help us reach the end of this challenge sooner rather than later.

If you're interested in learning more about the Log4j vulnerability, this post about the human toll of Log4j maintenance provides a helpful overview and timeline of what's occurred over the past few days.

Join Lacework's DevRel today as we host a Log4j Vulnerability AMA at 10am PT


Original Link: https://dev.to/lacework/what-i-learned-about-the-log4j-vulnerability-17l4
