OWASP FOUNDATION
The Long-Term Impact of Log4j
Dan Cornell
@danielcornell
VP Product Strategy, Coalfire
OWASP FOUNDATION owasp.org
Bio
• Developer by background
• OWASP Global Membership Committee (long time ago)
• OWASP San Antonio Chapter Co-Lead
• Founder/CTO at Denim Group
• VP Product Strategy, Coalfire
Agenda
• Log4j background
• Short-term impacts
• Predicted medium/long-term impacts
• SBOMs
• Upgrade or remove
• Questionnaires
• Questions
Log4j Background
• Other presenters from today’s event
• Also resources from the folks at Jemurai (slides, video)
• https://jemurai.com/2021/12/15/log4j-security-issue/
Short-Term Impacts
• Christmas: ruined
• This happens in InfoSec every year…
• Lot of scrambling
• What applications do we have using log4j?
• Which of them are exploitable?
• How do we upgrade?
• Wait a minute – what applications do we have – just in general?!
OWASP: Here to Help
• What applications do I have?
• OWASP Amass https://owasp.org/www-project-amass/
• Attack surface detection and management
• Of those applications, which are vulnerable?
• OWASP ZAP https://www.zaproxy.org/
• Web proxy and DAST scanner
• OWASP ZAP and Log4Shell https://www.zaproxy.org/blog/2021-12-10-zap-and-log4shell/
• OWASP ZAP detecting Log4Shell https://www.zaproxy.org/blog/2021-12-14-log4shell-detection-with-zap/
Predicted Medium/Long-Term Impacts
• Thesis: The Log4j vulnerabilities will further accelerate some previously-emerging trends in vendor security management
• SBOMs
• Upgrade or remove
• Questionnaires
• See this blog post for more info:
• https://www.coalfire.com/the-coalfire-blog/the-long-term-impact-of-log4j
SBOMs – Literally the Least We Can Do
• SBOM = Software Bill of Materials
• What is included with this software I am deploying?
• Being able to articulate what is in software you have people deploy is Literally The Least We Can Do
SBOMs – Literally the Least We Can Do
• We have seen this from sophisticated shops for a couple years
• Usually a list of open-source components and versions in an Excel sheet
• Easy to generate – IF you are running an SCA tool or other utilities
• Biden Executive Order on Improving the Nation’s Cybersecurity also mentions SBOMs
• https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
SBOMs – Literally the Least We Can Do
• Van Halen Concert Rider: No Brown M&Ms
• https://www.entrepreneur.com/article/232420
• Why?
• When you’re a rock star you can do crazy stuff? Maybe, but…
• If nobody read the contract rider close enough to know to remove brown M&Ms, what else did they forget/ignore?
• So what about vendors who can’t/won’t produce SBOMs?
• What else is all %$&^’d up?
SBOMs for Software Producers
• Expect increasing requests for SBOMs
• Expect increasing scrutiny on the contents of SBOMs
• Augment your tooling and development practices accordingly
SBOMs for Software Consumers
• Start asking for SBOMs
• You got a bunch of SBOMs – now what?
• Need to deploy tooling to manage them and monitor their status
• Need to put practices in place to deal with alerts
OWASP: Here to Help
• CycloneDX https://cyclonedx.org/
• Standardized data format for SBOMs seeing great adoption
• OWASP DependencyTrack https://owasp.org/www-project-dependency-track/
• Platform for managing SBOMs across your application portfolio
No Risk Assessments – Upgrade or Remove
• SCA tools have traditionally only flagged the presence of vulnerable versions of components
• Flags a lot of non-issues, can be very disruptive
• SCA tool augmented to characterize the usage of vulnerable components
• Great because this helps to better prioritize upgrades
• Expect software consumers to not care
• “Get to a known non-vulnerable version or remove the component”
“No Risk Assessments” for Software Producers
• Prepare to come armed with better data on exploitability
• “Trust us” will be a less compelling argument
• Evaluate how you handle technical debt from open-source components
• Incredible opportunities for automation
• Some SCA vendors are providing automated “patches”
• Your CI/CD pipeline should be able to validate builds
• Fix stuff in the background until something breaks – only focus on the hard stuff
“No Risk Assessments” for Software Consumers
• Be realistic, consistent, and clear about what you require
• (But if everyone is a jerk then the industry will advance faster)
OWASP: Here to Help
• Using Vulnerability Exploitability eXchange (VEX) with CycloneDX
• https://cyclonedx.org/capabilities/vex/
• Purpose of VEX: Do the included vulnerable components actually expose the software to exploitation?
• More info on VEX https://blog.adolus.com/what-is-vex-and-what-does-it-have-to-do-with-sboms
• Good luck!
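As an added illustration tying the SBOM tooling and VEX slides together (this is not the deck’s code and not a CycloneDX or Dependency-Track API), the Python below reads a constructed CycloneDX 1.4 SBOM that carries an embedded VEX analysis, applies a constructed “known non-vulnerable version” policy, and shows the difference between honoring the producer’s `not_affected` claim and the “upgrade or remove” stance consumers are predicted to take. The SBOM contents, version numbers, bom-refs and the vulnerability id are placeholders.

```python
import json
import re

# Constructed CycloneDX 1.4 SBOM with an embedded VEX analysis (not from the deck);
# versions, bom-refs and the vulnerability id are placeholders.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "bom-ref": "log4j-core", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0.0?type=jar"},
    {"type": "library", "bom-ref": "commons-text", "purl": "pkg:maven/org.apache.commons/commons-text@1.9"}
  ],
  "vulnerabilities": [{"id": "CVE-YYYY-NNNNN", "affects": [{"ref": "log4j-core"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}}]
}"""

# Constructed policy: purl without version -> minimum acceptable ("known non-vulnerable") version.
POLICY = {"pkg:maven/org.apache.logging.log4j/log4j-core": "2.1.0"}
# CycloneDX analysis states asserting that a finding does not expose the software.
VEX_CLEARED = {"not_affected", "false_positive"}

def parse_purl(purl):
    """Split a purl into (package, version); qualifiers (?..) and subpath (#..) are dropped."""
    base = re.split(r"[?#]", purl, maxsplit=1)[0]
    package, sep, version = base.rpartition("@")
    return (package, version) if sep else (base, "")

def version_tuple(version):
    """Comparison key from the leading digits of each dotted part ('1.2.3' -> (1, 2, 3))."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", p)) else 0 for p in version.split("."))

def vex_cleared_refs(sbom):
    """bom-refs for which every VEX statement carries a cleared state."""
    cleared, still_open = set(), set()
    for vuln in sbom.get("vulnerabilities", []):
        bucket = cleared if vuln.get("analysis", {}).get("state") in VEX_CLEARED else still_open
        bucket.update(a["ref"] for a in vuln.get("affects", []))
    return cleared - still_open

def evaluate(sbom_json, policy, honor_vex):
    """Components below the policy minimum as (bom-ref, version).
    honor_vex=False is the consumer stance from the deck: known-good version or remove it."""
    sbom = json.loads(sbom_json)
    cleared = vex_cleared_refs(sbom) if honor_vex else set()
    hits = []
    for comp in sbom.get("components", []):
        package, version = parse_purl(comp.get("purl", ""))
        minimum = policy.get(package)
        if minimum and comp.get("bom-ref") not in cleared and version_tuple(version) < version_tuple(minimum):
            hits.append((comp["bom-ref"], version))
    return hits
```

With `honor_vex=True` the producer’s `code_not_reachable` justification suppresses the log4j-core finding; with `honor_vex=False` the same component is flagged for upgrade or removal regardless of the claim.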
MOAR Bigger Questionnaires!
• Vendor security management has been a thing for some time
• With questionnaires being the primary tool of the trade
• Questionnaires used for vendor security management are going to get ROUGH
• Greater scope – more topic areas including application security practices
• Greater depth – more invasive and specific questions
Questionnaires for Software Producers
• Build a library of answers that can be reused and repurposed
• Have a regular cadence of updating and maintaining
• Remember: “Business lying is fraud”
Questionnaires for Software Consumers
• Rely on standardization wherever possible
• Your organization is not a special snowflake
• Makes the process more efficient all-around
• Be clear on your criteria and decision-making process
• What is required and what is nice-to-do for different types of software?
• If everything is “most important” then nothing is important and you will get data that is not helpful in evaluating risk
OWASP: Here to Help
• OWASP SAMM – Software Assurance Maturity Model
• https://owasp.org/www-project-samm/
• How mature are application security practices for a product team?
• OWASP ASVS – Application Security Verification Standard
• https://owasp.org/www-project-application-security-verification-standard/
• What level of security inspection has been performed on a release of a software application and what vulnerabilities were identified?
Other Resources: Software Supply Chain
• BlackHat CISO Forum 2021
• Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security
• Conference slides https://www.slideshare.net/denimgroup/threat-modeling-the-cicd-pipeline-to-improve-software-supply-chain-security-blackhat-ciso-summit-2021
• “Raw” slides: https://www.slideshare.net/denimgroup/threat-modeling-the-cicd-pipeline-to-improve-software-supply-chain-security-raw-slides
• RSA Security
• Coming up in June
• Specific agenda TBD https://www.rsaconference.com/experts/Dan%20Cornell
Questions
Dan Cornell
daniel.cornell@coalfire.com
@danielcornell