On Tuesday, Feb. 8, the U.S. Senate Committee on Homeland Security and Governmental Affairs convened a hearing titled “Responding to and Learning from the Log4Shell Vulnerability.” The hearing’s intent was to facilitate discussion of Log4J vulnerability and industry’s response to it, along with the broader topic of software security.
After opening statements from committee chairperson Gary Peters (D-MI) and ranking member Rob Portman (R-OH), four expert witnesses from the private sector made remarks. They were:
- David Nalley (President, Apache Software Foundation
- Brad Arkin (SVP, Chief Security and Trust Officer, Cisco)
- Jen Miller-Osborn (Deputy Director of Threat Intelligence, Palo Alto Networks)
- Trey Herr (Director, Cyber Statecraft Initiative Scowcroft Center for Strategy and Security)
Finally, the hearing concluded with an hour-long Q and A session, where senators asked the expert witnesses a variety of questions about the response to Log4Shell and software security as a whole.
Although the hearing did cover numerous dimensions of software security, this blog will focus on five specific highlights. For more information, you can find a video of the full hearing on the Homeland Security and Governmental Affairs website.
1. Log4J Vulnerability Revelations Come to Light
The U.S. Senate's Log4J vulnerability hearing surfaced several new pieces of information that had not been widely reported.
First, Apache Software Foundation president David Nalley gave a brief overview of how the Log4J feature (released in 2013) that turned into a vulnerability came to exist.
“It was requested by a long-term, well-experienced software developer who was known at Apache,” Nalley said. “The feature was reviewed by a core member of the project management committee and then implemented into the code.”
Expert witnesses were then asked a question that goes to the core of Log4Shell’s impact: Was there evidence that the vulnerability had been exploited prior to the Dec. 9 disclosure — perhaps even dating back to the original 2013 feature release?
Nalley said that he was not aware of any indication that it had. Brad Arkin agreed that the vulnerability had only been exploited recently, though he did report that Cisco’s analysis revealed evidence of an exploit a few days prior to the Dec. 9 disclosure.
“There were some indications of an exploit prior to Dec. 9, but only a week earlier, back to Dec. 2,” Arkin said. “There was no indication that we have of any exploits that went earlier than that.”
Finally, Nalley relayed a less encouraging data point about the use of vulnerable versions of Log4J in the weeks following the Dec. 9 disclosure: As of mid-January, about 30% of Log4J downloads from Maven Central (a popular repository for Java open source components) were of the vulnerable versions. That amounted to about 10,000 downloads of vulnerable versions of Log4J per hour.
2. Open Source Gets an Impassioned Defense
Open source software security has been under the microscope following the Log4Shell exploit, which impacted the open source Log4J library. But, during the hearing, several expert witnesses delivered strong defenses of open source — both the value it delivers to industries far and wide and its security.
Apache Software Foundation president Nalley noted that OSS isn’t just an important part of modern application development — it plays a vital role in fueling global economic growth.
“Open source is not simply a large component of the software industry — it is one of the foundations of the modern global economy,” Nalley said. “Whether they realize it or not, most businesses, individuals, non-profits, or government agencies depend on open source; it is an indispensable part of America’s digital infrastructure.”
Several other expert witnesses argued that viewing Log4Shell through the narrow lens of an open source security problem misses the point.
“Open source is not the problem,” said the Cyber Statecraft Initiative’s Trey Herr. “Software supply chain security issues have bedeviled the cyber policy community for years… In working to improve the security of open source we should not seek to “fix” these (open source) communities, but to become a better partner to them to enable open source developers, maintainers, and consumers to better secure each other.”
Added Cisco’s Arkin: “It is my opinion that open source software did not fail, as some have suggested, and it would be misguided to suggest that the Log4J vulnerability is evidence of a unique flaw or increased risk with open source software. The truth is that all software contains vulnerabilities due to inherent flaws of human judgment in designing, integrating, and writing software. I believe that focusing narrowly on the risks posed by open source software may distract us from other significant areas where we can address security risks inherent in all software.”
3. SBOMs Take Center Stage
Much of the discussion on vulnerability remediation centered around the importance of generating a software bill of materials (SBOM). Senators and expert witnesses pointed to SBOMs as an essential tool to help organizations gain visibility into the composition of their software.
“Tools, like SBOMS, have the potential to help coordinate efforts across the entire ecosystem to make it easier to achieve good outcomes despite the inevitable presence of these vulnerabilities,” said Cisco’s Arkin. “Used correctly, SBOMs can help organizations become more agile. They can highlight the need to use current versions of code and allow us to see the risks we may be carrying with greater clarity. This transparency can facilitate more coordinated ways to collect data and manage vulnerability risks in both proprietary and open source software.”
“For Cisco, the key differentiator (in allowing us to respond quickly) was our improved visibility into the software applications and third-party products that we use as a company.”
Senator Jacky Rosen, a former programmer, added: “I am really excited to hear everybody talking about a software bill of materials. I think this is a critical component to ensuring our future safety. As a former computer programmer, I know from experience software systems do involve complex and sometimes obscure supply chains. As the Log4Shell vulnerability demonstrates, supply chains can provide that point of entry for malicious cyber actors to exploit. To bring transparency to our supply chain and get ahead of the next vulnerability, President Biden’s executive order on improving the nation’s cybersecurity is pushing our federal agencies to adopt a software bill of materials… (SBOMs) can help us react more quickly to new vulnerabilities.”
4. Witnesses Advocate for Defense in Depth
Of course, SBOMs are just one part of a holistic approach to software supply chain security. The expert witnesses also pointed to the importance of tools that automate the identification of software components and support rapid vulnerability remediation (such as software composition analysis).
“SBOMs and other automation tools make it easier and lower the friction for people to have insights into their codebase and what’s happening upstream with the components they rely on,” said Cisco’s Arkin. “This tooling has the potential to take what today requires a lot of human elbow grease and make it an automated process and lower the cost for all involved.
“We strongly recommend the use of tools and technology that allow companies and government agencies to have this kind of visibility into the applications they employ and their maintenance status. “
Witnesses also recommended organizations adopt strategies like DevSecOps and Zero Trust Architecture to account for the realities of today’s threat landscape.
“There’s a need for a shift-left approach (where security testing is conducted earlier in the SDLC) and a shift to Zero Trust Architecture,” said Palo Alto Networks’ Miller-Osborn. “This isn’t solely an open source security problem — this is going to be a software security problem, and no software package, no matter how well-designed, is necessarily going to be perfect.
“We need to shift more to assuming that at any given time, a device on a network could be compromised and then have good deterrents in place with multiple layers of protection so when and if it happens, it doesn’t have an impact on the rest of your network."
5. Witnesses, Senators Call for Increased Government Support
Although large portions of the hearing covered private industry’s response to the Log4J vulnerability, expert witnesses and Senators agreed that the federal government can and should do more to strengthen software security. There was extensive discussion about several strategies — including legislation, increased funding, and programs — that could make a difference.
In their opening statements, Sens. Peters and Portman called for the government to pass new laws, such as the Cyber Incident Reporting Act, to facilitate better information-sharing between the public and private sectors.
Meanwhile, Herr called on congress to approve a new program office inside the Cybersecurity and Infrastructure Security Agency (CISA) dedicated to open source security.
“Open source security should be part of mainstream supply chain security policymaking, and this office would be charged with supporting those efforts while acting as the single point of contact for external stakeholders,” Herr said. “The office would have an important and complementary role to efforts like the Linux Foundation’s Open Source Security Foundation and other industry initiatives, providing long-term perspective, resources, and insights from federal cybersecurity priorities.”
Finally, Palo Alto Networks’ Miller-Osborn offered a strong endorsement of training programs — for individuals of all ages and backgrounds — to help address the shortage of qualified cybersecurity professionals.
“(It’s a good thing to) start when children are younger so they feel comfortable growing up in this field and are interested in it,” Miller-Osborn said. “There are a lot of organizations that look at networking, training, and mentorship to start bringing in people from the field. It starts at the girl's elementary school level all the way through college, (and it continues with) people looking for a second career who want to get into cybersecurity.
“They come into these organizations and can start getting training and mentorship and start learning the skills they need. I think the diversity that’s being created (by offering training for a broad range of individuals) is also critical because that diversity is what makes sure that we’re doing effective analysis. Everyone in the room can’t have the same background or you won’t be able to understand the threats you’re facing from a threat intel perspective.”
The Log4J Vulnerability Resource Center
For more information on the vulnerabilities impacting Log4J and how to remediate them, consider visiting FOSSA’s Log4J Vulnerability Resource Center. You’ll find links to content like:
- Finding and fixing the Log4J DoS vulnerability
- The Log4J vulnerability remediation cheatsheet
- On-demand webinar: An interactive exploration of the Log4J vulnerability