Dive Brief:
- Security flaws in free and open source software (FOSS) will be a recurring source of cyber risk, Moody's Investors Service found. It could take organizations three to five years to fully resolve issues related to the Log4j vulnerability.
- Industries vary widely in how quickly they respond to vulnerabilities, according to 2021 data from BitSight, a Moody's partner on cyber issues. The telecommunications industry trails other sectors, remediating only 29% of critical vulnerabilities within 90 days. The legal industry, the fastest responder, remediated 68% of critical vulnerabilities in the same time frame.
- The use of FOSS can save organizations considerable time and money. But many projects lack financial support, and because so many contributors participate voluntarily, maintainers experience high levels of burnout.
Dive Insight:
Two months after the initial disclosure of the Log4j vulnerability, companies across the nation still grapple with long-term cybersecurity concerns.
Open source projects are critical components of the software that major industries use every day, according to Leroy Terrelonge, vice president and senior analyst in the cyber risk group at Moody's.
"That's a really big weakness in our current system," Terrelonge said. "That only the biggest and most well-resourced organizations can afford to pore over code."
Open-source flaws can linger. Moody's noted a case in January in which researchers discovered a 12-year-old vulnerability in Linux systems.
The Biden administration has been working with private industry to secure the software supply chain. The National Institute of Standards and Technology (NIST) unveiled guidance this month outlining a process for software producers to attest to their use of secure software development practices, to help strengthen the supply chain.
Experts are calling for additional investment in open source to help secure the software supply chain. Measures like a software bill of materials could help industry uncover vulnerabilities more quickly, though it won't prevent them, said David Nalley, president of the Apache Software Foundation, who testified to a Senate committee this week.
While open source helps organizations save considerable time and effort on development, security concerns must be accounted for, said Sandy Carielli, a principal analyst at Forrester.
"However, the mistake is to assume that you can grab an open source library and then never look at it or update it again," Carielli said via email. "Organizations need to get better about managing their open source — understanding where it is used and automating updates so that when something like Log4j happens, it's a blip on the radar and can be remediated with practiced upgrade procedures."
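The two points above, Nalley's on software bills of materials and Carielli's on knowing where an open source library is used, come together in one routine practice: scanning an SBOM for a named component and comparing its version against a floor. The script below is an added illustration for this article, not code from Moody's, Forrester, the Apache Software Foundation or any tool they mention. The SBOM it reads is constructed in CycloneDX JSON shape, and the default floor version of 2.17.1 is an assumption chosen for the example, not a figure from the article; it also handles the nested-component case (a shaded jar bundling its own log4j-core) that a flat grep for the artifact name would miss.

```python
"""Locate log4j-core entries in a CycloneDX JSON SBOM and flag versions
below a chosen floor.

Added example for this article; not code from Moody's, Forrester, the
Apache Software Foundation or any tool mentioned. The SBOM below is
constructed, and the default floor of 2.17.1 is an assumption for the
example, not a figure from the article.
"""
import json
import re
from typing import Iterator

LOG4J_GROUP = "org.apache.logging.log4j"
LOG4J_ARTIFACT = "log4j-core"

# Constructed sample in CycloneDX 1.4 JSON shape, trimmed to the fields used.
# log4j-api is included as a distractor: same group, different artifact.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": LOG4J_GROUP, "name": "log4j-api",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"type": "library", "group": LOG4J_GROUP, "name": LOG4J_ARTIFACT,
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        # A shaded jar carrying its own copy of log4j-core as a nested component.
        {"type": "library", "group": "com.example", "name": "legacy-service",
         "version": "1.0.0",
         "components": [
             {"type": "library", "group": LOG4J_GROUP, "name": LOG4J_ARTIFACT,
              "version": "2.0-beta9",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9"}
         ]},
        {"type": "library", "group": LOG4J_GROUP, "name": LOG4J_ARTIFACT,
         "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    ],
})

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z][\w.-]*))?$")


def parse_version(text: str) -> tuple:
    """Turn a Maven-style version into a sortable key.

    Numeric parts compare numerically; a qualifier such as -beta9 or -rc1
    sorts before the bare release (2.0-beta9 < 2.0), which matters for the
    early Log4j 2 betas that appear in older SBOMs.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))  # pad so 2.0 compares as 2.0.0
    qualifier = m.group(2) or ""
    return (numbers, 0 if qualifier else 1, qualifier)


def iter_components(node: dict) -> Iterator[dict]:
    """Walk the SBOM depth-first; CycloneDX lets a component nest others."""
    for comp in node.get("components", []):
        yield comp
        yield from iter_components(comp)


def is_log4j_core(comp: dict) -> bool:
    """Match on the package URL first, then fall back to group/name."""
    purl = comp.get("purl", "")
    if purl.startswith(f"pkg:maven/{LOG4J_GROUP}/{LOG4J_ARTIFACT}@"):
        return True
    return comp.get("group") == LOG4J_GROUP and comp.get("name") == LOG4J_ARTIFACT


def find_log4j_core(sbom_json: str, floor: str = "2.17.1") -> list[dict]:
    """Return every log4j-core component, in SBOM order, with a below-floor flag."""
    sbom = json.loads(sbom_json)
    floor_key = parse_version(floor)
    hits = []
    for comp in iter_components(sbom):
        if not is_log4j_core(comp):
            continue
        version = comp.get("version", "")
        hits.append({
            "version": version,
            "below_floor": parse_version(version) < floor_key,
            "purl": comp.get("purl", ""),
        })
    return hits


if __name__ == "__main__":
    for hit in find_log4j_core(SAMPLE_SBOM):
        status = "UPDATE" if hit["below_floor"] else "ok"
        print(f"{status:6} {hit['purl']}")
```

Run against the constructed SBOM, the script reports the top-level 2.14.1 and the nested 2.0-beta9 copies as needing an update and leaves 2.17.1 alone; log4j-api is ignored because it is a different artifact. In practice the floor would be taken from the vendor's advisory for the CVE in question rather than hard-coded, and the same walk can be pointed at any other group/artifact pair.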
The Moody's report follows a January report from Fitch warning about the increased cyber risk of Log4j to public finance entities, including local governments, small utilities and critical infrastructure providers.