Modern applications rely on open source components for up to 90% of their code, creating a vast attack surface dominated by malicious supply chain injections. High-profile incidents like Log4j and the sabotage of colors.js highlight that traditional scanning often fails to detect sophisticated “protestware” or dependency confusion, necessitating 19 practical controls focused on strict intake governance, dependency pinning, and behavioral monitoring to secure the development lifecycle.
Still Running Vulnerable Log4j Instances?
The Log4j exploit was discovered in December 2021, and by now, it should have been resolved. However, it persists.
What the New OWASP Top 10 Changes Mean to Devs
The Open Web Application Security Project (OWASP) recently updated its top 10 list of the most critical security risks to web applications after four years. It represents the most radical shake-up since the list was introduced in 2003. The changes will undoubtedly have a big impact on how businesses address application security going forward and […]
4 Reasons Software Developers Need a Bill of Materials
The recent Log4j/Log4Shell vulnerability was a wake-up call that threats aren’t going to wait until the industry gets up to speed on software supply chain security. While the Log4j open source component vulnerability caught us all off guard, it did highlight the need for software vendors to be more proactive in disclosing the composition of […]
How to Mitigate Software Supply Chain Risks
As new vulnerabilities are discovered on a daily basis, DevOps teams must integrate security into the early stages of the development lifecycle and be vigilant about what elements are incorporated into their applications. The Log4j vulnerability has dominated the headlines since it was discovered in December and it continues to send shock waves through the […]
How Log4j Becomes a Serious DevOps Problem
The recent discovery of the Apache Log4j vulnerability has wide-ranging implications for anyone who develops software, especially for those in the DevOps realm. What’s most troubling about the vulnerability (CVE-2021-44228) is how prevalent the use of Log4j is. The vulnerability is reported in a vast array of applications and directly impacts numerous Apache projects, including […]
Log4j: It’s All About the Supply Chain, Baby!
In 2021, the security story in DevOps and DevSecOps has been the supply chain. So, it’s only fitting that we are currently experiencing the mother of all supply chain issues with the Log4j Log4Shell RCE vulnerability to close out the year. I won’t waste your time rehashing what Log4j is, why it’s so dangerous and […]
U.S. Govt. CX EO | Mozilla Revenue | Log4j Latest
In this week’s The Long View: Improving U.S. government CX, how much money Mozilla makes, and the latest on the Log4j/Log4Shell débâcle.