2021-12-22

According to cybersecurity experts (including the US CISA), the vulnerability in the log4j library is one of the most serious software defects ever seen, and the reason is obvious: it is precisely volunteer-maintained software projects such as log4j that keep the Internet running, and their malfunction, or more precisely an unresolved vulnerability in them, represents an unsustainable risk.

In particular, in the case of log4j, what makes the attack deriving from this vulnerability so disruptive, as we have already seen in our analysis, is precisely the ease of exploitation by malicious actors and the enormous popularity this library has gained over time, all over the world and in every sector of software development.

The log4j project and open source software

Log4j was born as an open source project of a team of volunteer developers at the Apache Software Foundation, who conceived, tested and distributed it. Since its source code is published, as the foundation of the open source paradigm requires, it is also freely accessible and modifiable by anyone who needs to integrate or customize it for their own needs (which do not necessarily coincide with those of the people who originally conceived the project).

And just as the Apache volunteer team releases, on December 18, the third patch, fixing the last remaining vulnerability so far, CVE-2021-45105 (7.5 on the CVSS severity scale), many people begin, in comments, interviews and tweets, to point out the “dangers” of open source software.

When we describe a piece of software as open source, we are identifying the legal relationship governing its use by third parties (the contract or, more simply, the user license).

Of all licenses, those based on the open source paradigm are considered the “most permissive” with respect to the freedoms they grant to the third parties who come into contact with the software: first of all, the ability to access, modify, extend and redistribute the source code with which that software was written.

This concept is one of the most significant in the world of technology and software development, in favour of the well-being of the community (which decides to use that product), but historically it has always been the subject of economic misunderstandings.

What is labeled open source, in fact, is not necessarily free of charge. In the common conception, however, the two are taken to be the same thing.

Log4j was conceived as open source and distributed free of charge to anyone who needed it for the development of other projects, all thanks to the voluntary (and therefore unpaid) work of people with the skills that log4j required.

Over time the product spread and was gradually adopted by the biggest giants of software and technology in general (Microsoft, Google, Twitter and Apple’s iCloud use log4j in their commercial products), without anyone really paying attention to it.

No one, in the broad panorama of the Internet and web development, has ever been interested (log4j has existed since January 8, 2001) in how this project is maintained, or whether it needed a hand with its development: everyone simply downloaded it, integrated it into their multi-million projects and forgot about it.

The vulnerability in log4j and the risks of open source

The real cyber security problem behind this vulnerability is not whether open source software can be trusted or not: the real problem is how one can think of basing one’s work (designed to be productive and profitable) on “pieces” of technology offered by the effort of a community, without looking into how that work was carried out, for what purposes it was born and how long it can last as originally conceived.

It has been 20 years since log4j was released: although it was the voluntary fruit of experts’ work, it is certainly not a good idea to assume that anyone can “give us” all their knowledge and experience whenever needed, always ready and up to date, for 20 years.

The problem of high global impact that log4j generated with its vulnerability could perhaps have been avoided if a consortium of technology giants (united by the fact that they all used it) had joined forces (in experience but also economically) to verify the state of development of a library so widespread in the products used to generate profit.

Furthermore, today we are talking about log4j, but it is important to remember the importance of open source in the world of technology. This same problem, in fact, affects (or could affect in the future) a large set of applications (or libraries themselves) that are today the result of voluntary contributions from a community.

The Internet itself was conceived on open source technology, and most of the servers hosting the websites we visit are based on open source software (GNU/Linux for the operating system and Apache for the web server).

What we learn from the vulnerability in log4j

Much of the software that runs the routers of our Internet connections is Linux-based, and the core parts of Facebook’s and Google’s software use open source contributions (Android is a derivative of the GNU/Linux project).

Many programming languages themselves, in which the software we use is written, are open source, and finally there is an immense series of libraries useful for the most diverse purposes, exactly like log4j.

There are also many already virtuous examples of the mechanism just mentioned, in which certain technology giants have invested in open source projects in order to improve their security and keep the development cycle efficient: the popular GNU/Linux distribution Ubuntu is under the protective wing of the private company Canonical Ltd, which with investments and paid staff oversees its development (even though it remains open source and accessible to anyone).

But unfortunately there are also too many and too widespread examples of open source technology, produced voluntarily for the good of a community, embedded in gigantic and highly productive projects (in terms of economic gain), without the slightest recognition, and from which prompt efficiency and security are nonetheless expected.

The time has therefore come to rethink the relationship that the technology giants have with the development cycle of a technological project, taking into account all the parties that come into play, for the cyber security of their infrastructure and of all users.

Reinventing the wheel every time we need to build a car is never a good idea, but studying the invention of the wheel in order to improve it is a must for anyone involved in technological security.
