How Much Should the Federal Government Worry About Log4j?

There is an old fable about the circle of life on the plains of Africa: every morning a gazelle wakes up knowing it must run faster than the lion or it will be eaten. The Apache log4j remote code execution (RCE) exploit playing out as this blog post is being written is a stark example of how that fable holds some truth. A more realistic version would change the gazelle's logic slightly: it does not necessarily have to outrun the fastest lion, only the slowest gazelle. Joking aside, speed is a big factor in open source software (OSS) risk management, and that is why achieving a high level of competency in DevSecOps and maintaining a secure software supply chain that makes your risk visible at every stage of the software lifecycle is key. So the answer, in this writer's opinion, is that the federal government should be very, very worried about log4j indeed.
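"Making your risk visible" in practice starts with being able to answer, within minutes of an advisory, which builds carry which version of an affected library, including copies pulled in transitively. The following is an added example, not code from the original post: it parses the artifact lines that Maven's `dependency:list` goal prints (`groupId:artifactId:type:version:scope`) and flags every copy of a named artifact below a minimum version. The inventory and version numbers are constructed for the demo, and `REQUIRED_MINIMUM` is a placeholder you would replace with the threshold stated in the project's security advisory.

```python
import re
from typing import Iterable, List, Tuple

# One line per artifact as printed by `mvn dependency:list`
# (groupId:artifactId:type:version:scope); the "[INFO]" prefix is optional.
DEP_LINE = re.compile(
    r"^\s*(?:\[INFO\]\s+)?"
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>\w+):"
    r"(?P<version>[\w.\-]+):(?P<scope>\w+)"
)

# Constructed sample inventory: three log4j-core copies in different scopes
# plus unrelated artifacts. Version numbers here are made up for the demo.
SAMPLE_INVENTORY = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.3.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.1.0:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.0-beta9:runtime
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.7.2:test
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.12.3:compile
"""

# PLACEHOLDER: the first version you accept as safe. Take the real value from
# the project's security advisory; this number is not a claim about log4j.
REQUIRED_MINIMUM = "2.5.0"


def version_key(version: str) -> tuple:
    """Order Maven-style versions: numeric parts first; a pre-release
    qualifier (2.0-beta9) sorts below the release with the same numbers (2.0)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)(\d*))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))          # 2.3 == 2.3.0
    if m.group(2):                                # pre-release qualifier present
        return numbers + (0, m.group(2).lower(), int(m.group(3) or 0))
    return numbers + (1, "", 0)


def find_outdated(inventory: Iterable[str], group: str, artifact: str,
                  minimum: str) -> List[Tuple[str, str]]:
    """Return (version, scope) for every copy of group:artifact older than `minimum`."""
    floor = version_key(minimum)
    hits = []
    for line in inventory:
        m = DEP_LINE.match(line)
        if not m or m["group"] != group or m["artifact"] != artifact:
            continue
        if version_key(m["version"]) < floor:
            hits.append((m["version"], m["scope"]))
    return hits


if __name__ == "__main__":
    outdated = find_outdated(SAMPLE_INVENTORY.splitlines(),
                             "org.apache.logging.log4j", "log4j-core",
                             REQUIRED_MINIMUM)
    for version, scope in outdated:
        print(f"log4j-core {version} ({scope}) is below {REQUIRED_MINIMUM}")
```

The scope is kept in the output on purpose: a `test`-scoped copy never ships, while a `compile` or `runtime` copy does, so the same inventory yields different remediation priorities. Running this against every build's dependency listing as a pipeline step is what turns "we think we patched it" into a list of artifacts you can act on.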
