In an ideal world, all open source software would be continuously reviewed to prevent security breaches. The reality is different, so much so that the matter caught the attention of the US government: after a serious vulnerability in Apache Log4j, the White House met with technology companies to address the issue. Google is one of the companies most engaged in the cause.
The subject deserves attention. After all, open source software is used all over the world, by individuals and by organizations of every size. You already know the reasons: the open nature allows these projects to be improved or adapted by any interested party, they are free, and it is relatively easy to find support from the community.
But there’s a downside: some open source systems are so popular — particularly on the internet — that any security flaw identified in them has the potential to cause “widespread panic.” The case of Log4j is a good example.
Log4Shell: The Vulnerability in Log4j
Log4j is the name of a widely used tool, mainly in online systems. It allows the recording of events of various types in the system. A simple example: when you access a website and come across a 404 error message, this information can be recorded in a log file by Log4j and, along with other events, analyzed by an administrator.
Log4j is open source and part of the Apache Logging Services, a project of the Apache Software Foundation. It is such a popular tool that it is even present in systems from companies such as Google, Microsoft and Twitter.
In December, Log4j's reputation was hit by the discovery of a serious security flaw. Identified as CVE-2021-44228 and called Log4Shell, the issue left so many servers vulnerable that it caused distress to IT teams around the world and drew scrutiny from authorities, particularly in the United States.
Log4Shell lies in a feature that allows users to define custom messages in log files. In short, this loophole allows malicious code to be executed remotely in order to, among other actions, capture sensitive information and spread malware.
The problem can be fixed. However, there is no single fix for Log4Shell, as the remedy depends on how Log4j was installed and configured. That means thousands of servers could still be vulnerable.
Open source has become a matter of “national security”
Serious as it is, the vulnerability in Log4j set off a warning light. At the meeting held at the White House on Thursday (the 13th), representatives from giants such as Google, Facebook, Microsoft, Amazon and Apple recognized the need for open source security to be treated with higher priority.
Google's position stands out. On its official blog, the company explains why the matter deserves attention:
For a long time, the software community has taken comfort in the notion that open source software is generally safe due to its transparency and the assumption that “many eyes” are watching and solving problems. But the fact is, while some projects have a lot of eyes on them, others have few or none.
Apparently, the US government agrees with this perception. At the meeting, Jake Sullivan, the US national security adviser, signaled that the matter must be treated as a "key national security issue."
What happens from now on, then? It is not clear. But the fact that big tech companies and the United States government itself are paying attention to the matter indicates that changes are really coming.
The truth is that a lot can be done to improve open source security. Financial support would be a good start. Google again serves as an example: the company says that, in 2021, it directed US$ 100 million to support independent software organizations, including OpenSSF, which deals precisely with open source security.
Sources: Gizmodo, The Conversation.