Keynote: What Log4j teaches us about the Software Supply Chain


Abstract

In December of 2021, exploit code for a high-severity zero-day vulnerability was released on GitHub. The exploit targeted a vulnerability in the default configuration of the widely-used log4j library and resulted in many open source and commercial codebases becoming instantly vulnerable. Attacks started immediately and vendors rushed to communicate their vulnerability status and remediation plans to customers.

The resulting industry-wide remediation efforts provide insight into the current state of software supply chain tooling and processes. The results show a stark contrast between companies and projects that have prioritized monitoring and assurance of their supply chains and those that have not. It also highlights the challenges that industry and open source both face when it comes to rapid remediation of vulnerabilities in open source software. Long transitive dependency chains delay full remediation. Unstable APIs add work to software patching tasks. And malicious open source commits make it risky to automate adoption of the latest library versions.
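To make the "long transitive dependency chains" point concrete, here is an added example (written for this page, not code from Sonatype or the talk) that walks a small constructed Maven-style dependency graph. It reports every path from an application down to a log4j-core version below a patched threshold, approximates Maven's nearest-wins version mediation to show which version would actually land on the classpath, and lists the direct dependencies that still need upstream upgrades. The graph, the `com.example` coordinates and the `FIXED_VERSION` threshold are assumptions; set the threshold to whatever your advisory specifies.

```python
"""Walk a constructed dependency graph and report transitive paths to a
vulnerable log4j-core version. Added example; graph data is constructed."""
from collections import deque
from typing import Dict, List, Tuple

# Constructed graph in Maven coordinate form "group:artifact:version".
# Each key lists the direct dependencies its POM declares (not real project data).
DEPENDENCIES: Dict[str, List[str]] = {
    "com.example:shop-app:1.0": [
        "org.apache.logging.log4j:log4j-core:2.17.1",  # pinned directly at the root
        "com.example:payment-client:4.2",
        "com.example:report-lib:1.8",
    ],
    "com.example:shop-app-unpinned:1.0": [            # same app, no direct pin
        "com.example:payment-client:4.2",
        "com.example:report-lib:1.8",
    ],
    "com.example:payment-client:4.2": ["com.example:http-utils:2.0"],
    "com.example:http-utils:2.0": [
        "org.apache.logging.log4j:log4j-core:2.14.1",  # vulnerable, three hops down
    ],
    "com.example:report-lib:1.8": [
        "org.apache.logging.log4j:log4j-core:2.13.0",  # vulnerable, two hops down
    ],
}

VULNERABLE_ARTIFACT = "org.apache.logging.log4j:log4j-core"
FIXED_VERSION = "2.15.0"  # assumption: first patched release; adjust per your advisory


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1, 0). A qualifier such as '-beta9' is dropped and the
    release is ordered before the plain numeric version by appending -1."""
    core, _, qualifier = v.partition("-")
    parts = tuple(int(p) for p in core.split(".") if p.isdigit())
    return parts + ((-1,) if qualifier else (0,))


def split_coordinate(coord: str) -> Tuple[str, str]:
    group, artifact, version = coord.split(":")
    return f"{group}:{artifact}", version


def is_vulnerable(coord: str) -> bool:
    name, version = split_coordinate(coord)
    return name == VULNERABLE_ARTIFACT and parse_version(version) < parse_version(FIXED_VERSION)


def find_vulnerable_paths(root: str, deps: Dict[str, List[str]] = DEPENDENCIES) -> List[List[str]]:
    """Depth-first walk from root; every path ending at a vulnerable coordinate."""
    paths: List[List[str]] = []

    def walk(node: str, path: List[str], seen: set) -> None:
        for child in deps.get(node, []):
            if is_vulnerable(child):
                paths.append(path + [child])
            if child in seen:          # guard against cyclic graphs
                continue
            walk(child, path + [child], seen | {child})

    walk(root, [root], {root})
    return paths


def resolve_nearest_wins(root: str, deps: Dict[str, List[str]] = DEPENDENCIES) -> Dict[str, str]:
    """Approximate Maven mediation: breadth-first, the shallowest (and at equal
    depth, first-declared) version of each group:artifact wins the classpath."""
    resolved: Dict[str, str] = {}
    queue, seen = deque([root]), {root}
    while queue:
        node = queue.popleft()
        for child in deps.get(node, []):
            name, version = split_coordinate(child)
            resolved.setdefault(name, version)
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return resolved


def remediation_targets(paths: List[List[str]]) -> List[str]:
    """Direct dependencies of the root that sit on a vulnerable path, i.e. the
    upstream projects that must ship an upgrade before the pin can be dropped."""
    return sorted({p[1] for p in paths if len(p) > 1})


if __name__ == "__main__":
    for root in ("com.example:shop-app:1.0", "com.example:shop-app-unpinned:1.0"):
        print(f"{root}: classpath log4j-core = {resolve_nearest_wins(root).get(VULNERABLE_ARTIFACT)}")
        paths = find_vulnerable_paths(root)
        for path in paths:
            print("  vulnerable path:", " -> ".join(path))
        print("  upstream dependencies still to upgrade:", remediation_targets(paths))
```

The two roots show why remediation takes so long: the pinned application gets the patched version on its classpath immediately through nearest-wins mediation, yet both of its transitive chains still declare vulnerable versions, so the fix depends on the pin until `payment-client` and `report-lib` release upgrades; the unpinned variant resolves straight to a vulnerable version. Real resolvers differ (Gradle, for instance, prefers the highest version, and shaded or fat jars carry their own copies), so treat the mediation step as an approximation and verify against the build tool's own dependency report.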

As the maintainer of Maven Central – the repository that hosts log4j and most other open source Java projects – Sonatype has unique insight into the uptake of patched versions of vulnerable components. This presentation will draw on analysis of this data to discuss behavioral patterns in open source supply chain management. For example, even 2 months after the disclosure of the log4j vulnerability, about 40% of Maven Central log4j download requests are still pulling vulnerable versions.

Sonatype also works closely with enterprises to help them manage their software supply chains, and we will share our observations regarding industry trends and challenges. Many of these observations are based on a survey of industry approaches to supply chain management that we have been conducting annually for the last three years.

This talk will pull together the above content into a presentation targeted at the HCSS community. The goals will be covering relevant background information, providing a summary of the state of the art with respect to industry tooling, and highlighting the open challenges that could benefit from further research and technology development.

Stephen Magill is Vice President of Product Innovation at Sonatype. He is the former CEO of MuseDev, a software company acquired by Sonatype, and is dedicated to helping developers write their best code through code quality automation. Stephen is a world-recognized expert on program analysis and was previously a principal scientist at Galois. Among his other accomplishments, he earned his Ph.D. and M.S. in CS from Carnegie Mellon and serves on the University of Tulsa Industry Advisory Board.

 

License: CC-BY-NC-3.0
Submitted by Katie Dey on