Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementSecurity NewswireSecurity Enterprise ServicesSecurity Leadership and ManagementLogical SecuritySecurity & Business ResilienceSecurity Education & TrainingCybersecurity News

Log4j incident response within the community shows collaboration & dedication to security

By Maria Henriquez
sec-vulnerability-freepik1170x658v570.jpg

Image by rawpixel.com via Freepik

July 15, 2022

For the first time, the Cyber Safety Review Board (CSRB) has released a review of the December 2021 Log4j security vulnerability. The report highlights lessons learned, and makes independent, strategic, and actionable recommendations to the Secretary of Homeland Security.


The report reviews the event surrounding the disclosure of the Log4j vulnerability, which impacted virtually every networked organization. While there is no comprehensive list of Log4j users, the open source Java-based logging framework is simple to use, free to download and effective, making it popular among Java developers that have embedded it and other additions into thousands of software packages.


Based on observations, CSRB says, “responders, spanning the public and private sectors, the open source community, and researchers globally, collaborated and communicated in a dedicated fashion, working through weekends and the December holidays.” The CSRB noted high levels of cooperation, extensive use of social media for rapid sharing of mitigation advice, innovative response actions from the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), and the creation of new shared community resources.


Organizations that responded most effectively to the security vulnerability understood their use of Log4j and had technical resources and mature processes to manage assets, assess risk, and mobilize their organization and key partners to action. Most modern security frameworks call out these capabilities as best practices. 


However, few organizations were able to execute this kind of response, or the speed required during this incident, causing delays in both their assessment of the risk and in their management of it. When the Apache Software Foundation (ASF) made upgrades for Log4j available, deploying them was itself a risk decision, forcing a tradeoff between possible operational disruption and timeliness, completeness, and compensating controls.


According to CSRB, organizations spent significant resources as they struggled with the vulnerability. One federal cabinet department dedicated 33,000 hours to vulnerability response to protect the department’s networks. The costs — sustained over many weeks and months — delayed other mission-critical work, including incident response to other security vulnerabilities. 


CSRB predicts tension between the collective need for crisis-driven risk management and the foundational investments that would support more timely incident response efforts to future incidents. Perhaps most significantly, the force exerted on the urgent response and the challenges in managing risk also contributed to professional “burnout” among defenders that may, compounded with the generally intense pace of many cybersecurity jobs, have a long-term impact on the availability of cybersecurity talent.


Significant risk still remains as Log4j vulnerability is not over. CSRB classifies Log4j as an endemic vulnerability,” and that vulnerable instances of Log4j will remain in systems for many years to come, and even decades or longer. 


To reduce the recurrence of security vulnerabilities like Log4j, it is essential that public and private sector stakeholders create centralized resourcing and security assistance structures that can support the open source community going forward, the report found. The report provides 19 actionable security recommendations for the government and the security industry.


Below, security thought leaders react to the findings of the CSRB report. 


Tim Mackey, Principal Security Strategist at Synopsys Cybersecurity Research Center:

Rarely do we get a comprehensive review of the impact and root causes of a cyber incident so quickly after the incident occurred, but that is precisely what we have from the CSRB in their report on Log4Shell and log4j. 

 

Open source software is fundamentally managed differently than commercial software, but open source software plays a key role in the success of commercial software. The “long-tail” scenario outlined in the report is one we’ve seen with countless past vulnerabilities, and one that favors attackers since their success is based on having at least one victim who hasn’t patched their systems. Given management of open source software is different from commercial software, and open source powers commercial software, reliance on a commercial vendor to alert consumers of a problem presumes that the vendor is properly managing their usage of open source and that they are able to identify and alert all users of their impacted software — even if support for that software has ended. 

 

With patch management being a challenge at the best of times, to mitigate the risk of unknown open source governance within vendors, software consumers should implement a trust-but-verify model to validate whether the software they’re given doesn’t contain unpatched vulnerabilities.


Michael Skelton (Codingo), Senior Director of Security Operations at Bugcrowd:

Dealing with Log4J is a marathon, one that will take years more to resolve. Java, and Log4j are prevalent everywhere, not only in core projects but in dependencies that other projects rely on, making detection and mitigation not as simple an exercise as it may be with other vulnerabilities. While the initial wave of Log4J findings has subsided, we do still see Log4J over bug bounty programs somewhat frequently as the crowd dives deeper into the vulnerability and looks into the dependencies of projects for its presence.


John Bambenek, Principal Threat Hunter at Netenrich:

The Log4j vulnerability was first widely known in December. This report is eight months after that. At this point, anyone still vulnerable is highly unlikely to read this report or in much of a position to do anything about it if they did. Most of the American economy is small to medium businesses that almost always never have a CISO and likely not even a CIO. Until we find ways to make the public without security budgets safe, no high-level list of best practices will move the ball significantly. 


Casey Ellis, Founder and CTO at Bugcrowd:

This is an incredibly dense report, but one that I hope a lot of folks — both inside and external to government —  read and digest. The vulnerabilities in Log4j prompted “one of the most intensive cybersecurity community responses in history,” and there are a great many lessons to be learned from it and hopefully applied back into software and F/OSS vulnerability management. 


Of particular interest are some of the comments in the executive summary about the PRC’s potential actions against Alibaba for violating then-recent vulnerability disclosure laws and the potential for this to have a chilling effect on security research in good faith out of mainland China. Given the progress on deconflicting anti-hacking laws like the CFAA and the CMA in the West, seeing the PRC seemingly take steps in the opposite direction is a vulnerability international relations shift that will be worth keeping an eye on.


Matthew Warner, CTO and Co-Founder at Blumira:

The complexity of patching unknown log4j systems continues to add more difficulties for organizations. A purchased appliance may have a vulnerable version of Log4j without any knowledge of the organization. There continues to be exploitation of Log4j across internet-exposed VMWare Horizon servers that have not been patched, even within hours of CISA notifications of vulnerable hosts. In the grand scheme of cybersecurity, however, Log4j is not unprecedented; even three years after exposure, there continues to be exposed RDP that is vulnerable to BlueKeep. 


Vulnerabilities that live within infrastructure have longevity and stickiness due to the complexity of networks and IT turnover that results in undocumented devices. It will take many years for the industry to remove and update all legacy Log4j solutions and support to identify impacted solutions, and getting this information to organizations will be necessary for privacy/public partnership success.


Mike Parkin, Senior Technical Engineer at Vulcan Cyber:

The CSRB report goes into quite a bit of detail and depth on the Log4J incident and comes out with a comprehensive list of recommendations going forward. Not surprisingly, many of the recommendations are things we’ve been saying in the industry for some time about following best practices and trying to improve hygiene.


Hopefully, this report will help push more organizations to follow best practices and collectively clean up our acts so that the next time a Log4J style vulnerability surfaces, and there will be, we’ll be in a better position to deal with the Next Big Thing vulnerability quickly and effectively. It could also, hopefully, lead to more active initiatives to drive the message home.


Brad Crompton, Intelligence Director at Intel 471:

It is highly recommended users upgrade Log4j to the latest version. Where upgrading Log4j is not feasible instantaneously, exploitation attempts still can be averted by removing the JndiLookup class from the classpath. Intel 471 has not seen a sustained effort to leverage the vulnerability in attacks, but that does not mean threat actors won't use the vulnerability in the future.


Chris Clements, Vice President of Solutions Architecture at Cerberus Sentinel:

The Log4j incident demonstrates just how at risk thousands of organizations are due to uncontrolled third-party software dependencies they may not even be aware that they are using. It’s a real wake-up call for both developers and end users that upstream changes from developers not under your control can pose a significant risk to your products and operations. Worse, in such situations, vulnerable organizations can be left with little recourse for remediation unless they have the development capabilities to correct the vulnerability themselves. In a sense, we are lucky that the Log4j issue had an almost perfect storm of remediation response. The developers themselves:


  • Were still actively maintaining the project
  • Quickly recognized the seriousness of the issue
  • Dedicated themselves to urgently correcting the issue


Had any of these items not been the case, vulnerable products and organizations could have had little means of self-correcting the problem. The thing is, curative actions by the Log4j development team mostly happened out of the goodness of their hearts. As free and open-source software, they were likely under no obligation at all to fix the issue had they not wanted to. This type of uncontrolled dependency should be a major concern for product developers looking to avoid catastrophic situations in the future either from dependency developer mistakes or even directly malicious actions like purposefully introducing vulnerabilities or backdoors.


Roger Grimes, data-driven defense evangelist at KnowBe4:

This is an excellent report and it makes good recommendations across the board. There are no surprises and things that have not been said many times before by other groups, but it’s great to see them all collected into one report. However, the most welcome recommendations include improving the default security and health of the open source software ecosystem, including recommending that developers get trained in secure software development. We know for sure that one of the single best things we can do to improve software security is to make sure all developers have training in common security bugs and how to avoid them. Yet, very few universities and programming schools give developers any training in secure software development, much less make it a key part of their curriculum. Why do we still have an escalating number of software vulnerabilities...over 20,000 publicly identified bugs last year? Because we don’t teach developers how to avoid those bugs. We get what we sow. In this case, DHS is saying we need to fix that, in open source software as well.


For more CSRB findings, please visit www.dhs.gov. 

KEYWORDS: cyber security incident response risk management security operations security vulnerabilities

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Maria Henriquez is a former Associate Editor of Security. She covered topics including cybersecurity and physical security, risk management and more.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Top Cybersecurity Leaders
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Security Enterprise Services
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Technologies & Solutions
    By: Charles Denyer
Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

  • Duty of Care
    Sponsored byAMAROK

    Integrating Technology and Physical Security to Advance Duty of Care

Popular Stories

Internal computer parts

Critical Software Vulnerabilities Rose 37% in 2024

Coding

AI Emerges as the Top Concern for Security Leaders

Half open laptop

“Luigi Was Right”: A Look at the Website Sharing Data on More Than 1,000 Executives

Person working on laptop

Governance in the Age of Citizen Developers and AI

Shopping mall

Victoria’s Secret Security Incident Shuts Down Website

2025 Security Benchmark banner

Events

June 24, 2025

Inside a Modern GSOC: How Anthropic Benchmarks Risk Detection Tools for Speed and Accuracy

For today's security teams, making informed decisions in the first moments of a crisis is critical.

July 17, 2025

Tech in the Jungle: Leveraging Surveillance, Access Control, and Technology in Unique Environments

From animal habitats to bustling crowds of visitors, a zoo is a one-of-a-kind environment for deploying modern security technologies.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • cyber threat

    The Forum of Incident Response and Security Teams holding annual conference online next week

    See More
  • biology

    The Incident Response Approach to Cybersecurity

    See More
  • Cyber Incident Recovery

    BSIMM11 study shows fundamental shifts in software security initiatives in response to DevOps & digital transformation

    See More

Events

View AllSubmit An Event
  • August 27, 2025

    Risk Mitigation as a Competitive Edge

    In today’s volatile environment, a robust risk management strategy isn’t just a requirement—it’s a foundation for organizational resilience. From cyber threats to climate disruptions, the ability to anticipate, withstand, and adapt to disruption is becoming a hallmark of industry leaders.
View AllSubmit An Event
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing