- Advertisement -spot_img
HomeTechnologyThe High Price Of Poor Application Security

The High Price Of Poor Application Security

- Advertisement -spot_img

When the head of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) calls a software vulnerability among the most serious that they have seen in their career, “if not the most serious,” you know that it’s pretty bad. These were the words of security expert Jen Easterly, describing the expanding Log4J crisis, a vulnerability she says could take years to fully address due to poor application security.

The vulnerability in question affects a popular open-source, widely used library for internet services and software applications. The Log4j vulnerability, which requires little in the way of expertise on the part of those who exploit it, could be used to exfiltrate data, infect networks with malware, steal passwords and login information, and much more – conceivably from millions of computers.

Its potentially wide-ranging use cases are a reminder of just why security measures such as Web Application Firewalls (WAF) are so essential.

The significance of the Log4j vulnerability

Log4j vulnerability poor application security

The Log4j vulnerability is representative of a trend in modern software creation whereby software is often written by patching together building blocks of code, instead of writing it from the ground up. This is frequently done for time efficiency and cost-savings, as well as to optimize performance by using the best bits of code available. Log4j is one such building block.

It’s a logging tool that assists developers by helping them to track the activity that takes place in systems or applications. In doing so, it can aid them in hunting down and fixing problems. Virtually every piece of software involves some kind of logging functionality – whether that’s for future development, security purposes, or day-to-day operations – and Log4j is a common library for doing this logging. As Jen Easterly pointed out, a major vulnerability is therefore incredibly bad news. (And, given that Log4j helps developers look out for trouble, more than a little ironic in the worst possible way.)

When it comes to individual users and organizations alike, Log4j is pretty much guaranteed to be a part of the tools you rely on on a daily basis. The best possible advice for safeguarding against this vulnerability is to ensure that you keep apps regularly updated since this allows developers to add the code necessary to protect against this vulnerability.

The FTC steps in

In most cases, diligent developers are quick to patch vulnerabilities when they’re made aware of them. In the case of Log4j, however, there’s an added incentive: They could face legal action from the Federal Trade Commission (FTC) if they don’t adequately protect consumers.

In January, the FTC said that the Log4j vulnerability represented a “severe threat” to web applications, enterprise software solutions, and consumer products – and is being taken advantage of by an increasing number of bad actors. The FTC stated that to avoid penalties, organizations must “act now” to protect their customers.

This legal warning will most likely prompt developers to more rapidly introduce measures to protect against the Log4j vulnerability. However, that alone will not solve the problem. In order to be adequately protected, users have to download and install the necessary patches. This can be time-consuming work that’s difficult in situations in which organizations rely on large numbers of pieces of software, and taking systems offline to install updates may be tricky.

Use the right tools to protect yourself

What users need is a better means by which to manage their protection against software vulnerabilities – from the major ones like Log4j to the more minor, less publicized ones. Luckily, the right cyber security tools are there to help. Web Application Firewalls and other associated solutions (such as WAAP, a.k.a. Web Application & API Protection) can be used to monitor, filter, and block HTTP traffic both arriving and leaving web services.

They can also help with virtual patching, referring to a series of rules that block malicious activities without a patch having to be installed. In doing so, these solutions can help protect active and legacy applications, third-party tools, APIs and microservices, cloud applications, and much more. Furthermore, they are able to do so in a way that avoids the false positives that can potentially plague such protective solutions.

As the world relies more than ever on web applications and online services in general, such tools are only going to become more critical. An instance like the Log4j vulnerability may not be a widespread occurrence in terms of its seriousness, but there is no shortage of vulnerabilities that nonetheless threaten to negatively impact users around the world.

Organizations and users alike should carry out best practices when it comes to keeping software updated. However, they should also utilize tools like WAF as a much-needed extra level of protection. Given the risk of being targeted by a successful cyber attack, investing in these tools is, by comparison, a no-brainer. It should be part of every sustainable vulnerability management strategy out there.

Tycoonstory
Tycoonstoryhttps://www.tycoonstory.com/
Sameer is a writer, entrepreneur and investor. He is passionate about inspiring entrepreneurs and women in business, telling great startup stories, providing readers with actionable insights on startup fundraising, startup marketing and startup non-obviousnesses and generally ranting on things that he thinks should be ranting about all while hoping to impress upon them to bet on themselves (as entrepreneurs) and bet on others (as investors or potential board members or executives or managers) who are really betting on themselves but need the motivation of someone else’s endorsement to get there.

Must Read

- Advertisement -Samli Drones

Recent Published Startup Stories

Select Language »