
Apache co-founders have called for a partnership to prevent the Log4Shell issue again

Brian Behlendorf, co-founder of the Apache Software Foundation and lead developer of the Apache HTTP Server, recently published an article calling on the open source foundations to work closely together to prevent problems like Log4Shell from happening again. The article argues that security work in the open source field is under-resourced, that the field is constrained in developing standards and requirements that would reduce the chance of major vulnerabilities, and it makes several recommendations for mitigating security risk.


To prevent problems like Log4Shell from recurring, Brian Behlendorf advocates that open source software foundations do the following to mitigate security risks:

● Establish a foundation-wide security team to receive and triage vulnerability reports, and to coordinate responses and disclosures with other affected projects and organizations.

● Perform frequent security scans via CI tools to detect unknown vulnerabilities in the software and to identify known vulnerabilities in its dependencies.

● Conduct periodic external security audits of critical code, especially before new major releases.

● Require projects to use a testing framework and maintain high code coverage, so that untested features can be flagged and unused features proactively phased out.

● Require projects to remove deprecated or vulnerable dependencies. (Some Apache projects were not affected by the Log4j 2 CVE only because they are still using Log4j 1, a version with known weaknesses that has not been updated since 2015!)

● Encourage, and eventually require, the use of SBOM formats such as SPDX to help everyone keep track of dependencies more easily and quickly, making vulnerabilities easier to spot and fix.

● Encourage, and ultimately require, maintainers to demonstrate familiarity with the basics of secure software development practices.
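The two recommendations above on CI dependency scanning and SBOMs fit together: once a project publishes an SPDX document, checking it against a list of known-vulnerable version ranges becomes a small, automatable step. The script below is an added example written for this page; it is not code from the article, from Brian Behlendorf, or from the Apache Software Foundation. The SBOM uses the real SPDX 2.3 JSON field names (packages, versionInfo, externalRefs with a purl reference), but its contents are constructed, and the advisory list is constructed sample data with a placeholder identifier and an illustrative version range, not a real CVE record.

```python
"""Flag SBOM packages that fall inside a known-vulnerable version range.

Added example for the SBOM / CI-scanning recommendations above. The SPDX
document and the advisory data are constructed for illustration.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Constructed SPDX 2.3 JSON document (field names are real SPDX; data is not).
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "sample-service",
    "packages": [
        {"name": "log4j-core", "SPDXID": "SPDXRef-Package-log4j-core",
         "versionInfo": "2.14.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]},
        {"name": "log4j-api", "SPDXID": "SPDXRef-Package-log4j-api",
         "versionInfo": "2.14.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"}]},
        {"name": "commons-text", "SPDXID": "SPDXRef-Package-commons-text",
         "versionInfo": "1.10.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:maven/org.apache.commons/commons-text@1.10.0"}]},
    ],
})


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id; a real feed would carry a CVE/GHSA id
    purl_prefix: str   # package identity without the @version part
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive)


# Constructed advisory list: the id and the range are illustrative only.
ADVISORIES = [
    Advisory("ADVISORY-PLACEHOLDER-1",
             "pkg:maven/org.apache.logging.log4j/log4j-core", "2.0", "2.17.1"),
]


def version_key(version: str) -> tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) for ordered comparison.

    Non-numeric suffixes are dropped, so a pre-release such as '2.0-beta9'
    compares as '2.0.0'. Keys are padded to three components so that
    '2.0' and '2.0.0' compare equal.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def split_purl(purl: str) -> tuple[str, str | None]:
    """Split a package URL into (identity, version); qualifiers are ignored."""
    core = purl.split("?", 1)[0].split("#", 1)[0]
    base, sep, version = core.rpartition("@")
    if not sep:
        return core, None
    return base, version


def package_purl(pkg: dict) -> str | None:
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref["referenceLocator"]
    return None


def find_vulnerable_packages(sbom_json: str, advisories=ADVISORIES) -> list[dict]:
    """Return one finding per package whose version is inside an advisory range."""
    sbom = json.loads(sbom_json)
    findings = []
    for pkg in sbom.get("packages", []):
        purl = package_purl(pkg)
        if purl is None:
            continue  # no package identity to match against; a real scanner would report this
        base, version = split_purl(purl)
        version = version or pkg.get("versionInfo")
        if not version:
            continue
        for adv in advisories:
            if base == adv.purl_prefix and (
                version_key(adv.introduced) <= version_key(version) < version_key(adv.fixed)
            ):
                findings.append({"spdx_id": pkg["SPDXID"], "purl": purl,
                                 "version": version, "advisory": adv.advisory_id,
                                 "fixed_in": adv.fixed})
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable_packages(SAMPLE_SBOM):
        print(f"{finding['spdx_id']}: {finding['purl']} matches "
              f"{finding['advisory']} (fixed in {finding['fixed_in']})")
```

Run in a CI job, a non-empty result from find_vulnerable_packages is the signal to fail the build; the version parser is deliberately simple and treats pre-release labels as the corresponding release, which is acceptable for a gate but not for producing precise advisories.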

Much of this has been incorporated into the CII Best Practices Badge, one of the first attempts to codify these into objectively comparable metrics, and this work has now been transferred to OpenSSF. OpenSSF also released a free course for developers on how to develop secure software, and SPDX was recently announced as an ISO standard.
