Log4j vulnerability, supply chain attacks and SBOMs
The logging library Log4j was recently found to have an injection vulnerability (Log4Shell, CVE-2021-44228) that allowed remote code execution (RCE), among other attack vectors. What made it notable was how many software packages pull in log4j-core as a dependency, often transitively, so any application that shipped a vulnerable version and logged attacker-controlled input was exposed, whether or not its maintainers knew Log4j was in the build.
We discuss the Log4j vulnerability briefly, then move to the bigger issue that enables this class of attack: the software supply chain.
During the incident, organizations were scrambling to work out which of their systems contained Log4j at all. A Software Bill of Materials (SBOM) answers that question ahead of time: it is a machine-readable inventory of the components and transitive dependencies that make up each piece of software, which can be generated for free with open source tools (for example Syft, which emits the SPDX or CycloneDX formats) and aggregated across the organization's systems.
With SBOMs in hand, detecting vulnerable systems becomes a query against the inventory rather than a hunt through build files, which shortens mitigation and also supports incident response and digital forensic investigations: an SBOM captured at build time records exactly what code a compromised system was running.
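To make the SBOM query concrete, here is an added example that is not part of the original page: it loads a CycloneDX JSON SBOM, checks each component against an advisory's affected version ranges, and walks the SBOM's dependency graph to show the path through which the vulnerable artifact was pulled in. The SBOM content (a hypothetical "payments-api" service and a made-up "report-lib") is constructed for the example. The affected ranges for CVE-2021-44228 in log4j-core are those from the Apache Log4j advisory (fixed in 2.3.1, 2.12.2 and 2.15.0), hard-coded here only for illustration; a real scanner would pull them from an advisory feed and use a full Maven version comparator.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.4-style SBOM for a hypothetical service. Component
# names, versions and the dependency graph are made up for this example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "type": "application",
                               "name": "payments-api", "version": "3.2.0"}},
    "components": [
        {"bom-ref": "pkg:maven/com.example/report-lib@1.4.0", "type": "library",
         "group": "com.example", "name": "report-lib", "version": "1.4.0"},
        {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "type": "library",
         "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1", "type": "library",
         "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
        {"bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0", "type": "library",
         "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.0"},
    ],
    # CycloneDX expresses the dependency graph as ref -> dependsOn edges.
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:maven/com.example/report-lib@1.4.0",
                                     "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"]},
        {"ref": "pkg:maven/com.example/report-lib@1.4.0",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]},
        {"ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"]},
    ],
})

# Affected ranges in OSV-style [introduced, fixed) form, keyed by (group, name).
# CVE-2021-44228 was in log4j-core, not log4j-api; the fixed versions are the
# 2.3.1 / 2.12.2 / 2.15.0 branch fixes from the Apache advisory. Illustrative
# only: load this from an advisory feed in real use.
ADVISORIES: Dict[Tuple[str, str], List[Tuple[str, List[Tuple[str, str]]]]] = {
    ("org.apache.logging.log4j", "log4j-core"): [
        ("CVE-2021-44228", [("2.0.0", "2.3.1"), ("2.4.0", "2.12.2"), ("2.13.0", "2.15.0")]),
    ],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric prefix of a Maven-style version: '2.0-beta9' -> (2, 0, 0).
    Qualifiers like '-beta9' are dropped (assumption: good enough for the
    ranges above; exact prerelease ordering needs a full Maven comparator)."""
    parts = [int(p) for p in v.split("-", 1)[0].split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def in_range(version: str, introduced: str, fixed: str) -> bool:
    """True if introduced <= version < fixed (half-open, as in OSV)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def dependency_paths(sbom: dict, target_ref: str) -> List[List[str]]:
    """All paths from the root component to target_ref through the
    'dependencies' graph: this is the 'why is log4j even here?' answer."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    paths: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node == target_ref:
            paths.append(path)
            return
        for child in graph.get(node, []):
            if child not in path:  # guard against cycles in malformed SBOMs
                walk(child, path + [child])

    walk(root, [root])
    return paths


def find_vulnerable(sbom_json: str) -> List[dict]:
    """Match every component against ADVISORIES and attach its dependency paths."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        key = (comp.get("group", ""), comp.get("name", ""))
        for cve, ranges in ADVISORIES.get(key, []):
            if any(in_range(comp["version"], lo, hi) for lo, hi in ranges):
                findings.append({"cve": cve, "component": f"{key[0]}:{key[1]}",
                                 "version": comp["version"],
                                 "paths": dependency_paths(sbom, comp["bom-ref"])})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_SBOM):
        print(f"{f['cve']}: {f['component']} {f['version']}")
        for p in f["paths"]:
            print("  via " + " -> ".join(p))
```

Run against a directory of SBOMs, one per deployed artifact, this is the query the article is describing: the answer is a list of affected services with the dependency chain that introduced the component, rather than a grep across source trees. Note that log4j-api at the same version is correctly not flagged, and that bumping log4j-core to a fixed version clears the finding.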