The recent (and persistent) Log4j incident highlighted the need for standardized practices that “lead to software that is secure by design,” says the new report from the Cyber Safety Review Board (CSRB). In this article, we’ll look at some of the report’s recommendations for securing software and managing vulnerabilities.
The CSRB, which was tasked with identifying cybersecurity improvements and making strategic and actionable recommendations, says that, in regard to Log4j, organizations should:
- Be prepared to address Log4j vulnerabilities for years to come
- Continue to report (and escalate) observations of Log4j exploitation
Best Practices
More generally, organizations are encouraged to “adopt current industry-accepted practices and standards for vulnerability management and security hygiene.”
The report spells out 19 recommendations to help organizations deal with threats and improve overall security, including directives to:
- Maintain an accurate IT asset and application inventory
- Invest in capabilities to identify vulnerable systems
- Have a documented vulnerability response program as well as a documented disclosure process
- Improve SBOM tooling and adoptability
- Train developers in secure software development
- Increase investments in open source software security
Secure Software Development
In addition to providing guidance for organizations, the report also outlines best practices for software developers and maintainers.
Specifically, the report says, software developers and maintainers should:
- Adopt standard practices and technologies to build secure software in accordance with ISO 27034:2011160 and NIST’s Secure Software Development Framework
- Establish a comprehensive approach to code maintenance that encompasses consistent secure development processes, security assessments, and vulnerability management operations
- Implement communication processes and mechanisms that provide consistent and relevant security messaging to users
- Use integrated development environment (IDE) tools to help secure software development
- Integrate source code scanning and tools
Community Initiatives
The report also encourages open source software developers to participate in community-based security initiatives to help improve the security of their processes and code, such as:
- OpenSSF, which offers security training, tools, auditing services, and other community resources
- Open Web Application Security Program (OWASP) Foundation, which tracks top security risks to web applications and provides resources for education, training, and community networking
- Open Source Software Security Mobilization Plan, which outlines steps to help address open source software supply chain security
“The infrastructure on which we rely daily has become deeply interconnected through the use of shared communications, software, and hardware, making it susceptible to vulnerabilities on a global scale,” says the report. Thus, we must work together to strengthen our shared systems.
Ready to find a job?
Check out the latest job listings at Open Source JobHub.
Contact FOSSlife to learn about partnership and sponsorship opportunities.
Comments