
Log4Shell could be the worst yet, and the impact on trust

Some updates on Log4Shell. CISA Director Jen Easterly briefed the industry yesterday and stated that it “is one of the most serious I’ve seen in my entire career, if not the most serious.” “We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage.” CISA has also instructed federal agencies to patch by Christmas Eve. I’m also including a reference to Royce Williams’s work compiling over 300 vendors and their current status, and a list managed by the Dutch National Cyber Security Center.

There are other security stories out there besides Log4Shell. This year, we’re already at a new record for security vulnerabilities, having broken 2020’s record, continuing a trend of the past five years in which each year has topped the previous one. A bright spot – there are fewer high-risk ones than in 2020.

Reporting is also up – HackerOne notes a 20% increase in reports from last year. The median payout is also up, 13% overall and 30% for high-severity bugs.

All these issues are causing a lack of confidence in legacy IT vendors. Per research from Vanson Bourne and CrowdStrike, organizations question whether traditional technology firms provide sufficient security protections to enterprise customers. According to the report, almost two-thirds of respondents said their organization is losing confidence in legacy IT providers, such as Microsoft, due to the increasing frequency of supply chain attacks. The research also shows that 45% of respondents have experienced at least one supply chain attack over the past 12 months, up from 32% in 2018.

Why do we care?

I’ll keep covering any Log4Shell items that are newsworthy, but I echo yesterday that this isn’t noteworthy. Run your security playbook here. If you’re in the security management business, I also expect this isn’t your only source of information.

The bigger picture is that lack of confidence. The adage that insanity is doing the same thing and expecting different results resonates. Of course, this is dragging down confidence. The question to track is whether this will change buying behavior. Until that, or regulation, happens, we should expect more of the same.