Will It Take More Than Open Source Funding To Prevent the Next Log4j?

"While the lack of funding in open source is certainly a problem, could funding have prevented the Log4j vulnerabilities?" asks Mike Melanson's "This Week in Programming" column. "Would funding actually prevent similar vulnerabilities in the future...?"

Or is that an oversimplification? In a blog post for the Linux Foundation's Open Source Security Foundation (OpenSSF), Brian Behlendorf argued that open source foundations must work together to prevent the next Log4Shell scramble, outlining seven points that OSS foundations could do to mitigate security risks. Among those seven points — which include security scanning, outside audits, dependency tracking, test frameworks, organization-wide security teams, and requiring projects to remove old, vulnerable code — not once was funding mentioned. Rather, Behlendorf precedes these points by saying that "Too many organizations have failed to apply raised funds or set process standards to improve their security practices, and have unwisely tilted in favor of quantity over quality of code."

Behlendorf continues after his list of seven suggested acts with a section that boils everything down perfectly:

"None of the above practices is about paying developers more, or channeling funds directly from users of software to developers. Don't get me wrong, open source developers and the people who support them should be paid more and appreciated more in general. However, it would be an insult to most maintainers to suggest that if you'd just slipped more money into their pockets they would have written more secure code. At the same time, it's fair to say a tragedy-of-the-commons hits when every downstream user assumes that these practices are in place, being done and paid for by someone else."

Behlendorf does go on to make some points about funds and fundraising, but his point is less on the lack of funding than the allocation of those funds and how they need to be focused on things like paid audits and "providing resources to move critical projects or segments of code to memory-safe languages, or fund bounties for more tests."

Behlendorf says that, in the new year, the OpenSSF will be working to "raise the floor" for security in open source.

"The only way we do this effectively is to develop tools, guidance, and standards that make adoption by the open source community encouraged and practical rather than burdensome or bureaucratic," he wrote. "We will be working with and making grants to other open source projects and foundations to help them improve their security game."
Behlendorf was a founding member of the Apache Group, which later became the Apache Software Foundation.

So as a long-time member of the Open Source community, he calls the Log4j vulnerabilities "a humbling reminder of just how far we still have to go."

Re:

[ranton]

No, the correct answer is litigation. Just make sure you have someone to sue for any piece of software you use. ;-)

Yes, they must be criminally responsible

[ac2022]

It is a brilliant idea to make open-source developers criminally responsible for security vulnerabilities for the entire lifetime! Give them 2 weeks' notice about vulnerability and then go for them! A couple of public cases and we will finish that irresponsible practice of writing software for free!

Re:Yes, they must be criminally responsible

[mysidia]

No.. The open source software comes with no warranty. The liability should be to whoever is selling a commercial product based on that component.

I would say the option to "waive merchantability warranty" should be prohibited for commercial products - the open source upstreams should have exception for code being released to the public instead of being sold as a closed product.

Re: Yes, they must be criminally responsible

[Lowell Boggs]

Exactly - what about the responsibility of the users of the s/w to obey the license restrictions that every piece of open source s/w has in it - to accept all the financial responsibility for the use of the s/w? What screwed up jury would convict people who specifically said dont use our stuff if you can't indemnify us against all tortious actions?

Criminal negligence or deliberate criminal intent

[ac2022]

We criminally prosecute hackers who use undocumented APIs to process their requests in the systems over the internet. So what is the difference between a person who builds such undocumented API and the person who uses them? You may say that hackers are as innocent users as everybody else, the fact that they use undocumented APIs does not make them criminals, they are just more knowledgeable and the knowledge is not a crime. If usage of undocumented APIs implies criminal activity then the person who builds a

Who is going to pay for the security? Me?

[shanen]

Vacuous Subject, weak FP.

Regarding the new Subject, the proper answer is "us" as in all of us are harmed more or less directly by such fiascos. But even if I were rich, I couldn't pay to fix all the broken software out there.

My favored approach to the problem would be a viable financial model that could sustain sufficient testing to catch more bugs and also support security responses. I see how a CSB (Charity Share Brokerage) could address the first two problems, but the third is much tougher.

Re:

[znrt]

It wasn't until then I appreciate quite how widespread that attitude

no, it seems you still don't get it. open source is at its core altruistic, and that's it. if anyone wants to build a billion dollar enterprise on that then that's on him.

yes, it is widespread greedy abuse (with very little exceptions), the vast majority of software developers not only compulsively chow on opensource work without giving anything back, but are so lazy and gullible as to not test if what they get for free is actually secure and fit for their purposes, and then so despicable to blame opensourc

Re:

[znrt]

There's two problems with this argument, the first is that the vast majority of open source gets written by people paid by corporations,

citation needed, but even then it is shared with the world, "for free". read on.

the second is that you're effectively saying open source shouldn't ever be trusted,

not at all. you can trust it if you "own it", make it yours and make thoroughly sure that it is fit for purpose. at the very least you got the idea, the design and the code served to you, you could and should take it from there, not blindly use it as a free product. eventually you might discover it has a flaw and you can contribute a fix for everybody. however, everybody's use of it is still everybody's friggin responsibility.

But your toxic attitude highlights precisely the problem

to

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[angel'o'sphere]

For a corporate user, let's say a Bank: there is no difference if they pick a MIT or GPL library.
As a matter fo fact: there is rarely a choice anyway. Or is there an GPL alternative to log4J? Not that I'm aware of. The alternatives are all either MIT or BSD or Apache licensed.

Re:

[bobintetley]

They could always use the logger that's built right into the JRE if licensing is a problem? It's been there since JDK 1.4 in the package java.utils.logging so it's not exactly new.

Re:

[angel'o'sphere]

Licensing is not the/a problem.
Not sure if 1.4 already had logging, I don't think so, but it is not important.

Re: I have an idea

[Billly Gates]

Well it's a good thing open source software written in c/c++ like OpenSSL don't have these problems like heartbleed etc.

Re: I have an idea

[ArmoredDragon]

The log4j bugs are more a result of shitty program logic than the language. Trust me, I hate Java with a passion. And yes, some languages allow you to make fuckups without realizing it more than others, Rust being a prime example of a language that is really anal about making sure that you do many things the correct way.

But, no language can fix bad program logic. And bad program logic isn't necessarily done by bad programmers. A lot of times when you're in long coding sessions (even if it's just a project t

Re:

[Dutch Gun]

Agreed. This is a great example of a bug introduced by a bad feature (executing raw user input) rather than a problem with the language. This would NOT have been fixed by writing this in Rust. Java is already a memory-safe language.

Granted, I do believe it's best to use memory-safe language in user or internet-facing components if at all possible instead of C. But simply using a better language is not a fix-all - just a step in the right direction. In this case, the true preventative fix would have bee

Re:

[angel'o'sphere]

Trust me, I hate Java with a passion.
And why that psychopathic behaviour?

There are only two languages to hate:
a) PERL
b) JCL

Not sure which deserves more hate ... I contemplate about it till I hate one of both less.

Re:

[The Evil Atheist]

JCL isn't a programming language. It's just Job Control Language. And most of JCL's insane design comes from the fact that it was created during a time when experience with creating languages was ad-hoc and without much prior experience. Then backwards compatibility forced it to remain that way. And even then, it's things like the DD statement that has an insane amount of options and behaviours.

There's no excuse for Perl. Or TCL for that matter.

Re:

[angel'o'sphere]

A job control language is also a programming language, or is Bash not a shell not a programming language?

Gosh, I had forgotten about TCL, you are so evil to remind me about it again.
Put it on top of my list. A damn language where you can not uncomment code - because comments are code and are only allowed at specific points. Made me so much head aches when I had to fix some silly stuff in a super complex TCL environment.

Re:

[The Evil Atheist]

Bash language is not a job control language. It's pretty much general purpose. It's a shell language.

JCL doesn't even support conditionals or loops, or at least my rusty recollection of it. Maybe there was some arcane way to pretend a conditional or loops with some of the DD options. JCL most commonly simply lists steps with the program and DD statements. Any "complicated" thing was done by the program itself.

Re:

[angel'o'sphere]

Well, nevertheless it is very "esoteric" to try to put a language into a corner where it is suddenly no longer a programming language.

For me: JCL is a programming language. And as the acronym tells: a Job Control Language, too.
And Bash is just the same: a job control language. If you write real applications in Bash, you are not better than a Visual Basic programmer. Just because it can be done: does not mean it needs/should be done.

My JCL background was on IBM mainframes (actually Siemens Clones) and a Cybe

Re:

[The Evil Atheist]

And as the acronym tells: a Job Control Language, too.

Yeah, it's a language. I agree it's a language. It doesn't make it a Programming Language.

If you write real applications in Bash

It doesn't matter what it's being used for. Bash definitely has the power of a Turing complete language, whereas JCL doesn't. Bash isn't about "job control". It's much more than that.

Whereas, JCL is only usable for job control. It's just a fancy version of what people did when they "programmed" their VCRs to do something at a certain time. Just like I wouldn't call "programming" VCRs programming, I wouldn't call JCL

Re:

[angel'o'sphere]

Then you are nitpicking again.

As the hierarchy of "programming languages" starts with "programming language", then it branches of into different families, and "job control language" is one branch, into which JCL belongs.

Has absolutely nothing to do wether it is Turing Complete or not.

On the other side, old school TeX is not a programming language, neither is HTML. With CSS HTML btw is Turing Complete, but no one would call it a programming language.

Then again: you can make your own categories as much as you

Re:

[gweihir]

Stop using java entirely.

That would be a good idea. Obviously, Java makes it far too easy to write insecure code. Functionality that makes accidents as easy as the JNDI lookup has no business being available. First, such things are not needed in a sane language design. If they get provided, they should be clearly marked as exotic and dangerous and come with ample clear warnings. And then the still should come with secure defaults that need some actual understanding to disable. The incompetent Java designers basically placed an unse

Re:

[angel'o'sphere]

First, such things are not needed in a sane language design.
That functionality is obviously not in the language, but needs an explicit library call.

(*facepalm*)

Re:

[gweihir]

You having trouble seeing standard libraries as part of "the language"? No surprise, I _know_ you are stupid...

Re:

[angel'o'sphere]

They are not part of the language.
They are part of the environment.

And if they are not on the classpath: no one can access them. You even can get away with not installing them.

No idea what your comment about "stupid" is supposed to mean.

Re:

[gweihir]

Bullshit. There is "the language" as the syntax and there is "the language" as the standard distribution package. Obviously I am referring to the latter. Obviously you are not smart enough to see that.

Re:

[angel'o'sphere]

You are referring to library calls.

And that is not part of the language,

I suggest to read up how pattern matching in PERL or awk works and compare that to Java.
The first two have it as part of the language. Java has it in a library.

I hope you never teach programming to anyone if you can not differentiate the simplest things, you will confuse the heck out of your students.

There is no "syntax" for ldap/jndi access in Java. Grasp it or don't grasp it.

Did you have a bad merry christmas or are you completely dru

Re:

[Joey Vegetables]

JNDI is a longstanding part of the Java platform, and it is actually useful when used for its intended purposes, and with appropriate safeguards.

But I'm still not quite sure why it should be in a logger, and enabled by default.

I have a better idea

[getuid()]

Stop writing complex software.

Re:

[Joey Vegetables]

Stop writing software that is more complex than it has to be.

And learn from 50 years of software development history that complex code should be constructed from relatively simple pieces/parts.

I've encountered few software failures in my career that didn't result from the violation of at least one, but usually both, of these precepts.

Re: I have a better idea

[getuid()]

Exactly.

And above all: get your data model right, before nailing anything else.

I don't know why this is, but when I started to do programming 25 years ago, I heard a phrase along the lines of "show me your data structures, and hide your algorithms, and I'll be able to reproduce them; hide your data structures and show me your algorithms, and I'll continue to be baffled". Unfortunately I've forgotten whom it was attributed to, and for the love of me I can't find it anymore. I remember that having been a famo

Re:

[Joey Vegetables]

Agreed 1000%.

But, disturbingly, modern developers almost uniformly fail to understand data, and further fail to recognize why this understanding is literally foundational to nearly all software development.

This includes but is not limited to databases. I used to wear a DBA hat, and it makes me die inside a little bit every time someone decides to deploy an enterprise-class database, and then neuter it or worse, by failing to consider optimal levels of normalization, failing to understand proper indexing an

Re:

[angel'o'sphere]

And why would anyone do that?
And which Java hating idiot modded it insightful?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[The Evil Atheist]

What buffer overflows in C++?

Most Java libraries, like log4j, runs on VMs written in C++.

If buffer overflows were such a big issue, why was it much much easier to find such a wide-ranging bug in the non-C++ parts, namely log4j?

Re:

[mbkennel]

Because the amount of programmer attention and money devoted to the JVM code is enormously higher than one library.

Re:

[The Evil Atheist]

Yes. It's almost as if language has nothing to do with it.

It's almost as if people are mistaking their hatred of a language because of their feelings when they learned it and/or were badly taught at university with actual experience.

Re:

[giuntag]

Re C++ and PHP: that is a simplistic analysis, and in fact comes to a misleading and wrong conclusion.

PHP has had a de-facto standard logging library for 8 or more years - monolog. You can look it up in the CVE database: it has had no major incidents so far.

The root cause of the problem with log4shell is...
design flaws.
Not the stereotypical problems associated with C (buffer overflows, memory management, off-by-ones), nor the ones associated with php (loose typing, inexperienced coders). Static analysis too

Re:

[Joey Vegetables]

Perhaps, in retrospect, more attention will be paid in the future about how to templatize log string formats without thereby injecting potential vulnerabilities. Presuming that is possible.

But how in the F was something like JNDI not only included in a logging library by default, but also enabled by default (presuming I'm understanding correctly that that's what happened)?

the next log4j

[peterww]

Will be in some Go library, and all those statically compiled Go apps will have to be rebuilt and reinstalled one at a time. Will be much worse because there's no automation for remediating it and it will affect more applications

Re:

[sodul]

Are you trying to complain about Golang here?

The log4j issue did require the java services using them to be rebuilt, the war and jar files usually embed the faulty libraries and require the equivalent to a full rebuild and re-install. The static nature of Go does not make the process much worse than with Java TBH.

With java: update your log4j version in maven/ant/graddle, deal with your transient dependencies, commit, rebuild and redeploy your binaries.

With Golang: update your log4g (or whatever equivalent)

Re:

[Joey Vegetables]

Dynamic versus static linking is IMO not a huge issue for FOSS. You have the source. You can update dependency lists, recompile, test, and be done, at least for now.

But with proprietary software, especially if it's statically linked, you're kind of at the mercy of the vendor. It is the only entity capable of updating the libraries and then rebuilding. If it doesn't, for whatever reason, you're libFoobar.so'd.

Re:

[LostMyAccount]

The reality is that despite shared libraries saving us from security exploits, so often they're used in monolithic components where they are essentially not shared libraries because each component has its own local shared library. So you're still patching stuff one at a time, not just replacing that one library.

I'm not at all convinced that shared libraries are really any worse than static compilation. While patching a statically compiled application may be a headache, at least you'll know it won't bomb o

Re:

[peterww]

If it's the same version of the library as before with a 2-line patch, and the devs aren't terrible / the codebase isn't awful, it _should_ be fine to patch shared libraries in place. But yeah, sometimes it's not.

Where shared libraries are much better in this regard is in how standardized they are. With shared libraries you can 'apt-get update && apt-get upgrade' (or however the library is packaged) on your development machine, test it locally, then promote the change to production.

With statically c

Re:

[LostMyAccount]

I guess I get it in an environment where you or your org is doing the development and deployment across a common platform where you actually use/control the libraries.

But as a regular joe IT administrator, I just see 23 different platforms from a bunch of different vendors where there is no concept of just replacing a library. I mean there is in some very narrow cases IF you want to fuck around with a vendor's supplied appliance/VM/platform where you're not expected to replace libraries and its not support

Re:

[Seven Spirals]

I agree with you (I think). The real hassle is getting the individual coder to wake up, switch context, go dig up the impacted version from their VCS, get it running in a dev environment the same as the impacted versions, fix/patch/workaround it, then re-release the patched/fixed/worked-around version, then re-package it (hopefully with little or no change but gotta test/check), lastly push it downstream to repos etc... Very little of that process and the steps I'm leaving out for brevity is actually coding

Re:

[LostMyAccount]

The people who crow about their advantages so much seem to be very dev-focused and involved in fairly integrated environments where they *can* just replace a library and fix "everything" that uses the affected library.

The rest of us (OK, me) live in this fragmented universe of hardware devices and software where the benefits are pretty elusive because the patch process isn't just injecting a new library, even if the vendor patching process does this, and it tends to be just as "involved" a process for outri

Re:

[Seven Spirals]

Oh oh oh, and I almost forgot to comment on your point about containerization and microservices reproducing all the damn shared libraries again anyway, totally washing away most of the shared library advantages. This is a very under-rated point that I often bring up also. What's old is new again. Why bother when compiling a Docker service or some such? I don't see the point of using shared libraries at all in that situation. Just seems like 99% downside at that point.

Re:

[LostMyAccount]

Yeah, it's mostly of real world value to developers and systems which are running in a common environment that actually use a shared library.

But most of real world IT doesn't work that way. Hardware appliances (many running full-on operating systems anymore), virtual appliances, virtualization generally, containers (although I'm not sure if some container schemes don't just use the host system libraries, so maybe some value there) all seem to make shared libraries kind of a joke, a savings of a few gigs of

Re:

[Seven Spirals]

Again, I agree. To whit, our embedded systems are pretty much built as a monolith anyway. Sure we have packages, but the build for our software touches enough of the system (and that system is small enough) that we just rebuild the whole thing and re-run our unit testing scripts looking for any deviations from the last run mostly with simple mechanisms like diff. I don't pretend everyone could do that, but on the other hand I suspect what we do isn't much different from what other embedded developers do. We

Good. Fast. Cheap. Pick two.

[Arethan]

It's not just a money issue, it's a time and direction of effort issue. Lots of open source isn't build for purpose on a schedule, but instead is built for fun or convenience taking as much time as it needs or wants.

Behlendorf does go on to make some points about funds and fundraising, but his point is less on the lack of funding than the allocation of those funds and how they need to be focused on things like paid audits and "providing resources to move critical projects or segments of code to memory-safe languages, or fund bounties for more tests."

Java is already "memory safe" - that was not the problem. Uncovering inventive ways to abuse design flaws is going to be devastating regardless of who finds it first - once details of the discovery are leaked, it's a race between patches and exploit kits - so lack of paid auditors was also not the problem. Jamming functionality into JNDI and log4j with more regard for capability than security was the problem - the only way we fix that is by encouraging sufficient security paranoia during the design phase of the tooling and the tool selection phase of the downstream consumer. I don't quite see an obvious place to inject money to fix that.

Re:

[Antique Geekmeister]

And commercial funding by careless funders can lead to extraordinary destabilization as those funders seek their own, distinct goals.

Re: Good. Fast. Cheap. Pick two.

[AcidFnTonic]

When it says "batteries included", it just means that someone can use those included batteries to start a fire.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[93 Escort Wagon]

It's not just a money issue, it's a time and direction of effort issue.

It hasn’t even been established that the log4j issue had anything to do with money whatsoever. Well-compensated programmers can have bugs in their software, same as anyone else.

As I posted the last time this same topic came up: The active developers appear to be employed professionally as coders. Are they doing log4j as part of their regular jobs? Or is this a side project, done on their own in their own free time? If the former, then using log4j as part of this “open source needs more funding

Re:

[mbkennel]

> Jamming functionality into JNDI and log4j with more regard for capability than security was the problem - the only way we fix that is by encouraging sufficient security paranoia during the design phase of the tooling and the tool selection phase of the downstream consumer. I don't quite see an obvious place to inject money to fix that.

Paid auditors, with the right capabilities.

People, partially outside the normal development stream, whose skill and experience centers around knowledge about how seemingl

Re: Good. Fast. Cheap. Pick two.

[ArmoredDragon]

Actually we already have that. Pretty much all of the largest tech companies (apple being the notable exception) have teams of people on their payroll whose only job is to find security vulnerabilities in open source software (in google's case, even closed source,) or alternatively, they're major financial backers of organizations that do, like ISRG.

Re:

[angel'o'sphere]

And why would Apple be an "notable exception", when Apple is the spearhead of OpenSource Software funding and improvement?

Re:

[gweihir]

Jamming functionality into JNDI and log4j with more regard for capability than security was the problem

Exactly. Functionality where using it can so easily go wrong has no place in a language that need to support secure coding. No dangerous functionality should ever be this easy to use. The log4j people were just the first victims of this glaring design flaw.

Of course not

[SuperKendall]

What highly funded computer system has not had security vulnerabilities?

If there are ever vulnerabilities in things like Cisco routers, which there have been, what makes you think any amount of money could secure every open source library 100% of the time?

This is why defense in depth is so important, if an internal system becomes compromised it shouldn't leave you wide open. And also probably why a range of technologies for internal systems is good, so one library vulnerability doens't leave every single w

Re:

[Antique Geekmeister]

Cisco routers have _deliberate_ vulnerabilities, backdoors deliberately installed for NSA se. Deliberately insalling backdoors means the system will be vulnerable, even if the other code is good.

              https://www.tomshardware.com/n... [tomshardware.com]

Re:

[gweihir]

Cisco routers have _deliberate_ vulnerabilities, backdoors deliberately installed for NSA se. Deliberately insalling backdoors means the system will be vulnerable, even if the other code is good.

https://www.tomshardware.com/n... [tomshardware.com]

There is no indication the majority of serious vulnerabilities found in CISCO gear in the last few years was deliberately placed. Too many were too easy to find or use. Not even the NSA is that stupid. If the NSA were to place backdoors (which is possible) they would at least make they are hard to find or use for others. Or they would use "NOBUS" backdoors in the crypto in the first place, such as they had placed rather obviously in Dual_EC_DRBG. Too many of those CISCO vulnerabilities made the gear open t

Re:

[Antique Geekmeister]

Cisco security is fairly pointless with so many backdoors, and their somewhat secret sharing among crackers. See articles about or read the revelations by Edward Snowden of Cisco embedded vulnerabilitities.

https://www.infoworld.com/arti... [infoworld.com]

Cisco claimed not to know about the program. That's very difficult to believe.

Re:

[gweihir]

So you mean Cisco stopped caring about security at all with the placed backdoors there? Possibly. But they may also just be incompetent.

Re:

[gweihir]

But we are a long way from treating computer security as seriously as we should be, and just throwing money at it will not help at all.

Indeed. One problem is education. I currently teach an application security course for BA CS students. This course is elective. And you know how many mandatory courses in secure software the students have overall? Absolutely zero. And this in 2021. It is a complete disgrace. And it is the same on other places. And these are not bad CS programs at all, apart from this one glaring flaw they are pretty good. But people that do not even know what makes things vulnerable cannot prevent things from being vulnerab

Re:

[Rockoon]

What highly funded computer system has not had security vulnerabilities?

The issue here is that this isnt a computer system, nor is it an application the end user wants to run.

Its a logging library.

Why is a logging library so complex that it cant be trivially secured?

There is no fucking excuse, and the blame doesnt land so much on log4j, but upon the developers that chose to use such a library.

Re:

[Joey Vegetables]

Gross violation of the single-responsibility principle.

IMO, a logger should just log. Nothing more. No encrypting home directories. No managing system time. No washing dishes, no seeding PRNGs, no editing text. Just log.

If that were the case it probably could have been made a lot more secure. So would other well-known and even more problematic pieces of software.

A slight variation on "Zawinski's Law" seems to be in effect here. Every program seems to expand over time until it can exploit vulnerabilit

They say It is not about the funding.

[Fly Swatter]

But lets just keep talking about it in the entire article...

Java has always been

[oldgraybeard]

corporate controlled and driven since the beginning(Sun, Oracle). That was one of the reasons I chose to stay away back in the day. Java = Open Source! you know I never really believed that when it came to Java..

You should treat software the same as hardware.

[Sique]

It comes down to this: Every job you don't do, you have to make sure that someone else does it to your liking.

If you use a third party hardware supplier, you get warranties, certificates, specification and other material, that allows you to vet the stability and usability of the product you buy. But if you are a shop that wants a certain quality, you run an incoming inspection on your supply, and if you run into failures, you talk to your supplier or switch to another one.

You should do the same for a th

Re:

[stabiesoft]

I think this really more than anything else. I think it is easy to fall into the trap of software is easy to update. Problem is, you forget it is even there in modern large systems. I double checked to make sure that somehow I wasn't using log4j even though I never heard of it.

Yep. And that costs money

[raymorris]

When I use open source software at my job, I look at the code to determine whether it's secure enough, in the rights, for the purpose I intend to use it for. Often a improve some part or make it more secure. That costs my time, which is my employer's money.

The summary lists the following points:
security scanning, outside audits, dependency tracking, test frameworks, organization-wide security teams, and requiring projects to remove old, vulnerable code

You can have security scanning done by paying so

Re:

[usedtobestine]

Actually, every job you don't do requres that you trust someone else has done as well as you. If you're a terrible programmer, then that bar isn't very high.

And all after years of almost daily

[oldgraybeard]

Java Security Updates.

The problem is not log4j

[gweihir]

The problem is the lookup-mechanism provided by Java. That this was an exceptionally bad idea security-wise was entirely clear. The log4j people merely had the misfortune to get hit first. And there will be more such strokes of genius in Java. It is time to scrap it as a failed approach.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[gweihir]

Monkey puts gun in it's mouth...and it's the gun's fault?

No. It is the fault of the one that handed the gun to the monkey, obviously.

The fix is harder than just identifying bugs

[Todd Knarr]

Log4Shell wasn't caused by any bug. The software was broken as designed. It wasn't even one flaw in the design, it was the interaction between two flaws:

1. A deliberate decision was made to parse everything being substituted into the format string as another format string. This made it impossible to avoid interpreting raw user input at some point.

2. A deliberate decision was made to permit format strings to use calls to a naming system that could retrieve data without any limits on where it was coming from. This made it impossible to prevent malicious data from being pulled in.

Odds on these decisions were made by 2 different people who didn't have any contact with each other. If Behlendorf wants a place to start, his foundation can start with providing that kind of overview analysis of common libraries looking for places where design decisions interact in undesirable ways.

Note: one major cause of those interactions is the drive to make code as simple and consistent as possible. You can see that in the first decision: all strings are the same, there's only one function for handling them and that function just gets called recursively every time something more needs to be pulled in. The interaction can only be stopped by adding complexity to the code: making the formatting function distinguish between two different types of strings (format strings that need parsed, and data strings which must not be parsed), and modifying the naming system to allow the caller to restrict the domains it can resolve names for to only those that are trusted (which will vary from application to application). I see that all too often from people who don't want to admit that there isn't a clean, simple solution that's safe to use, that the only acceptable solution is going to be messy and awkward and have far too many special cases.

Oh, also beware "Well, that can't ever happen.". If it truly can't happen, your tools will flag the code as unreachable. If it isn't flagged as unreachable, then it can indeed happen if something goes sufficiently wrong (see https://www.cl.cam.ac.uk/~rja1... [cam.ac.uk] for a definition of "sufficiently wrong").

Re:

[bugs2squash]

Where are the 1000 eyes looking at this decision and calling it out though ? Even I can see it is a bad idea when explained the way it has been yet it was not caught in years. The libraries are just too complex. A bare bones RFC-compliant logging component would probably suffice for almost all applications, it just does not need all the bells and whistles.

Re:

[Todd Knarr]

Because a lot of times a bare-bones RFC-compliant library won't suffice. Format strings for instance are a good thing for applications, they let the logging library separate the original data that went into the rendered message so logs can be searched by the unrendered message template (catching all occurrences regardless of the values substituted in) or by particular substitution field values. Name lookup is good because often you want to know the value of the name at the time the problem occurred as oppos

Re:

[The Evil Atheist]

Where are the 1000 eyes looking at this decision and calling it out though ?

This was found by the 1000 eyes looking at it.

Re:

[angel'o'sphere]

This was found by the 1000 eyes looking at it.
No, it was not.
The flaw was in existence for roughly 10 years!! And got found by four eyes "playing Minecraft!"

Re:

[The Evil Atheist]

https://en.wikipedia.org/wiki/... [wikipedia.org]

No, it got found by someone looking at the code. The Minecraft thing came after.

Also, ten years is irrelevant. No one said everything had to be found immediately. The fact is, it was found because someone could look at the code, and they did. Simple as that.

Re:

[angel'o'sphere]

Well,
it is all over the news that it was discovered by 2 Mindcraft players.
No idea if the Alibaba cloud guy in Wikipedia is one of those Mindcraft players.

Fact is: it was not discovered by "1000 eyes" looking on the code: because before it was discovered, no one looked over the code.

The fact is, it was found because someone could look at the code, and they did. Simple as that.
Exactly. However parent was of different opinion.

Re:

[The Evil Atheist]

And then it was all over the news that China suspended contracts with Alibaba for not reporting it to them first. The Alibaba guy found it first, because that was his job (or his team's job, assuming he worked as part of a team).

Fact is: it was not discovered by "1000 eyes" looking on the code: because before it was discovered, no one looked over the code.

That's as ridiculous as saying "why is it always in the last place I look?"

Pray tell give me an example of someone finding an exploit before looking at the code.

Re:

[angel'o'sphere]

Pray tell give me an example of someone finding an exploit before looking at the code.
Erm, no idea about what you want to nitpick.

Our parent claimed: 1000 eyes found the bug. I pointed out, no: it was 4. Now you reduce it to 2 who found it first and 4 who found it later.

So: what is the reason you interjected into this discussion?

Re:

[tlhIngan]

Odds on these decisions were made by 2 different people who didn't have any contact with each other.

Well, format string substitutions is extremely useful for logging - it lets you log a message explaining the problem and then filling in various details, which is hard to do without formats. Some of them are simple - you might want a debug message to tell you the file/class/method/line where it's being printed, but you also might want to log stuff like the user making the request (depending on the level you

KISS

[bradley13]

Here's an idea: stop addi g every possible feature to things. Everybody's ideas get added, because...why? Lean, simple code instead of megabytes of cruft. That's what OSS ought to emphasize. Personally, I avoid using Apache libraries, precisely because every library is huge and complex, and every library brings in additional libraries, equally huge and complex.

Re:

[Mr. Barky]

Why? The problem is somewhat an evolutionary problem. There have without a doubt been many, many simple logging libraries that have met the needs of a handful of users. In order for a library to be installed on lots of systems, it has to meet the needs of lots of users, which leads to complexity. "Natural selection" favors the complex libraries. It is similar to why an application like Word has so many features. Each user might use 5% of the application but the 5% is different for each user. All the feature

Re:

[John-after-logtime]

At the very least, stop enabling everything by default.

I hope this isn't about pushing NFTs or crypto

[typewriter33]

had about enough of that

Overhyped?

[Spit]

Doesn't this vuln require outbound route to a hostile server? Isn't the mitigation default deny outbound which should be default?

Re:

[angel'o'sphere]

Doesn't this vuln require outbound route to a hostile server?
Correct, unless you are an insider and want to hack it as an employee etc.

Isn't the mitigation default deny outbound which should be default?
Exactly. And that actually be configured on the host running the VM already, or any router/gateway leading outwards.

Not a funding issue

[dromgodis]

I don't see it as a funding issue, and I don't believe funding would have prevented log4shell.

There were obviously resources available to develop the feature that was requested. Also, there were obviously resources available to quickly fix log4j. I seriously doubt that if they had gotten a bag of money five years ago, they would have spent it looking for this kind of vulnerabilities.

Also, I don't see the vulnerability as such as an OSS issue. Similar things happen in closed source commercial software, small

My 2005 book addressed the problem

[cjonslashdot]

In High-Assurance Design (https://www.amazon.com/High-Assurance-Design-Architecting-Enterprise-Applications/dp/0321793277), I explained by standards and bureaucratic approaches will not work, and why the only thing that works is making security a priority, and requiring all developers to learn secure coding as a core expertise. And I believe that will only happen if software producers bear significant liability for the losses due to vulnerabilities.

How do you make a secure app/computer?

[rapjr]

What app/computer anywhere is a prime example of a secure system? Is there even one in the world that can serve as an example? The general consensus seems to be that if there is a will there is a way to get into any computer that is networked and to compromise any app, and the fact that provable security is still an open scientific research question is an indication that security is not yet possible. Apps in particular are a huge vulnerability everywhere. Until we can build one secure networked app/comp

We didn't ask your permission to code, normies.

[Seven Spirals]

Programmers don't have to ask your permission to write code. Surprise! They can write whatever the fuck they want and the hapless assholes complaining about it can feel free to run that code, or fuck off. That's your choices when you are a taker (and a whiner, I might add) rather than a maker. I guess you could all get together and try to ban independent coders, which I see many have already suggested. Disgusting.