Interview with Mike Manrod, CISO, and Christian Taillon, IT Security Engineer at Grand Canyon Education
In December 2021, attackers began exploiting a critical, zero-day vulnerability in the popular open-source logging tool Apache Log4j that allows remote code execution on vulnerable servers.
Notably, attackers immediately began leveraging the Log4j vulnerability to target SolarWinds and VMware servers, among other ubiquitous commercial applications. Fast forward to today, and Log4j exploits are found in botnet packages, including IoT botnets in the case of Mirai, as well as ransomware, crypto miners, and other malware programs.
Recently, the Department of Homeland Security’s Cyber Safety Review Board (CSRB) released a study on how the Log4j vulnerability has impacted the software supply chain. As stated in the report, “A vulnerability in such a pervasive and ubiquitous piece of software has the ability to impact companies and organizations… all over the world.”
The report’s first recommendation is to prepare to address Log4j issues for years to come. The report’s authors call for software providers to bake security into development processes by promoting increased investments in open-source software security, training, and community-based security initiatives. A critical recommendation that should not be overlooked is piloting and funding ongoing maintenance of open-source software, components, and libraries.
“Development organizations need to apply multiple tools early, such as binary scanning tools and static analysis, to know what’s in the software and being accumulated along the way. They should also think about how the product is being used and how that makes it vulnerable,” says Mike Manrod, CISO at Grand Canyon Education (GCU). He and Christian Taillon, IT Security Engineer at GCU, are back on Shift Left Academy for a second time to discuss the short- and long-term ramifications for commercial software developers based on the DHS report’s recommendations.
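The point about knowing what is in the software, including what is accumulated transitively along the way, is what a software bill of materials (SBOM) check makes concrete. The script below is an added example written for this page, not code from the interview, GCU, or the CSRB report. It assumes a CycloneDX-style SBOM in JSON (with nested `components` for transitive dependencies); the SBOM contents and the `EXAMPLE_MIN_VERSION` threshold are constructed placeholders for illustration, and the real minimum version should come from the vendor advisory.

```python
import json
import re

# Constructed CycloneDX-style SBOM for this example; it does not describe any real build.
# One log4j-core copy is pulled in transitively under "web-app", one is top-level.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {
      "type": "library",
      "name": "web-app",
      "version": "1.0.0",
      "purl": "pkg:maven/com.example/web-app@1.0.0",
      "components": [
        {
          "type": "library",
          "name": "log4j-core",
          "version": "2.14.1",
          "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
        }
      ]
    },
    {
      "type": "library",
      "name": "log4j-core",
      "version": "2.99.0",
      "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.99.0"
    },
    {
      "type": "library",
      "name": "log4j-api",
      "version": "2.14.1",
      "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"
    }
  ]
}
"""

# Placeholder threshold, assumed for the example only; use the advisory's minimum in practice.
EXAMPLE_MIN_VERSION = "2.99.0"

LOG4J_CORE_PURL_PREFIX = "pkg:maven/org.apache.logging.log4j/log4j-core@"


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1) for tuple comparison.

    Only the leading digits of each dot-separated part are used, so a
    qualifier such as '2.0-beta9' compares as (2, 0).
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if match:
            parts.append(int(match.group()))
    return tuple(parts)


def walk_components(components, path=()):
    """Yield (path, component) for every component, descending into nested ones.

    Nested components are how transitive dependencies show up, which is exactly
    the 'accumulated along the way' case that a top-level-only check would miss.
    """
    for component in components:
        here = path + (component.get("name", "?"),)
        yield here, component
        yield from walk_components(component.get("components", []), here)


def find_log4j_core(sbom, min_version):
    """Return findings for every log4j-core component older than min_version."""
    threshold = parse_version(min_version)
    findings = []
    for path, component in walk_components(sbom.get("components", [])):
        purl = component.get("purl", "")
        if not purl.startswith(LOG4J_CORE_PURL_PREFIX):
            continue  # log4j-api and unrelated libraries are not flagged
        version = component.get("version") or purl.rsplit("@", 1)[1]
        if parse_version(version) < threshold:
            findings.append({"path": " -> ".join(path), "version": version})
    return findings


def scan_sbom_text(text, min_version=EXAMPLE_MIN_VERSION):
    """Parse an SBOM JSON document and report outdated log4j-core copies."""
    return find_log4j_core(json.loads(text), min_version)


if __name__ == "__main__":
    for finding in scan_sbom_text(SAMPLE_SBOM_JSON):
        print(f"log4j-core {finding['version']} below {EXAMPLE_MIN_VERSION}: {finding['path']}")
```

The match is on the package URL rather than the display name, so a renamed or shaded jar that still carries the correct `purl` is caught, while `log4j-api` (which shares the name prefix but is a different artifact) is not reported. Running the same check on every build's SBOM, rather than once during an incident, is what turns "know what's in the software" from a scramble into a routine gate.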
Resources related to this interview:
- GNU Affero GPL: https://www.gnu.org/licenses/agpl-3.0.html
- Comparing open-source licenses: https://choosealicense.com/licenses/gpl-3.0/
- NIST Documentation on Software Bill of Materials: https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1