Post-Log4Shell: How Has the Channel Ecosystem Been Affected?
Security partners need to help secure the software supply chain and show companies how that tech works.
August 5, 2022
By Tom Herrmann
Tom Herrmann
The discovery of Log4Shell late last December unearthed an uproar throughout industries as organizations scrambled to unveil whether their devices were alongside the hundreds of millions worldwide that utilized the Java-based logging utility, Log4j. Just weeks following the identification of the vulnerability, the Federal Trade Commission (FTC) issued a warning for businesses that all must apply patches or face legal action.
With the risk of legal action looming, the logical next step would be to apply the necessary patch. This would be enough in most scenarios, but Log4Shell presented a new set of challenges – it was extremely difficult for businesses to determine where the patch was necessary. The aftermath of this vulnerability left businesses scrambling to establish if the flaw was present within their systems so they could work to identify the quickest and most efficient course of action. A lot of organizations turned to their trusted advisers (partners) for guidance on solutions and services that could help.
When large-scale security threats emerge, it’s a stark reminder for partners that bad actors are always on the move, finding ways to cause tremendous business damage. Now, more than six months following the initial Log4Shell discovery, there’s been a shift within the channel environment. Businesses are in pursuit of security partners that enable them to remain protected against today’s inevitable enterprise threats.
What does this mean for the channel and how can organizations ensure their security expectations are met? Let’s take a look.
The Channel and Software Security
Software and application security (AppSec) have been brought to the forefront of partner discussions following Log4Shell and attacks like SolarWinds with far-reaching software supply chain impacts as organizations have become increasingly aware of the threats that exist within their digital environments. These types of vulnerabilities and attacks that impact businesses of all sizes, regardless of their industry, garners attention in a way that influences companies to re-examine their security profile.
These wide-ranging security threats have reminded organizations that — much like when a car engine is working it doesn’t mean a mechanic won’t lift the hood to examine what’s underneath during a regular checkup — they must also routinely examine the intricacies of their security tools to ensure everything is operating properly. When organizations take a deeper dive, most realize they’re largely unaware of what comprises the software they’re running. This is another opportunity for partners to offer advice and solutions.
There’s a concerning disconnect between users and their software. Open source has become a foundational component of software. In fact, 98% of software and internet codebases contain open source alongside 96% of enterprise software/software-as-a-service (SaaS). Despite open source being widely adopted within enterprise software used daily, 85% of codebases contain open source more than four years out of date and 88% utilized components that weren’t the latest available version. These numbers should raise alarms — there’s a lack of software maintenance pointing to most systems not remaining up to date.
These outdated systems place enterprises at higher risk of successful exploitation by cybercriminals. Arguably the most concerning part of outdated systems is the reality that most remain out-of-date due to the unfortunate fact that many don’t know what’s within their systems or that an updated version is available. Modern software requires unique oversight that many aren’t accustomed to or prepared to handle.
Software and application security have become core components to enable business continuity, but even the most dependable vendors aren’t …
… immune to the software threat landscape. To address these ever-growing and daunting challenges, organizations are asking themselves how to find the right security partner.
Tackling Software Security Conundrum — How to Find the Right Partner
Ask any security leader and they’ll say the same thing: the most critical aspect of a security breach is time. The time it takes a vendor to recognize they’ve been targeted, the time it takes for them to alert their customers, the time it takes for them to take the proper steps to fix the issue that allowed them to become compromised in the first place, and the time it takes to assess the impact.
The same is true with software vulnerabilities. Timeliness was no exception when it came to the discovery of a zero-day in Log4j, but this vulnerability unveiled yet another obstacle – the time it takes to identify whether a vulnerability is present within systems.
While this sort of timeliness is important for a partner to possess, an ideal partner is going to be one whose goal is to help reduce customer risk before even getting to that point. AppSec is about catching vulnerabilities that can result in breaches before they happen. Organizations should consider AppSec a preventive medicine, with the goal of keeping companies healthy before an issue arises as opposed to using it to cure an existing issue.
AppSec and software security are now more commonly viewed as business growth and retainment opportunities. The topic may be unfamiliar to some partners even if they have a background selling or providing services in other areas of cybersecurity, so it’s crucial to be able to offer support with trainings and guidance to help further extend their knowledge. Due to the existing user-education gap around software, having a partner that’s willing to guide an organization through their security journey and help to implement preventative measures is key. When taking an AppSec approach, businesses can secure every aspect of their software supply chain, from code development to testing package software.
While AppSec may not have been able to prevent Log4Shell altogether, a proactive AppSec approach — accompanied by diligent and rigorous testing routines to understand where an organizations’ software makeup stands — would have given a preemptive leg up in the scale of Log4Shell’s impact.
What’s Next for the Channel?
As severe vulnerabilities and attacks show no sign of slowing down, there will be considerable re-examination across industries when it comes to security strategies.
To face the challenges of the software supply chain, channel partners must evaluate how they are taking preventative approaches to security while keeping end users in mind. Just as important as having the right technology in place, a successful channel partner allocates the time to show and properly elaborate on how that technology works. With the right security partner, teams won’t need to scramble should a security challenge arise; their systems will be set up for success and they’ll feel more confident in how to tackle threats.
Tom Herrmann is vice president of Global Channels and Alliances for the Synopsys Software Integrity Group. Previously, Herrmann has built and led partner programs at Oracle, Tanium and VMware. You may follow him on LinkedIn or @synopsys on Twitter.
You May Also Like