- Security flaws in free and open source software (FOSS) will be a recurring source of cyber risk, Moody's Investors Service found. It could take organizations three to five years to fully resolve issues related to the Log4j vulnerability.
- Certain industries vary in their ability to respond to vulnerabilities, according to 2021 data from BitSight, a Moody's partner on cyber issues. The telecommunications industry trails other sectors, remediating only 29% of critical vulnerabilities within 90 days. The legal industry, with the quickest response time, remediated 68% of critical vulnerabilities in the same time frame.
- The use of FOSS can save organizations considerable time and funding. But issues remain about the lack of financial support and, due to the voluntary participation of many contributors, developers experience high levels of burnout.
Two months after the initial disclosure of the Log4j vulnerability, companies across the nation still grapple with long-term cybersecurity concerns.
Open source projects are critical components of the software that major industries use every day, according to Leroy Terrelonge, vice president and senior analyst in the cyber risk group at Moody's.
"That's a really big weakness in our current system," Terrelonge said. "That only the biggest and most well-resourced organizations can afford to pore over code."
Open-source flaws can linger. Moody's noted a case in January where researchers discovered a 12-year-old vulnerability in devices running on Linux.
The Biden administration has been working with private industry to secure the software supply chain. National Institute of Standards and Technology unveiled guidance this month outlining a process for software producers to attest the use of secure software development practices to help strengthen the supply chain.
Experts are calling for additional investment in open source to help secure the software supply chain. Measures like a software bill of materials could help industry uncover vulnerabilities more quickly, though it won't prevent them, said David Nalley, president of the Apache Software Foundation, who testified to a Senate committee this week.
While open source helps organizations save considerable time and effort on development, security concerns must be accounted for, said Sandy Carielli, a principal analyst at Forrester.
"However, the mistake is to assume that you can grab an open source library and then never look at it or update it again," Carielli said via email. "Organizations need to get better about managing their open source — understanding where it is used and automating updates so that when something like Log4j happens, it's a blip on the radar and can be remediated with practiced upgrade procedures."
The Moody's report follows a January report from Fitch warning about the increased cyber risk of Log4j to public finance entities, including local governments, small utilities and critical infrastructure providers.