We’re going to be cleaning up Apache Log4j security problems for months to come, but the real problem isn’t that it was open-source software. It’s how we track and use open-source code.
When security vulnerabilities were found in the extremely popular open-source Apache Log4j logging library, we knew we were in trouble. What we didn’t know was just how much trouble we were in. We know now. Just ask the Belgian defence ministry. In this ongoing security disaster, many people blame open source for all our troubles.
In the Financial Times (FT), Richard Waters, the newspaper’s west coast editor, wrung his hands, saying it’s a “little alarming to discover that, more than two decades into the open-source era, glaring security holes sometimes surprise even the experts.”
Surprising? I think not. It’s software. It always has bugs. Sometimes they’re really bad bugs. As security maven Bruce Schneier said over 20 years ago: “Security is a process, not a product.” There’s no surprise here.