Open Source Security: Managing Risk in the Wake of Log4j Vulnerability

Authors

  • Sreejith Sreekandan Nair, Independent Researcher, Texas, USA
  • Govindarajan Lakshmikanthan, Independent Researcher, Florida, USA

DOI:

https://doi.org/10.63282/3050-9246.IJETCSIT-V2I4P104

Keywords:

Open-Source Security, Log4j, Vulnerability Management, Risk Assessment

Abstract

This paper discusses how open-source software (OSS) has transformed the software industry within organizations, primarily through cost savings, development speed, and community support. Nevertheless, its open nature brings specific security issues into a project, as shown most starkly when a critical flaw such as Log4Shell was disclosed in December 2021. The paper therefore examines open-source security issues using Log4j as its detailed case study. We highlight how vulnerabilities in widely used OSS libraries propagate across ecosystems, the approaches organizations have implemented to address them, and, overall, the measures that could prevent such risks from recurring. The contributions of this work are a comprehensive survey of the prior art, an extensive study and documentation of the Log4j vulnerability, and a proposed risk management framework designed specifically for open-source software environments. The paper further provides a mathematical model for risk assessment and presents an approach for automating OSS vulnerability detection and response. From this, we derive actionable recommendations to improve an organisation's resilience against OSS security threats.


Published

2021-11-24

Section: Articles

How to Cite

Sreekandan Nair S, Lakshmikanthan G. Open Source Security: Managing Risk in the Wake of Log4j Vulnerability. IJETCSIT [Internet]. 2021 Nov. 24 [cited 2025 Oct. 4];2(4):33-45. Available from: https://www.ijetcsit.org/index.php/ijetcsit/article/view/92
