Open source security leader Brian Behlendorf discusses the impact of Log4j



Over the past few weeks, the security world has been turned upside down as teams scrambled to work out whether they need to worry about the Log4j vulnerabilities. The relatively small Java library does nothing flashy, but it is a streamlined open source tool for recording software events, and that made it popular with Java developers. As a result it often turns up in corners where people don't expect it.

While security teams will continue to debate the nature of the flaw and to discover similar problems, many are wondering how this might change the industry's reliance on open source. Everyone enjoys free tools until a problem like this appears. Is there a deeper problem in open source development that caused this? Can society continue to reap the rewards of open source without changing its expectations and responsibilities?

VentureBeat spoke with Brian Behlendorf to understand the depth of the problem and to explore how software developers might prevent another flaw like this from reaching such widespread distribution. Behlendorf was one of the original developers of the Apache web server and has long been a leader in open source development. He works with the Linux Foundation and the Open Source Security Foundation (OpenSSF) to identify better practices and support them throughout the open source ecosystem.

VentureBeat: Could something like this happen with closed source?

Brian Behlendorf: Absolutely. There's no such thing as bug-free software, right? There are only the bugs that have been discovered so far.

Naturally, some software receives much more scrutiny than other software, but there is no reason to believe that proprietary commercial software is better tested than open source software.

VentureBeat: There's probably not enough verification anywhere, right?

Behlendorf: Asking software developers to re-read and re-check old code is just not a regular practice, whether proprietary or open source. For the same reason, you don't see a lot of scientists repeating old experiments. They are not rewarded for revisiting old work.

They are rewarded for doing new work, for adding new features. You are not rewarded for refining old code. You know, that bit of code that Larry wrote over there? After he left, or whatever, nobody went back to look at it because it seemed to be working. It looked like it passed the tests. And if it's thorny and disagreeable, we want to treat it like a black box.

VentureBeat: The same is true of open or closed source teams?

Behlendorf: The incentives, whether in commercial or open source code, don't really favor going back and looking at this stuff. It often takes a disaster like this to persuade people to make the effort to find it.

VentureBeat: I was working on a project, and we made a filtering feature fancier, offering arbitrary regex filtering. The manager said it was "pretty awesome" but to "dial it back." Well, we left the arbitrary regex code there and put in a pull-down menu with only a few options that, in turn, feed the regex on the backend. I think something similar happened with the Log4j team here, right?

Behlendorf: Absolutely. I think in both proprietary and open source code there is a tendency to say "yes" when someone shows up with code that implements a new feature. There is a tendency to accept it in order to grow the pool of developers around the project. We err on the side of saying "yes" to people who seem reasonable.

VentureBeat: But then that opens the door to problems, right?

Behlendorf: Absolutely. Should a logging utility be parsing for formatting? Should user-contributed input, among other things, be allowed to carry instructions for expanding the content? The answer should be "No." In fact, this is something that is in our secure coding guide and in the training material we put on edX as part of the OpenSSF activity. We specifically recommend against trusting any form of user input. But if your inclination is to say "yes" until the new feature is proven wrong, then you are going to end up with a surprise like this.

VentureBeat: But if you start rejecting things, the project dies too, right?

Behlendorf: The opposite of this is saying "no" to everything unless it has been thoroughly verified. That can also be a recipe for obsolescence: a road with no discovery, no risk taking, no new features at all. Those are the two ends of the spectrum, and we want to navigate the path between them.

VentureBeat: You mentioned some OpenSSF courses. Do you think we can develop meta-processes to try to catch these kinds of things?

Behlendorf: Certainly. There is a corpus of knowledge about how to write software defensively, and about being thoughtful about what is going on beneath your abstraction layers. This is often not part of computer science education, and it is definitely not part of most professional training. We need to think more about writing code defensively and writing for a zero-trust environment.

Maybe we need to start expecting those who become maintainers to either take a course like this or prove their mastery in some other way.

VentureBeat: Do you think it's possible to do any kind of automation with this? I remember some people in the OpenBSD group wrote a lot of small scripts to search for basic anti-patterns to avoid.

Behlendorf: Of course, there are static analysis tools and fuzzers. SAST tools are actually designed to try to find some of these common errors. But in the case of Log4j, it is not clear to me that the tools would have caught it. It was a kind of deliberate design flaw that got missed. I don't know of any of them that would highlight the problematic architecture, because that requires an almost AI-level awareness of what the program was intended for.

VentureBeat: Maybe that could become a big part of the infrastructure?

Behlendorf: Yes. That could be in the long run, where, you know, we've started [seeing] AI applied to coding. You saw it on GitHub. They call it AI-assisted software development, and those kinds of techniques are [thought of] like autocomplete, but for software development.

They cost money to use, and that can be a barrier for teams to pick them up.

The other problem is that a lot of these tools generate a lot of false positives, a lot of things that seem to be wrong but aren't. It is hard to wade through the false positives to try to solve the problem. Is this a legitimate issue, or just something that seems wrong?

So one thing we want to do at OpenSSF is [work to] figure out, "How can we help bring together a common portal for the reports of such tools, wherever they are run?" Then the software developers at the forefront of a project such as Log4j could begin to sort out the false positives and mark them, "Don't bother me again with this," you know, and get a little economy of scale, instead of lots and lots of different people running these tools and having to go and triage independently. It is difficult to get completely right through automation.

Back in May, I believe the White House ordered a software bill of materials. Basically, a label on a software package that tells you what's inside. When a new vulnerability comes out, it lets you quickly find out what's inside your deployed software, to say, "Oh, here is where I'm using Log4j, even though it was embedded three layers deep inside another black box."

VentureBeat: I'm concerned that this will make people even more scattered across libraries.

Behlendorf: We tend to promote atomization in software packages. It is common today to have hundreds to thousands of dependencies. Not long ago, there was a library (left-pad) that was pulled because someone had a dispute with someone over licensing or branding, whichever it was. That had a downstream ripple effect where internet services were going down because teams could not push the update to production, or things were failing and brittle when they did.

This should make people aware that we need to be serious about safety and resilience in how we build and move toward production. Pulling these tiny little bits together into one common platform would be really helpful. Then check it so that everything is up to date, so everything in it is designed to work with everything else. I would like to see more focus on returning to integrated libraries.

VentureBeat: You talked about some new projects coming down the road from OpenSSF to solve these problems. Can you talk about them?

Behlendorf: We're still putting the pieces together. Since last year, the project, which is part of the Linux Foundation and includes members like Microsoft, Google, and many financial services companies, has been focusing on software as a supply chain, right? From the original developers to the end user, through building and incorporating these dependencies: all of these places [are] part of a kind of picture of how the world works.

What we've launched are training efforts for better security on edX. We will begin to use the funds we have received to carry out targeted interventions for some of the more critical parts of the infrastructure, which will be really helpful. Things like static analysis scans, and is there any way to vet the security of a person who comes in and does something?

VentureBeat: Is there a way to support the projects themselves?

Behlendorf: We feel that the security teams at places like Apache, the Python Foundation, or the Node.js community have not really received much attention. As in, how do they work? How are they resourced? What standards do they adopt? We plan to work with those security teams to develop common standards for how to run a security team on an open source project, and maybe find ways to channel funds directly to those teams so they can be more proactive.

One of the things open source projects strive for is minimal practical administration. They all try to say, "What is the least amount of bureaucracy we can get away with while protecting ourselves from a legal point of view?"

This means that security teams have fewer resources, and that means they are shy about establishing requirements for things, like, if you're a project maintainer, you've got to have security training, right? Perhaps part of the shift we can make is to help foundations find the resources they need to better provision their security teams, maybe even with paid security experts on those teams who can go and actively find the next Log4j vulnerability in their code. We've put together a bunch of funds to do some interesting things in this domain, and you'll start seeing some announcements soon.
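As an added illustration of the point Behlendorf makes above about a logging utility that expands content found in user-contributed input, here is a toy Python formatter. This is example code written for this page, not Log4j's, OpenSSF's, or the Apache project's code. It assumes a hypothetical `${prefix:arg}` placeholder syntax with two made-up lookup plugins (`env`, which reads a constructed stand-in environment, and `upper`), and a layout pattern where `%m` marks where the message goes. The unsafe variant splices the message into the layout before expanding placeholders, so a placeholder smuggled into any logged field (a username, a User-Agent header) is resolved with whatever access the logger has; the safe variant expands only the operator-controlled layout and inserts the message as opaque data.

```python
import re
from typing import Callable, Dict, List

# Constructed stand-in for the process environment. A real logger would read
# os.environ, which is exactly what makes this expansion path dangerous.
FAKE_ENV: Dict[str, str] = {
    "APP_NAME": "billing",
    "DB_PASSWORD": "hunter2",
}

# Hypothetical lookup plugins, in the style of a logging library whose layout
# pattern can pull values from the environment or transform strings.
LOOKUPS: Dict[str, Callable[[str], str]] = {
    "env": lambda key: FAKE_ENV.get(key, ""),
    "upper": lambda s: s.upper(),
}

# Matches the innermost ${prefix:argument}. The argument may not itself contain
# '$', '{' or '}', so nested lookups are resolved inside-out by repeated passes.
INNERMOST = re.compile(r"\$\{(\w+):([^${}]*)\}")


def expand(text: str, max_rounds: int = 10) -> str:
    """Resolve ${prefix:arg} placeholders in text, innermost first.

    Unknown prefixes expand to the empty string so the loop always makes
    progress; max_rounds caps nesting depth as a second safeguard.
    """
    for _ in range(max_rounds):
        text, count = INNERMOST.subn(
            lambda m: LOOKUPS.get(m.group(1), lambda _arg: "")(m.group(2)),
            text,
        )
        if count == 0:
            break
    return text


def format_unsafe(layout: str, message: str) -> str:
    """Anti-pattern: splice the message into the layout and THEN expand.

    Placeholders are resolved across the whole line, so ${...} text carried in
    an untrusted field is executed with the logger's privileges.
    """
    return expand(layout.replace("%m", message))


def format_safe(layout: str, message: str) -> str:
    """Hardened form: expand only the operator-controlled layout, then insert
    the message verbatim. Untrusted text is data, never a template."""
    return expand(layout).replace("%m", message)


def find_lookups(field: str) -> List[str]:
    """Detection helper: list placeholder-looking substrings in an untrusted
    field, useful for alerting even once the logger itself is fixed."""
    return [m.group(0) for m in re.finditer(r"\$\{[^}]*\}", field)]


if __name__ == "__main__":
    layout = "[${env:APP_NAME}] %m"
    # Constructed attacker-controlled value, e.g. a username typed at login.
    message = "login failed for user ${upper:${env:DB_PASSWORD}}"
    print(format_unsafe(layout, message))  # leaks the secret into the log
    print(format_safe(layout, message))    # logs the literal placeholder
    print(find_lookups(message))           # what a detection rule would flag
```

The difference between the two formatters is the order of two operations, which is why a SAST tool has little to key on: both call the same expansion routine on the same data, and only the intended trust boundary tells them apart.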
