Ravi Dhungel

Software systems are inherently complex. The vulnerability of the software systems in critical infrastructure is a national security concern. To build a software application, thousands of lines of code are written by the software developers. Many of the codes are open source - managed by communities and the code and applications are provided free of cost with some licensing requirements. Codes written by private corporations and government entities are proprietary and confidential information. Log4j2 was written by apache foundation and is the open source library for logging used primarily in Java applications.

There are many reasons for the software vulnerability. One of the major reasons is human error or the poor quality in the software development process. If the software is tested rigorously, much vulnerability can be fixed during the development cycle. However, testing the software rigorously is not an easy task and is out of the scope for many reasons - often the application consists of the external libraries that are developed by the external entities and the development team doesn’t have experience on building those libraries. Also the cost drives the software testing. Development teams have to rely on third parties to improve the quality of their applications. Writing a new operating system and all the stacks on top of it is very expensive and not feasible. With the microservices architectures, the application has to rely on third parties API’s (Application Programming Interface) and software supply chain continues to be critical for data security.

Software vulnerability
Log4j2 is zero day vulnerability. This is the most severe software vulnerability in a generation. Java is the most widely used programming language on the internet. According to Wikipedia “zero-day is a computer-software vulnerability either unknown to those who should be interested in its mitigation or known or a patch has not been developed. Until the vulnerability is mitigated, hackers can exploit it to adversely affect programmes, data, additional computers or a network.” The patch has already been developed for log4j. The scope of the log4j2 vulnerability is very high as apache foundation lists at least 43 applications vulnerable to log4j developed by Apache foundation. Apache foundation is one of the most widely used open source community that also develops apache web server - one of the most widely used web applications on the internet that is not written in Java.

The log4j flaw allows bad actors to execute code remotely on a target computer, which could let them steal data, install malware or take command and control. In simple terms, any request made on the internet by your browser is logged in the application server if it is running the Java and log4j2 library. This logging is done by the open source software log4j2 that makes the system vulnerable. Because of the flaw, the attacker can remotely connect to the remote server and steal the data.

Law enforcement agencies like Nepali Army, Nepal Police and Armed Police Force should develop Cyber warriors - the special cyber force that can fix the software vulnerabilities, deploy immediately and also coordinate with international law enforcement agencies to curb the challenges of global and national security of digital infrastructure. Nepal should establish a threat intelligence sharing platform between government entities and private entities. Furthermore, threat Intel can be developed for different types of industry ex FS-ISAC for financial institutions, DB-ISSAC for defence industrial base. E-ISAC for electricity threat Intel sharing like in the United States.

Private organisations should empower themselves with the cyber security engineering workforce. Private organizations should be forthcoming on any cyber security related threats and breaches and report to the law enforcement agencies immediately. As a private citizen, you should be lobbying for better public policy on cyber security and privacy. As secure cyberspace is critical both for kids and adults, it is the responsibility of citizens to educate themselves and the government for the next generation of technologies we will be using and building.

As an individual, it's very less likely that you will be directly impacted. But it's very likely that you are already using the software applications written in Java core that uses log4j2 logging libraries. If you know the vendors, they should have already mitigated the vulnerability and published it on their website. If you are curious, just do some research on the applications that you are using.

Software inventory
The biggest challenge in software security lies in the management of the supply chain process. With hundreds of libraries and microservices being developed inside and outside the organisation, management of libraries becomes a challenge. Log4j2's biggest challenge is also a supply chain. Most java applications use the log4j2 logging library. While buying a new software or hardware proper supply chain management and vendor risk management process should be developed both in private and public enterprises. More specifically, if the infrastructure is related to critical infrastructure, there should be a provision to make the defence clearance and ensure that the product is of national interest by Nepalese Army.

The importance of software inventory at the national level is critical so that law enforcement agencies proactively deploy their cyber warriors in case of emergency and mitigate the vulnerabilities in the critical infrastructure. Vulnerabilities management process should be a continuous process. Monitoring and scanning the digital environments using static and dynamic scanner should be ingrained in the continuous integration and continuous deployment process of the software development. Sooner or later new vulnerabilities will be found and the organization should have processes in place to patch the vulnerabilities as soon as possible. The organization should develop metrics for monitoring vulnerabilities and decrease the Minimum Time To Patch (MTTP).

(Dhungel is the Chief Information Security Officer at www.esrtech.io. ravi@esrtech.io.)