UPDATED 19:40 EDT / JULY 14 2022


DHS review board declares Log4j an ‘endemic vulnerability’

The first report from the U.S. Department of Homeland Security’s Cyber Safety Review Board today declared Log4j an “endemic vulnerability.”

Log4Shell first emerged in December as an actively exploited vulnerability in Apache Log4j, open-source software used by numerous companies. The initial vulnerability, and the related ones that followed, allow attackers to access affected systems. They were targeted by run-of-the-mill criminal hackers and state-sponsored hacking groups alike.

The Department established the Cyber Safety Review Board in February to bring together government and industry leaders to elevate cybersecurity. CSRB reviews and assesses significant cybersecurity events so government, industry and the broader security community can better protect networks and infrastructure. Five months later, that is what it has done with Log4j.

The report, which includes 19 actionable recommendations for government and industry, describes Log4j as “among the most serious vulnerabilities discovered in recent years.” The recommendations focus on driving better security in software products and enhancing public and private sector organizations’ ability to respond to severe vulnerabilities.

The recommendations largely echo those made previously by cybersecurity companies and government bodies. The standout from the report, however, is the declaration that Log4j is an “endemic vulnerability.”

“Log4j is not over,” the report states, adding that “vulnerable instances of Log4j will remain in systems for many years to come, perhaps a decade or longer” and that “significant risk remains.”

The board argues that the Log4j event illustrated how counterintuitive cybersecurity defense can be for both individual enterprises and the ecosystem. On the one hand, it said that Apache did many things right, including having a well-established software development lifecycle. Yet organizations still struggled to respond to the Log4j event and the hard work of upgrading vulnerable software is far from complete across many organizations.
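A practical consequence of that finding is that organizations need a repeatable way to find the copies of Log4j still sitting on their systems. The following inventory script is an added example for this article, not code from the CSRB report, SiliconANGLE or the Apache project: it walks a directory tree, reads each log4j-core JAR's manifest (falling back to the file name), compares the version against a minimum-safe floor that is a placeholder here (MIN_SAFE_VERSION, to be taken from the Apache Log4j security advisories), and records whether the JndiLookup class, whose removal was a common stop-gap before upgrading, is still present.

```python
import os
import re
import zipfile

# Placeholder floor: take the real value from the Apache Log4j security advisories.
MIN_SAFE_VERSION = "2.99.0"
# Class whose removal was the widely used stop-gap before upgrading.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """'2.14.1' -> (2,14,1,0,0); '2.0-beta9' -> (2,0,0,-1,9) so betas sort first."""
    m = re.match(r"(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?$", (text or "").strip())
    if not m:
        return None
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    return nums + ((-1, int(m.group(3) or 0)) if m.group(2) else (0, 0))

def inspect_jar(path):
    """Return (version, jndi_lookup_present); version from manifest, else file name."""
    version, jndi = None, False
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            jndi = JNDI_LOOKUP in names
            if "META-INF/MANIFEST.MF" in names:
                for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
                    if line.lower().startswith("implementation-version:"):
                        version = line.split(":", 1)[1].strip()
    except zipfile.BadZipFile:
        pass  # corrupt or not a zip: fall back to the file name below
    if version is None:
        m = re.search(r"log4j-core-(.+)\.jar$", os.path.basename(path))
        version = m.group(1) if m else None
    return version, jndi

def classify(version, jndi_present, min_safe=MIN_SAFE_VERSION):
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"  # resolve by hand; never assume an unknown build is safe
    if parsed >= parse_version(min_safe):
        return "ok"
    return "vulnerable" if jndi_present else "mitigated"  # mitigated still needs the upgrade

def scan(root, min_safe=MIN_SAFE_VERSION):
    """Walk root; return sorted [(path, version, status)] for every log4j-core JAR."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version, jndi = inspect_jar(path)
                findings.append((path, version, classify(version, jndi, min_safe)))
    return sorted(findings)
```

Anything reported as "unknown" or "mitigated" is a lingering instance in the report's sense and belongs on the upgrade list, not off it.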

The report also raised questions about the attention paid to security risks unique to the thinly resourced, volunteer-based open-source community. The board argued that the community is not adequately resourced to ensure that code is developed according to industry-recognized secure coding practices and audited by experts.

Royal Hansen, vice president of security at Google LLC, who took part in the Cyber Safety Review Board’s study, said in a statement that Google supports the report’s findings and looks forward to “continuing to partner with the department, industry stakeholders and other government entities around the world to strengthen our security ecosystem.”

Chad Skipper, global security technologist at VMware Inc., told SiliconANGLE that cyber vulnerabilities will continue to be around and will evolve and become more sophisticated over time. “Continuous perseverance and drive for security hygiene is one of the most effective paths in mitigating exposure,” he said.

Skipper noted that since January, VMware NSX Network Detection and Response had tracked more than 25 million exploit attempts against Log4j. “We’ve seen a positive response to virtual patching that can help teams mitigate risks by offering a quick and temporary prevention of an exploitation while the security engineers adapt and implement a remedy to eventually mitigate actions,” Skipper added.

Former Google security engineer Dan Lorenc, now chief executive officer of software supply chain security company Chainguard Inc., said the most important takeaway is that the board concludes Log4j could have been prevented, which he said is more or less true.

“Preventing another Log4j from occurring is possible, but it is going to require a fundamental shift in several critical areas by many,” Lorenc explained. This includes “a collective approach to support the open source community through resources and defining security standards across the industry and increased focus by the private and public sector organizations to build security into their software development process and define how they assess risk in the management of that software.”

Image: DHS
