Some say that Log4J is the gift that keeps on giving, much like the Jelly of the Month Club. After the initial surge of discussion a couple weeks ago there were mitigations, a vaccine and multiple iterations of official patches to keep the issue at bay and the new ones that cropped up afterwards. Brian, Dan and Erik discuss the log4j vulnerability as it relates to enterprise systems, supportability, balancing the risk of patching and the ways that open-source software are used within the enterprise.
Join us this week as we cover:
- The Log4J vulnerability and saga in a nutshell
- The pros and cons of waiting to patch until there's a stable one vs. patching again with each iteration and risk my system's stability
- The critical need for system and application (and library) inventory and keeping up to date
- How best to react when the media and public discussion picks up on a vulnerability and causes a stir
- The challenges in the flurry of email and surveys from and to SaaS and service providers about their state on the vulnerability of the day
- What is the cost of "free" when it comes to running (and maintaining) open source software like Log4j
- How to make sure procurement departments are not just involved but include the risks of procurement decisions into the process
- Are the external capability assessments like SOC2 able to move beyond perfunctory review by those asking for them
We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.
Support The Great Security Debate