The document discusses the log4j security vulnerabilities from December 2021 and the efforts of a cybersecurity team in Mauritius called Cyberstorm to audit dependencies and patch over 30 open source packages. It raises questions about unmaintained libraries becoming a security problem and how developing countries can contribute more to open source software security.
Log4j security patching lessons
Loganaden “Logan” Velvindron (Cyberstorm.mu team)
Logan at cyberstorm.mu
Log4j
-Logging library

-Popular among developers.

-Made headlines in December due to major security flaws.


Log4j over time
-Became complex over time

-Features added leading to security flaws.


In Africa
When the log4j security flaws made headlines, many of us (at our respective
companies) started auditing our dependencies.

We started “Operation log4j”.

Several of us realized that, because of transitive dependencies, many
packages were affected.

-The Cyberstorm team is made up of bored hackers ranging from high school
students to experienced software engineers.
Operation l4j
-Hackathon started in Mauritius.

-Over 30 open source packages patched.

-We celebrated Christmas and New Year while watching GitHub for merges and
feedback on our pull requests :-)

-Inspired by Operation Rosehub and the OpenBSD project (OpenSSH, LibreSSL).


Typical example
Benefits
-Africa was active during the log4j security crisis.

-Developing countries can contribute.

-It could make CERTs in Africa more relevant.

-Africa has been a passive follower, but we are trying to change that.
Open questions
Libraries no longer maintained.
-Unmaintained libraries could become a security problem.
-A typical US developer makes 10k USD/month; could we look at moving
maintainership of orphaned/unmaintained but still widely used libraries to
developing countries?
-Companies are adopting open source software, but they don’t have an exact
inventory of what they use. SBOMs are becoming relevant.
-OpenSSF was announced, but it seems very US-centric. However, we did receive
welcoming words when we joined. We are closely watching how it will progress
and how African countries and companies can be part of it.
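The two points above that bite in practice are transitive dependencies (a vulnerable log4j-core that no one listed directly) and the missing inventory (SBOM). The following is an added example, not code from the slides or from the Cyberstorm.mu team: it walks a small CycloneDX-style SBOM (constructed here for illustration) and reports every dependency path that ends in a log4j-core build older than an assumed floor version, so the component that drags the vulnerable logger in becomes visible.

```python
"""Walk a CycloneDX-style SBOM and report every path by which an old
log4j-core reaches the application, including through transitive deps.
The SBOM below is constructed for illustration, not a real project."""
import json

# Constructed sample: the app depends directly on a web framework, and the
# framework (not the app) pulls in log4j-core, the case the slides describe.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "metadata": {"component": {"bom-ref": "pkg:maven/example/app@1.0"}},
    "components": [
        {"bom-ref": "pkg:maven/example/webfw@3.2", "name": "webfw", "version": "3.2"},
        {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"bom-ref": "pkg:maven/example/util@1.1", "name": "util", "version": "1.1"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/example/app@1.0",
         "dependsOn": ["pkg:maven/example/webfw@3.2", "pkg:maven/example/util@1.1"]},
        {"ref": "pkg:maven/example/webfw@3.2",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]},
        {"ref": "pkg:maven/example/util@1.1", "dependsOn": []},
    ],
})

def parse_version(v):
    """'2.14.1' -> (2, 14, 1): compare numerically, not as strings ('2.9' vs '2.17').
    A qualifier such as '-rc1' is dropped before the numeric comparison."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def vulnerable_paths(sbom_json, min_safe="2.17.1"):
    """Return dependency paths (lists of bom-refs, root first) ending in a
    log4j-core older than min_safe.  min_safe is an assumed floor used for
    illustration; take the real value from the current vendor advisory."""
    bom = json.loads(sbom_json)
    by_ref = {c["bom-ref"]: c for c in bom.get("components", [])}
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    root = bom["metadata"]["component"]["bom-ref"]
    floor = parse_version(min_safe)
    found = []

    def walk(ref, path):
        comp = by_ref.get(ref)
        if comp and comp.get("name") == "log4j-core" and parse_version(comp["version"]) < floor:
            found.append(path)
        for child in edges.get(ref, []):
            if child not in path:  # guard against cycles in the dependency graph
                walk(child, path + [child])

    walk(root, [root])
    return found
```

Each returned path reads from the application down to the offending log4j-core, which is the information you need to decide whether to bump your own dependency or send the upstream project a patch.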
Thanks to
-Organizers who invited me to talk about our work (COSCUP)

-The whole cyberstorm.mu team: Bruno Bernard, Nathan Mungur, Jagveer Loki, Chandish
Daboo, Alex Bissessur, Neel Gopaul, Terry Naiken, Jeremie Daniel & Rahul
Golam.

-All developers who were responsive to our patches.

-Guys who bought our stickers :-)
