When your team experiences a zero-day, there’s usually one goal: remediate fast. So how are over 30% of Log4j downloads still vulnerable one year later?
As one of the most visible software supply chain attacks in years, the easy-to-exploit risk from Log4j hasn’t gone away. We revisit December 2021 with a new understanding of how the Log4j and OpenSSL vulnerabilities persist after a fix is available.
The hosts that covered the exploit in 2021, Brian Fox, CTO at Sonatype, Ilkka Turunen, Field CTO at Sonatype, and Steve Poole, Developer Advocate at Sonatype, come back together to explain:
- The high-risk habits of open source consumers compared to project maintainers
- The truth about transitive dependencies causing 6 out of 7 project vulnerabilities
- The ripple of Log4j that sparked the Cybersecurity Executive Order and a movement to reveal hidden components
- How to stop a zero-day on the same day with a software supply chain fortified by transparency