
Burning Down the House: Quantifying the Impact of Log4j

27 Jan 2022 11:33am, by

Anchore's survey of 428 IT and security leaders, conducted between Dec. 3 and 22, shows that respondents believe the Log4j vulnerability (publicly revealed on Dec. 10) had an immediate impact.

As reported in Anchore's 2022 Software Supply Chain Security Report, only 22% of participants who answered before the Log4j incident reported a moderate or significant impact from a software supply chain attack within the last 12 months. That figure jumped to 35% among those who answered after the Log4j incident, which shows that the community took notice. Perhaps the "impact" was measured in attention rather than actual costs. The significance of news events often declines as their memory fades, so we don't yet know whether this will have a long-term effect on security.

The report also demonstrates once again that software, SaaS and Internet security companies are on the front lines of the fight against supply chain attacks. Fifty percent of respondents at these types of companies reported a moderate or significant supply chain attack in the last 12 months, compared to just 35% of respondents at non-technology companies. Software bills of materials (SBOMs) are a tool in this fight. So far, 36% of all respondents say they create an SBOM for the software they build, but the numbers are much lower for using SBOMs to track their own applications or to monitor vulnerabilities.

50% of Software/SaaS/Internet company respondents reported a moderate or significant supply chain attack in the last 12 months vs. 35% of respondents at non-tech companies.
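The second SBOM use the report asks about, monitoring the software you build for known-vulnerable components, looks like this in practice. The following is an added example and is not code from the report, from Anchore or from any SBOM tool; it assumes a CycloneDX-style JSON SBOM and an advisory feed expressed as affected version ranges, and every id, version and component below is a constructed placeholder rather than real advisory data.

```python
"""Match the components in an SBOM against advisory version ranges.

Added example (not from the report): assumes a CycloneDX-style JSON SBOM
and an advisory list with "introduced"/"fixed" version bounds.
"""
import json
import re

# Constructed sample SBOM, trimmed to the fields the check needs.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-api", "version": "2.14.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.13.1"},
    ],
})

# Constructed advisory feed: placeholder id and placeholder version bounds.
# "introduced" is inclusive, "fixed" is exclusive (first safe release).
SAMPLE_ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1",
     "group": "org.apache.logging.log4j", "name": "log4j-core",
     "introduced": "2.0.0", "fixed": "2.15.0"},
]


def parse_version(version: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1); non-numeric segments count as 0."""
    parts = []
    for segment in version.split("."):
        match = re.match(r"\d+", segment)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_in_range(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed under numeric comparison."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_affected(sbom_json: str, advisories: list) -> list:
    """Return one finding per (component, advisory) pair whose version matches."""
    sbom = json.loads(sbom_json)
    findings = []
    for component in sbom.get("components", []):
        key = f"{component.get('group', '')}:{component['name']}"
        for adv in advisories:
            if (adv["group"], adv["name"]) != (component.get("group", ""), component["name"]):
                continue
            if is_in_range(component["version"], adv["introduced"], adv["fixed"]):
                findings.append({"component": key,
                                 "version": component["version"],
                                 "advisory": adv["id"]})
    return findings


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{hit['component']}@{hit['version']} matches {hit['advisory']}")
```

The point of the structure is that the SBOM is generated once at build time, while the advisory list changes daily; re-running the match against a stored SBOM is what turns "we create SBOMs" into the monitoring the survey found far fewer teams actually do.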

Takeaways from O’Reilly and SmartBear Reports

Views of serverless-related content dropped 41%, according to a write-up of the 2021 usage trends on O'Reilly's learning platform. In contrast, container content views grew 137%. Although O'Reilly's audience tends to be conservative, we did note that other cloud native trends appeared to be accurately represented: demand for certified Kubernetes training, both for administrators (CKA) and for developers (CKAD), jumped in popularity in 2021.

Serverless, Cloud Native, Containers, Architecture, Kubernetes and Microservices Content Viewed on O'Reilly in 2021

Source: 2021 Usage Trends from O’Reilly’s Learning Platform

In 2020, during the pandemic, user stories were de-prioritized during code reviews. According to SmartBear's annual State of Software Quality | Code Review report, less than 34% of testers and developers had included user stories in their reviews in 2020, but that jumped back to almost 50% in 2021. It might take a year or two more to determine whether this will actually have an impact on software quality or user experience. The survey also found that requirements are increasingly included in code reviews.

A follow-up question asked which tools are used to track requirements. Atlassian's Jira and Confluence are by far the market leaders. Microsoft productivity tools not meant for this specific use case are the runners-up. The full panoply of application lifecycle management and testing vendors weren't included in the survey's question, but if they had been, would that have changed the results? Requirements management is a functionality, but it may not be a market unto itself. What do you think?

Review has expanded beyond code. All artifact review types except schematics saw a significant increase as a part of teams' review process. [This description comes from SmartBear's website.]

Source: SmartBear Software’s State of Software Quality | Code Review 2021

Jira, Confluence, Microsoft Word and Microsoft Excel are the most cited tools used for requirements management in this chart.

Image by LEEROY Agency from Pixabay.