How a Zero-Day Lasts 365: One year since the Log4j Vulnerability

Logo
Presented by

Brian Fox (CTO, Sonatype), Ilkka Turunen (Field CTO, Sonatype), Steve Poole (Developer Advocate, Sonatype)

About this talk

When your team experiences a zero-day there’s usually one goal: remediate fast. So how are over 30% of Log4j downloads still vulnerable one year later? As one of the most visible software supply chain attacks in years, the easy-to-exploit risk from Log4j hasn’t dissolved. We revisit December 2021 with a new understanding of how the Log4j and OpenSSL vulnerabilities persist post-fix. The hosts that covered the exploit in 2021, Brian Fox, CTO at Sonatype, Ilkka Turunen, Field CTO at Sonatype, and Steve Poole, Developer Advocate at Sonatype, come back together to explain: - The high-risk habits of open source consumers compared to project maintainers - The truth about transitive dependencies causing 6 out of 7 project vulnerabilities - The ripple of Log4j that sparked the Cybersecurity Executive Order and a movement to reveal hidden components - How to stop a zero-day on the same day with a software supply chain fortified by transparency
Related topics:

More from this channel

Upcoming talks (0)
On-demand talks (29)
Subscribers (6498)
Sonatype is the software supply chain management company. We empower developers and security professionals with intelligent tools to innovate more securely at scale. Our platform addresses every element of an organization’s entire software development life cycle, including third-party open source code, first-party source code, infrastructure as code, and containerized code. Sonatype identifies critical security vulnerabilities and code quality issues and reports results directly to developers when they can most effectively fix them. This helps organizations develop consistently high-quality, secure software which fully meets their business needs and those of their end-customers and partners. More than 2,000 organizations, including 70% of the Fortune 100, and 15 million software developers already rely on our tools and guidance to help them deliver and maintain exceptional and secure software.