• Latest
  • Trending
3 Reasons Why Contrast SCA Is Best for Log4Shell Rapid Response

3 Reasons Why Contrast SCA Is Best for Log4Shell Rapid Response

December 22, 2021
iOS 15.5 arrives ahead of Apple’s annual developer conference

iOS 15.5 arrives ahead of Apple’s annual developer conference

May 17, 2022
Researchers devise iPhone malware that runs even when device is turned off

Researchers devise iPhone malware that runs even when device is turned off

May 17, 2022
AMD Ryzen 7000 “Phoenix” APUs with RDNA3 Graphics to 3D V-Cache

AMD Ryzen 7000 “Phoenix” APUs with RDNA3 Graphics to 3D V-Cache

May 17, 2022
Huawei holds maiden ICT to develop 100,000 ICT Talents through LEAP in Ghana

Huawei holds maiden ICT to develop 100,000 ICT Talents through LEAP in Ghana

May 17, 2022
Nokia Moves HR Functions to Oracle Fusion Cloud HCM

Nokia Moves HR Functions to Oracle Fusion Cloud HCM

May 17, 2022
Ericsson and Turkcell Perform Turkey’s First 5G Connected Mobile Robot Demo

Ericsson and Turkcell Perform Turkey’s First 5G Connected Mobile Robot Demo

May 17, 2022
Relativity and ENSafrica to Help Expand the African Cloud Capabilities

Relativity and ENSafrica to Help Expand the African Cloud Capabilities

May 17, 2022
MTN Nigeria Adopts LigaData’s Time Machine

MTN Nigeria Adopts LigaData’s Time Machine

May 17, 2022
NVIDIA Certifies NetApp EF600 For DGX SuperPOD

NVIDIA Certifies NetApp EF600 For DGX SuperPOD

May 17, 2022
PNY Announced XLR8 DDR5-6000 MAKO RGB Memory Kits

PNY Announced XLR8 DDR5-6000 MAKO RGB Memory Kits

May 17, 2022
V-Color Manta XPrism RGB SCC DDR5-6200 CL36 2x 16 GB

V-Color Manta XPrism RGB SCC DDR5-6200 CL36 2x 16 GB

May 17, 2022
WD Announces WD Black SN850X and P40 Game Drive

WD Announces WD Black SN850X and P40 Game Drive

May 17, 2022
  • Consumer Watch
  • Kids Page
  • Directory
  • Events
  • Reviews
Tuesday, 17 May, 2022
  • Login
itechnewsonline.com
  • Home
  • Tech
  • Africa Tech
  • InfoSEC
  • Data Science
  • Data Storage
  • Business
  • Opinion
Subscription
Advertise
No Result
View All Result
itechnewsonline.com
No Result
View All Result

3 Reasons Why Contrast SCA Is Best for Log4Shell Rapid Response

by ITECHNEWS
December 22, 2021
in Leading Stories, Opinion
0 0
0
3 Reasons Why Contrast SCA Is Best for Log4Shell Rapid Response

With Log4j being such a ubiquitous library embedded in tens of millions applications across the Java ecosystem, it’s fairly obvious to understand why the Log4Shell CVE is being treated as a DEFCON 1-class situation. To add salt to the wound, many of the tools leveraged by Security, Ops, and Development teams are ill suited to respond to this crisis. Here at Contrast, we have already heard from several customers about how they are forced to run complicated, custom scripts, and advanced queries to understand what applications are running vulnerable versions of Log4j, if they’re using the vulnerable class, and if patching is even viable. Just recently Sándor Incze, CISO at CM.com said, “We were able to analyze whether our own built software would be vulnerable to the Log4j zero-day…” Mr. Incze is not alone in this regard. Software Composition Analysis (SCA) tools that live in the code repository are heavily over-reporting instances of log4j as evidenced by Contrast Co-Founder and Chief Scientist, Arshan Dabirsiaghi, where he presented data showing that only 37% of Java applications actually invoke log4j2.

 

YOU MAY ALSO LIKE

iOS 15.5 arrives ahead of Apple’s annual developer conference

Researchers devise iPhone malware that runs even when device is turned off

Tools that present a deluge of irrelevant findings lead security teams to chase their developers to patch libraries that aren’t actually used by their application! In short, in the event of a zero-day incident response scenario, SCA tools need to enable teams to easily identify applications at risk, confirm which of them are actually vulnerable, and provide a quick means to institute some form of protection in place.

Enter Contrast and its cross-platform approach to Software Composition Analysis. Contrast SCA is uniquely suited to respond to the ongoing Log4Shell dilemma as it takes not only the third-party code into account, but how and if third-party libraries are invoked by custom code as well. In short, we take the ENTIRE application into account instead of enumerating libraries in isolation. Let’s get into the details.

Reason #1: Regardless of Software Lifecycle Stage, Contrast SCA Detects Vulnerable Versions of Log4j

Contrast SCA is a cross-platform service. Let’s clarify what that means in practice. As a built-in engine within the Contrast Platform, Contrast SCA provides software supply chain risk intelligence through multiple integration points across the software lifecycle. Developers can effortlessly assess for vulnerable third-party libraries within native pipelines via Contrast Scan, during routine software testing via Contrast Assess, and block attacks targeting vulnerable libraries via Contrast Protect. Contrast also extends into cloud-native environments like AWS Lambda by testing for vulnerable libraries in serverless functions.

“Ok, how does that help me with Log4Shell?” Glad you asked! In practice, Contrast SCA works across code, build, test, and production environments to help you identify where you have Log4j in use. Contrast SCA works in tandem with Contrast’s existing AST solutions to find vulnerable versions of Log4j1.x and Log4j2.x – no extra tooling required. Moreover, Contrast can protect against attacks against Log4j when patching or updating is not feasible.

Reason #2: Contrast SCA Flags if Log4j is Actually Used, Not Just Packaged in the Application

Embedding SCA solely at the repository level has its benefits in terms of instituting good open source hygiene among developers. However, within the context of the ongoing Log4Shell crisis, that creates more problems later down the line. SCA tools that only look at the repository report findings in libraries in direct and transitive dependencies that may or may not make it into the actual deployed artifact. Among those dependencies that do make it into production, only a portion of them are used. In fact, according to data from real-world running applications from Contrast Labs, 58% of Java applications package a vulnerable version of Log4j, only 37% actually use it!

If CISO offices expect a nimble response to zero-day events, their teams can’t afford to chase patches for applications that aren’t using the vulnerable component. Contrast SCA solves for this by taking the entire application into account. Instead of testing third-party libraries in isolation, Contrast SCA contextualizes how the running application invokes libraries to help teams determine if the library is actually used.

In responding to Log4Shell, this can be a crucial component in determining a remediation path within the developer CI/CD workflow.

Working in tandem with Contrast SCA, Contrast Scan can identify vulnerable versions of the log4j library and flag instances of log injections for both log4j1 and log4j2. Going one step further, Contrast SCA will even identify if the application is configured to use JMS Appender, a known attack vector within vulnerable versions of log4j1. Developers receive this feedback in real-time within their native CI tooling.

Contrast SCA will automatically inventory your third-party software assets – both COTS and OSS – during routine functional or QA testing. Contrast SCA’s runtime analysis identifies whether libraries are invoked by the running application – including vulnerable versions of JMS Appender. Without this insight, security and development teams waste precious time and resources fixing non-functional libraries pulled in during the build process. This intelligence enables developers to prioritize and focus remediation efforts on the Log4j libraries that pose real risk instead of chasing false positives.

Reason #3: Contrast SCA Catalogues Your Software Supply Chain IN REAL-TIME TO MAKE LOG4J QUERIES AS EASY AS A GOOGLE SEARCH

When stress levels are high, the thing that can make even the most seasoned Incident Response teams go into panic mode is when simple tasks become an exercise in attrition. Answering the question of “what’s in my application?” seems easy in theory, but in practice, it can be enough to turn your hair gray.

Contrast SCA benchmarks your third-party attack surface with a real time inventory of your open source and third-party software libraries. Security teams receive real-time alerts when new vulnerabilities are disclosed for deployed libraries and can export their software inventory into a standardized Software Bill of Materials. This makes it easy to query applications running log4j. There’s no custom scripts or APIs involved, it’s just a matter of typing in a few words in a search bar.

To better understand the embedded layers of risk within their software supply chain, Contrast SCA can generate a dependency tree using the Contrast CLI. With each new build, users can populate a dependency tree to understand which top level library is calling log4j and understand if they need to update, patch, or institute some sort of protection.

Conclusion: To Effectively Contain Log4Shell, You Need a Platform That Provides CONTEXT INTO IMPLEMENTING THE RIGHT FIXES

If there’s one thing you take away from this article, it’s this: in order to properly identify real risk in your third-party code, you also need to take into consideration how that code interacts within the rest of the application. Testing third-party libraries in a vacuum creates noise, siloed results, and just more confusion. It’s precisely this reason that Contrast takes a platform approach to Software Composition Analysis – providing third-party risk intelligence across all phases of the software lifecycle. As your code makes its way from build, to test, to production, your attack layer shifts and only by understanding how custom and third-party code interact with one another, can you effectively respond to zero-day events like Log4Shell.

The Log4j saga is still ongoing. As of the writing of this article, the Apache Foundation recommends updating to Log4j 2.17.0 and that could very well change in the days ahead. Where feasible, consider removing the Log4j library from applications where it’s packaged but not used during runtime. Contrast enables your team to take this more targeted remediation approach and institute the right protection measures when your team is stretched too thin.

Source: Joe Coletta
Via: Security Boulevard
Tags: ApacheContrast SCAJavascriptLog4Shell
ShareTweetShare

Get real time update about this post categories directly on your device, subscribe now.

Unsubscribe

Search

No Result
View All Result

Recent News

iOS 15.5 arrives ahead of Apple’s annual developer conference

iOS 15.5 arrives ahead of Apple’s annual developer conference

May 17, 2022
Researchers devise iPhone malware that runs even when device is turned off

Researchers devise iPhone malware that runs even when device is turned off

May 17, 2022
AMD Ryzen 7000 “Phoenix” APUs with RDNA3 Graphics to 3D V-Cache

AMD Ryzen 7000 “Phoenix” APUs with RDNA3 Graphics to 3D V-Cache

May 17, 2022

About What We Do

itechnewsonline.com

We bring you the best Premium Tech News.

Recent News With Image

iOS 15.5 arrives ahead of Apple’s annual developer conference

iOS 15.5 arrives ahead of Apple’s annual developer conference

May 17, 2022
Researchers devise iPhone malware that runs even when device is turned off

Researchers devise iPhone malware that runs even when device is turned off

May 17, 2022

Recent News

  • iOS 15.5 arrives ahead of Apple’s annual developer conference May 17, 2022
  • Researchers devise iPhone malware that runs even when device is turned off May 17, 2022
  • AMD Ryzen 7000 “Phoenix” APUs with RDNA3 Graphics to 3D V-Cache May 17, 2022
  • Huawei holds maiden ICT to develop 100,000 ICT Talents through LEAP in Ghana May 17, 2022
  • Home
  • InfoSec
  • Opinion
  • Africa Tech
  • Data Storage

© 2021 iTechNewsOnline.Com - Powered by BackUpDataSystems

No Result
View All Result
  • Home
  • Tech
  • Africa Tech
  • InfoSEC
  • Data Science
  • Data Storage
  • Business
  • Opinion

© 2021 iTechNewsOnline.Com - Powered by BackUpDataSystems

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

Are you sure want to unlock this post?
Unlock left : 0
Are you sure want to cancel subscription?
Go to mobile version