The FTC’s warning to companies about the failure to protect against open source vulnerabilities

In direct response to the Log4j vulnerability, the United States Federal Trade Commission published an alert. Net? If your company does not take proactive steps to prepare for future vulnerabilities like Log4Shell, not only do you risk legal and financial damage to your business because of hacks and data breaches, but potential legal action by the FTC.

The alert specifies:

  • “When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms.”
  • “The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action. The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.”
  • ​​”The Log4j vulnerability is part of a broader set of structural issues. It is one of thousands of unheralded but critically important open-source services that are used across a near-innumerable variety of internet companies. These projects are often created and maintained by volunteers, who don’t always have adequate resources and personnel for incident response and proactive maintenance even as their projects are critical to the internet economy.[1]This overall dynamic is something the FTC will consider as we work to address the root issues that endanger user security.”

The software supply chain continues to get more complicated. Log4j is a clear example of what can happen to today’s IT systems, which are highly vulnerable to attacks. The FTC’s warning is meant to create urgency for software companies. Failure to find and patch Log4j instances may very well violate the FTC Act.

Let’s be clear. They’re serious. As a reminder, in 2019, they hit Equifax with a staggering $700 million fine because of customer data exposure impacting 147 million consumers. The Apache Struts vulnerability was the reason for the breach. The kicker is that the patch was available at the time of the breach, but it wasn’t applied because there was no one within the organization responsible for vulnerability management. The staggering fine is enough to have significant impact on any business.

Are you mitigating your Log4j risk? Are you prepared for the next vulnerability?

Here are six steps to take now to secure your software supply chain:

  1. Understand the construction of your software pipeline and how software sources, components and packages gain entry.
  2. Produce a precise SBOM that includes all subcomponents, hidden dependencies and associated licenses. Having software component transparency across all applications is more of a reality today than ever before, and the need will only grow.
  3. Shift vulnerability management and license compliance left to minimize and mitigate open source risk early in the devops lifecycle.
  4. Collaborate with key stakeholders across the organization including Security, Software Development, Legal, and Executives to create documented policies regarding open source use. Consider creating an Open Source Program Office (OSPO) or an Open Source Review Board (OSRB) to develop your open source strategy and put a compliance program in place. Open Chain is a great place to start when installing a new governance program or improving the current one at your organization.
  5. Empower software developers by providing ongoing education for security vulnerability and license compliance management.
  6. Implement a Software Composition Analysis solution that identifies both security and license compliance issues in code.

 

Additional Log4j resources:

Leave a Reply

Your email address will not be published.