
Log4Shell: Cisco Presents Testimony to Senate Homeland Security and Governmental Affairs Committee



I recently had the privilege of providing testimony to the U.S. Senate Homeland Security and Governmental Affairs Committee regarding Cisco’s remediation of the Log4Shell vulnerability. To clarify, Log4Shell is the software vulnerability in Apache Log4j 2, the popular Java library for logging application error messages.

My testimony addressed how Cisco responded to protect its business and our Cisco customers, the security challenges resulting from the ubiquity of open-source code, and actions the Federal government and Congress can take to improve software security. I was one of four security-industry witnesses who provided both written and verbal testimony to the Committee.

The impact of Log4Shell

To share some brief background, on December 9, 2021, a critical vulnerability was disclosed in the Log4j library used in most Java applications on the Internet. This forced organizations around the world to determine how they were using Log4j, the potential exposure that needed to be addressed, and how they could best manage the associated risks.

For Cisco, the scope and diversity of our technology business include protecting both our internal business and our customers who use Cisco’s on-premises hardware products and cloud-delivered services. We needed to quickly determine the presence of the vulnerability in order to apply the necessary fixes, using risk assessments to prioritize our efforts. With Log4j, our internal networks were patched, and fixes were available for vulnerable on-premises products within the first two weeks of notification.
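The first step described above, determining where Log4j is present before any fix can be applied, is the part most organizations found hardest. The following is an added example (not Cisco’s tooling and not from the testimony) of a small inventory scanner: it walks a directory tree, opens every JAR/WAR/EAR, reads the Maven metadata that log4j-core ships under META-INF, recurses into nested archives, and flags versions older than 2.15.0, the release in which Log4Shell was first fixed. The sample archives it scans are constructed in a temporary directory so it runs offline; the 2.15.0 baseline is an assumption you should raise to match your own policy.

```python
"""Inventory scanner for Log4j 2 in JAR files (added example, not Cisco's tooling)."""
import io
import os
import re
import tempfile
import zipfile

# log4j-core publishes its version here inside the JAR (standard Maven layout).
LOG4J_CORE_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Assumption for this example: 2.15.0 was the first Log4Shell fix; later
# releases closed follow-up issues, so raise this baseline to match your policy.
FIXED_VERSION = (2, 15, 0)


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); tolerate suffixes such as '2.0-beta9'."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(nums) + (0,) * (3 - len(nums))


def _version_from_properties(data):
    """Read the 'version=' key from a pom.properties payload."""
    for line in data.decode("utf-8", errors="replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None


def scan_archive(zf, label):
    """Yield (label, version, needs_fix) for log4j-core in zf or any nested archive."""
    for name in zf.namelist():
        if name == LOG4J_CORE_PROPS:
            version = _version_from_properties(zf.read(name))
            if version:
                yield (label, version, parse_version(version) < FIXED_VERSION)
        elif name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # not a real archive; skip it rather than abort the scan
            # Nested archives (e.g. WEB-INF/lib/*.jar inside a .war) are common.
            yield from scan_archive(inner, f"{label}!{name}")


def scan_tree(root):
    """Scan every archive under root; returns a list of (path, version, needs_fix)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(scan_archive(zf, os.path.relpath(path, root)))
            except zipfile.BadZipFile:
                continue  # corrupt or non-zip file with a .jar extension
    return findings


def _make_zip(entries):
    """Build an in-memory zip from {name: text}; used only to construct sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, text in entries.items():
            z.writestr(name, text)
    return buf.getvalue()


def build_sample_tree():
    """Constructed sample data: one old log4j-core, one fixed, one nested in a .war."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")

    def core(version):
        return _make_zip({LOG4J_CORE_PROPS: f"artifactId=log4j-core\nversion={version}\n"})

    with open(os.path.join(root, "legacy-app.jar"), "wb") as f:
        f.write(core("2.14.1"))
    with open(os.path.join(root, "patched-app.jar"), "wb") as f:
        f.write(core("2.17.1"))
    with zipfile.ZipFile(os.path.join(root, "portal.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.11.2.jar", core("2.11.2"))
        war.writestr("WEB-INF/lib/unrelated.jar", _make_zip({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"}))
    return root


if __name__ == "__main__":
    for path, version, needs_fix in sorted(scan_tree(build_sample_tree())):
        print(f"{'FIX NEEDED' if needs_fix else 'ok        '}  log4j-core {version:<8} {path}")
```

The Maven metadata path is the cheapest signal, but it is absent from shaded or repackaged JARs, so a production inventory should also check for the log4j-core class files themselves and should cover container images and vendor appliances, which is exactly where the risk-based prioritization the paragraph describes comes in: the scan output becomes the worklist, and exposure (Internet-facing, handling untrusted input) decides the patch order.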

Cisco’s rapid response to Log4Shell

This significant speed in response time was driven by lessons learned from the past, Cisco’s ongoing automation, and numerous security investments that allowed us to assess and mitigate very quickly. We also collaborated closely with industry peers and government agencies, including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), to gain a better understanding across public and private sectors during incidents like Log4j.

Cisco is among the world’s largest consumers of, and contributors to, commercial open-source software (OSS). We acknowledge that there are shared risks from shared development infrastructure, which is why Cisco makes significant investments to improve the security of widely used open-source projects, including our work with the Apache Foundation.

Boosting cyber resilience

Given its inherent reliance on human interaction, all software, not just OSS, has the potential to contain vulnerabilities and requires secure lifecycle management. While there is no silver bullet to safeguard us from further vulnerabilities, we need to continually raise the baselines for all software security, improve our speed and efficiency at finding and fixing problems, and increase our resilience against attacks.

The secure software development and zero-trust networking requirements in Executive Order 14028 are important steps forward, regardless of whether they would have prevented the Log4Shell vulnerability. We will continue our efforts to shape these requirements in partnership with key federal agencies, including CISA, and to drive adoption within Cisco and by our industry peers.
