Series 11 – Episode 4 – Preventing future Log4J catastrophes
Paige West speaks with Brian Fox, CTO of Sonatype, about how enterprises in 2023 must become more disciplined about managing the open source software they use in their supply chains.
Open source is popular, especially in modern systems. It allows developers to be far more productive and spares them from reinventing the wheel over and over again.
“The modern application is composed of about 90% open source components. So, the software developers at an organisation are typically writing about 10% of the code,” Fox notes.
The problem is that open source has vulnerabilities of its own.
“I think the assertion that it’s more vulnerable is not correct. I think if we were able to see the custom code, you will probably find that, on average, the quality is better.
“What the challenge is, is that the attackers are engineers like the rest of us and they’re trying to figure out how to maximise their ROI.”
Log4j is the prime example of an open source vulnerability becoming a widespread problem.
“I think what Log4j finally brought to the forefront, where everybody sort of had this collective freak out, was that we’re all critically dependent upon these things.”
Fox goes on to talk about why open source is being targeted, what organisations can do and how he sees the software supply chain evolving.