Tessa Kriesel for Lacework

What I Learned About the Log4j Vulnerability

I was excited to join Lacework for many reasons, but one of the most important was that it provided me with an opportunity to teach developers about security. Developers complete many different courses and training to prepare them for their careers, but security is often an afterthought. There is a subset of us writing lines and lines of code each day, without the background knowledge to ensure that code is secure.

You’ve likely heard the Log4j vulnerability mentioned over the past few days, or seen the memes floating around the internet, and if you’re like me, or not a Java dev, you may be wondering what it is and why so many people are concerned about it. Distinguished Cloud Strategist Mark Nunnikhoven broke it down in an easy-to-understand 4-minute video, which helped bring things into perspective. Log4j is an open-source logging library: applications written for the Java platform use it to record what they are doing, so developers can figure out what’s going on inside them. The reason you’re hearing about it now is a serious security issue in Log4j 2, tracked as CVE-2021-44228 and nicknamed Log4Shell. One of the library’s features, lookups, lets a log message contain placeholders such as ${...} that Log4j expands when it writes the line, and one of those lookups, JNDI, could fetch and load a class from a remote server named inside the placeholder. So any attacker who could get a string of their choosing into a log line, for example by sending it as a username, a User-Agent header or a chat message, could make your application download and run their code, with no authentication required. Attackers want to do that to profit from your resources and data. I’ve heard so much information about this over the past few days; to narrow it down for you, here are the things that I think are most important for developers to know:

  1. You’re most likely affected if your projects run on the JVM, and that is broader than “written in Java”: Kotlin, Scala, Groovy and Clojure code can pull in Log4j just as easily, and so can off-the-shelf Java software you run but didn’t write, such as application servers, search engines, build tools and vendor appliances. The affected versions are Log4j 2.0-beta9 through 2.14.1. Log4j 1.x is a separate, end-of-life codebase and does not have this particular flaw.
  2. If you use the JVM, you should go through your GitHub repositories and check to see if they include Log4j. Look beyond the direct dependency list: Log4j is frequently pulled in transitively by a framework or another library, so inspect the full resolved dependency tree (for example mvn dependency:tree or gradle dependencies) rather than only searching pom.xml or build.gradle for the word log4j.
  3. Use an open source vulnerability scanning tool to figure out if specific systems are affected. Scanning what is actually deployed matters because the vulnerable JAR may be bundled inside a WAR, EAR or shaded JAR on a server rather than visible in source control. JFrog released a tool that can help you determine if your code includes Log4j and a script that helps you find where Log4j is within your code.
  4. It’s important to understand why this vulnerability is a big deal. Three things combine: it is remote code execution with no authentication, it is triggered by nothing more than getting attacker-controlled text into a log line, and Log4j is everywhere, often as a transitive dependency nobody remembers adding. It is also not a one-time fix. The first patch, 2.15.0, turned out to be incomplete and was followed by 2.16.0 and further releases as more issues were found, so even when you think you’ve resolved it, you need to keep watching the project’s advisories and be ready to upgrade again.
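
Items 2 and 3 above are about finding the library, so here is an added example of what that check looks like in code. It is not from the original post and is not JFrog’s or Lacework’s tool: a small Python scanner that walks a directory, opens every JAR, WAR or EAR, recurses into archives nested inside them (the usual WEB-INF/lib case), reads the version Maven records in log4j-core’s pom.properties, notes whether the JndiLookup class is present, and classifies the result against CVE-2021-44228. Everything it scans is constructed on the fly by build_fixtures() in a temporary directory; those archives hold only the metadata entry and a four-byte placeholder where the class would be, not real Log4j bytecode. The version boundaries and CVE numbers in the comments are the project’s published ones; the status tokens and function names are this example’s own.

```python
"""Added example: find log4j-core inside JAR/WAR/EAR files (also archives nested in archives),
read its version and classify it against CVE-2021-44228. Fixtures are constructed, not real."""
import io
import re
import tempfile
import zipfile
from collections import namedtuple
from pathlib import Path
# Maven writes this file into every log4j-core JAR; it carries "version=...".
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class behind ${jndi:...} lookups; deleting it from the JAR was the documented stop-gap.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.I)
_QUAL_RANK = {"alpha": 0, "beta": 1, "rc": 2, "": 3}  # a final release sorts after its pre-releases
Finding = namedtuple("Finding", "path version has_jndi_lookup status")  # nested paths joined by "!/"

def version_key(version):
    """'2.0-beta9' -> (2, 0, 0, 1, 9); '2.14.1' -> (2, 14, 1, 3, 0); None if unparseable."""
    m = _VER_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, qual, qnum = m.groups()
    return (int(major), int(minor), int(patch or 0), _QUAL_RANK[(qual or "").lower()], int(qnum or 0))

FIRST_AFFECTED = version_key("2.0-beta9")  # JndiLookup first shipped in this release
# Per release line: (first version carrying the CVE-2021-44228 fix, last follow-up fix release).
# 2.15.0, 2.16.0, 2.17.0 were superseded in turn (CVE-2021-45046, -45105, -44832); 2.3.x / 2.12.x are Java 6 / 7 lines.
FIX_LINES = {(2, 3): ("2.3.1", "2.3.2"), (2, 12): ("2.12.2", "2.12.4")}
MAIN_LINE = ("2.15.0", "2.17.1")

def classify(version, has_jndi_lookup):
    """Return one of: vulnerable, mitigated, upgrade, fixed, not-affected, unknown."""
    if version is None:  # e.g. a shaded JAR carrying the class but no Maven metadata
        return "vulnerable" if has_jndi_lookup else "unknown"
    key = version_key(version)
    if key is None:
        return "unknown"
    if key[0] != 2 or key < FIRST_AFFECTED:
        return "not-affected"  # Log4j 1.x is a different artifact; pre-beta9 has no JndiLookup
    fixed_at, current = (version_key(v) for v in FIX_LINES.get(key[:2], MAIN_LINE))
    if key < fixed_at:
        return "vulnerable" if has_jndi_lookup else "mitigated"
    return "upgrade" if key < current else "fixed"

def scan_archive(data, label, findings):
    """Inspect one archive held in memory and recurse into any archives inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container, or truncated
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_LOOKUP_CLASS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
            m = re.search(r"^version=(.+)$", props, re.M)
            version = m.group(1).strip() if m else None
            has_jndi = JNDI_LOOKUP_CLASS in names
            findings.append(Finding(label, version, has_jndi, classify(version, has_jndi)))
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXTS):  # e.g. WEB-INF/lib/*.jar inside a WAR
                scan_archive(zf.read(name), f"{label}!/{name}", findings)

def scan_tree(root):
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXTS:
            scan_archive(path.read_bytes(), str(path), findings)
    return findings

# ---- constructed fixtures: Maven metadata plus a 4-byte placeholder, not real Log4j bytecode ----
def _jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def _log4j_core(version, with_jndi=True):
    entries = {POM_PROPS: f"version={version}\nartifactId=log4j-core\n"}
    return _jar({**entries, JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe"} if with_jndi else entries)

def build_fixtures(root):
    cases = {
        "app.war": _jar({"WEB-INF/lib/log4j-core-2.14.1.jar": _log4j_core("2.14.1")}),
        "log4j-core-2.14.1-hotfix.jar": _log4j_core("2.14.1", with_jndi=False),  # class deleted
        "log4j-core-2.15.0.jar": _log4j_core("2.15.0"),
        "log4j-core-2.17.1.jar": _log4j_core("2.17.1"),
        "shaded-service.jar": _jar({JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe"}),  # no Maven metadata
    }
    for name, data in cases.items():
        Path(root, name).write_bytes(data)

def run_demo():
    """Build the fixtures in a temp dir, scan it, return {relative archive path: status}."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_fixtures(root)
    return {f.path[len(root) + 1:]: f.status for f in scan_tree(root)}
```

Call run_demo() to see the fixtures classified, or point scan_tree() at a real deployment directory. In the output, vulnerable means an affected version with JndiLookup still in the JAR, mitigated means the class was deleted, and upgrade means the JAR has the CVE-2021-44228 fix but a later release in its line addresses follow-up advisories, which is the point behind item 4. A shaded JAR that carries the class without Maven metadata is reported as vulnerable because nothing in it proves otherwise. Two limits to keep in mind: the scanner cannot see Log4j classes repackaged under another package name, and it says nothing about runtime configuration, so a JAR reported as vulnerable stays vulnerable regardless of the log4j2.formatMsgNoLookups property, which the project later noted was not a complete mitigation either.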

We know what it takes to maintain software, especially during a vulnerability. Our team believes in the power and benefits of open-source software, and we recently donated to the Log4j project committers and the Apache Foundation to support those maintainers working tirelessly behind the scenes. Hopefully this additional backing, along with the support of other developers and companies who are committed to finding a resolution, will help us reach the end of this challenge sooner rather than later.

If you’re interested in learning more about the Log4j vulnerability, this post about the human toll of Log4j maintenance provides a helpful overview and timeline of what’s occurred over the past few days.
