Episode 33

Log4Jelly of the Month Club

Some say that Log4J is the gift that keeps on giving, much like the Jelly of the Month Club. After the initial surge of discussion a couple of weeks ago there were mitigations, a vaccine and multiple iterations of official patches to keep the issue at bay, along with the new issues that cropped up afterwards. Brian, Dan and Erik discuss the log4j vulnerability as it relates to enterprise systems, supportability, balancing the risk of patching and the ways that open-source software is used within the enterprise.

Join us this week as we cover:


  • The Log4J vulnerability and saga in a nutshell


  • The pros and cons of waiting to patch until there's a stable one vs. patching again with each iteration and risk my system's stability


  • The critical need for system and application (and library) inventory and keeping up to date


  • How best to react when the media and public discussion picks up on a vulnerability and causes a stir


  • The challenges in the flurry of email and surveys from and to SaaS and service providers about their state on the vulnerability of the day


  • What is the cost of "free" when it comes to running (and maintaining) open source software like Log4j


  • How to make sure procurement departments are not just involved but include the risks of procurement decisions into the process


  • Are the external capability assessments like SOC2 able to move beyond perfunctory review by those asking for them

We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.

About the Podcast

Great Security Debate
Security From All Views