Software development is still ignoring security. That needs to change fast

If one event demonstrated how vulnerable organisations and infrastructure around the world are to software vulnerabilities, it was Log4j.

The critical zero-day vulnerability in the Java logging library Apache Log4j enabled attackers to remotely execute code to gain access to devices and networks. And because the open-source software was embedded in a vast array of applications, services and enterprise software tools, it had the potential for widespread and long-term disruption.

No wonder Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), described the vulnerability as “one of the most serious that I’ve seen in my entire career, if not the most serious”.

Security patches were developed quickly and organisations moved fast to apply them, although the ubiquitous nature of Log4j’s open-source code means there will be software and applications out there that won’t receive the update, especially if nobody realises Log4j was part of the development process.
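The inventory problem described above, that a team cannot patch a library it does not know it ships, is the one check a defender can automate. The following is an added example, not code from the article or from the Log4j project: it walks a directory of JAR/WAR/EAR files, descends into archives nested inside them (the usual way a fat JAR or WAR bundles its dependencies), and reports any archive that carries the `org/apache/logging/log4j/core/` package, reading the version from the Maven `pom.properties` the real log4j-core artifact ships. The sample application it scans is constructed in memory with a placeholder version string, so it runs offline.

```python
"""Find embedded log4j-core in JAR/WAR/EAR archives, including nested ones (added example)."""
import io
import re
import zipfile
from pathlib import Path
from typing import List, Optional, Tuple

# Package path of log4j-core classes and the Maven metadata file the artifact ships.
LOG4J_CORE_MARKER = "org/apache/logging/log4j/core/"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _version_from_pom(data: bytes) -> Optional[str]:
    """Return the 'version=' value from a pom.properties body, if present."""
    m = re.search(rb"^version=(\S+)", data, re.MULTILINE)
    return m.group(1).decode() if m else None


def scan_archive_bytes(data: bytes, path: str, findings: List[Tuple[str, str]]) -> None:
    """Inspect one archive held in memory and recurse into archives nested inside it.

    Appends (path, version) to findings for every archive that contains log4j-core.
    Non-zip input is skipped rather than raised, so a scan of a whole tree keeps going.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = zf.namelist()
        if any(n.startswith(LOG4J_CORE_MARKER) for n in names):
            version = _version_from_pom(zf.read(POM_PROPS)) if POM_PROPS in names else None
            findings.append((path, version or "unknown"))
        for n in names:
            if n.lower().endswith(ARCHIVE_SUFFIXES):
                # "outer!/inner" mirrors the jar: URL convention for nested entries.
                scan_archive_bytes(zf.read(n), f"{path}!/{n}", findings)


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Scan every archive under a directory tree on disk."""
    findings: List[Tuple[str, str]] = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_archive_bytes(p.read_bytes(), str(p), findings)
    return findings


def build_sample_app() -> bytes:
    """Constructed sample: a WAR whose lib/ bundles a log4j-core jar (placeholder version)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(LOG4J_CORE_MARKER + "LogEvent.class", b"\xca\xfe\xba\xbe")
        z.writestr(POM_PROPS, b"version=2.x-SAMPLE\nartifactId=log4j-core\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("WEB-INF/classes/com/example/App.class", b"\xca\xfe\xba\xbe")
        z.writestr("WEB-INF/lib/log4j-core.jar", inner.getvalue())
    return outer.getvalue()


def scan_sample() -> List[Tuple[str, str]]:
    """Run the scanner over the constructed sample application."""
    findings: List[Tuple[str, str]] = []
    scan_archive_bytes(build_sample_app(), "app.war", findings)
    return findings


if __name__ == "__main__":
    for archive, version in scan_sample():
        print(f"{archive}: log4j-core {version}")
```

Against a real deployment, call `scan_tree("/path/to/artifacts")` and compare each reported version with the vendor advisory; an archive reported as `unknown` still contains log4j-core classes and needs manual follow-up, since a repackaged or shaded build may have dropped the Maven metadata.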

Log4j is just one example of severe security vulnerabilities being uncovered in software that has been used for years – and it came 20 years on from when then-Microsoft boss Bill Gates issued his Trustworthy Computing memo, which urged Microsoft’s developers to produce more secure software after various bugs and security holes were
