Security partners must help secure the software supply chain and show companies how that technology works.
Tom Hermann
The discovery of Log4Shell in late December last year caused a stir across all industries as organizations scrambled to determine whether their systems were among the hundreds of millions worldwide running the Java-based logging utility Log4j. Just weeks after the vulnerability was identified, the Federal Trade Commission (FTC) warned companies that they must apply the patches or face legal action.
With the risk of legal action looming, the logical next step would be to apply the necessary patch. That would suffice in most scenarios, but Log4Shell presented a new set of challenges: it was extremely difficult for companies to determine where the patch was needed. In the aftermath, companies struggled to establish whether the flaw was present in their systems at all, which they needed to know before they could identify the fastest and most efficient course of action. Many organizations turned to their trusted advisors (partners) for advice on solutions and services that could help.
When large-scale security threats emerge, they are a strong reminder for partners that adversaries are always on the move and looking for new ways to wreak havoc on business. Now, more than six months after the initial Log4Shell discovery, there has been a shift in the channel environment. Businesses are looking for security partners that will enable them to stay protected from today’s unavoidable business threats.
What does this mean for the channel, and how can organizations ensure that their security expectations are met? Let’s take a look.
The channel and software security
Software and application security (AppSec) has moved up the agenda in partner discussions following Log4Shell and attacks such as SolarWinds, both with far-reaching implications for the software supply chain, as organizations have become increasingly aware of the threats that exist within their digital environments. Vulnerabilities and attacks of this kind, which affect companies of all sizes regardless of industry, draw attention in a way that drives companies to re-examine their security posture.
These widespread security threats have reminded organizations of something a mechanic already knows: a running engine is no reason not to lift the hood and examine what is underneath during a regular checkup. In the same way, organizations need to routinely learn the intricacies of their security tools to make sure that everything is working properly. When organizations take a deeper dive, most realize that they are largely oblivious to the software they use. This is a new opportunity for partners to provide advice and solutions.
There is a worrisome separation between users and their software. Open source has become a fundamental part of software. In fact, 98% of software and Internet codebases contain open source, as do 96% of enterprise software and software-as-a-service (SaaS) codebases. Despite open source being widely adopted in everyday business software, 85% of codebases contain open source that is more than four years out of date, and 88% use components that were not the latest version available. These numbers should be alarming: they point to a lack of software maintenance, indicating that most systems do not stay up to date.
These outdated systems put companies at greater risk of successful exploitation by cybercriminals. Perhaps the most worrisome part is that most systems remain out of date simply because many organizations do not know what is in their systems or that an updated version is available. Modern software requires a kind of ongoing oversight that many organizations are not used to or cannot provide.
Software and application security have become core components to enable business continuity, but even the most reliable vendors are not…