Why can't everyone just say which libraries they use, would make it a lot easier to search for log4j vulnerabilities.

And yes, I'm guilty of this myself too

  • 0
    That would also make it much easier to find any potentially vulnerable systems when a new similar exploit is found in some other library.

    Sure, obscurity is not a good security measure, but it can slow down an attacker.
  • 5
    @Voxera That's plain wrong. Attackers just use automated attacks and don't care which exact application is there with the bug open. Which is also why it slows down the defenders even more.

    If you're doing actual security instead of superficial checklist compliance snakeoil, then there's no issue in being transparent.
  • 8
    The problem is transitive dependencies in most cases.

    If you don't use any form of build system, I'd understand having a hard time maintaining dependencies - but why would anyone with a sane mindset do this?

    Any build system should be able to generate a list of dependencies, including transitive dependencies.

    Additionally there are things like scanners, e.g. Trivy for Docker, OWASP Dependency-Check etc., which do exactly that and even give you a CVE list to shove it up... to highlight the importance of maintenance to your manager / team lead / ...

    These things should run in any good form of CI / on an automated basis to ensure you don't overlook stuff.

    Log4J got so much hype that many people seem to have forgotten that new zero days occur in any form daily.

    If you have no such things integrated in your build pipeline or as a cronjob, then you've pretty much failed the most basic task in security: ensuring monitoring.
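To make the point in the comment above concrete (let the build system enumerate transitive dependencies, then match them against a known-bad range), here is an added example script. It is not code from anyone in this thread, nor from Maven, Trivy or OWASP Dependency-Check. It parses the text that `mvn dependency:tree` prints, keeps the chain of artifacts that pulled each dependency in, and flags `log4j-core` versions inside the affected range of CVE-2021-44228 (2.0-beta9 up to and including 2.14.1). The sample tree is constructed, the version ordering is a simplified Maven-style comparison, classifier coordinates and Maven's "omitted for conflict" verbose lines are not handled, and the 2.3.1 / 2.12.2 backport fixes are not modelled.

```python
"""Flag vulnerable log4j-core versions in a Maven dependency tree.

Added example for this thread (not from any commenter or tool named here).
Parses `mvn dependency:tree` text output, walks every transitive node with
the chain that pulled it in, and checks log4j-core against the affected
range of CVE-2021-44228. Version ordering is a simplified Maven-style
comparison; the sample input is constructed.
"""
import re

# Constructed sample of `mvn dependency:tree` output; com.example artifacts
# are placeholders, not real projects.
SAMPLE_TREE = (
    "[INFO] com.example:shop:jar:1.0.0\n"
    "[INFO] +- com.example:web-framework:jar:4.1.0:compile\n"
    "[INFO] |  +- com.example:web-core:jar:4.1.0:compile\n"
    "[INFO] |  |  \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile\n"
    "[INFO] |  \\- com.example:web-templating:jar:4.1.0:compile\n"
    "[INFO] +- com.example.internal:audit-lib:jar:3.2.0:compile\n"
    "[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.13.3:compile\n"
    "[INFO] \\- com.example:test-harness:jar:1.0.0:test\n"
)

# group:artifact:type:version[:scope] at the end of a tree line.
COORD = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r":(?P<version>[\w.\-]+)(?::(?P<scope>\w+))?\s*$"
)

# Affected range per the CVE-2021-44228 advisory (inclusive bounds).
VULNERABLE = {
    ("org.apache.logging.log4j", "log4j-core"): ("2.0-beta9", "2.14.1"),
}


def version_key(v):
    """Simplified Maven ordering: numeric parts compare as ints and a
    qualifier (alpha, beta, rc, SNAPSHOT) sorts below a number, so
    2.0-beta9 < 2.0 < 2.14.1. Each token becomes (1, int) or (0, str)."""
    parts = []
    for tok in re.split(r"[.\-]", v):
        m = re.match(r"([A-Za-z]*)(\d*)", tok)
        if m.group(1):
            parts.append((0, m.group(1).lower()))
        if m.group(2):
            parts.append((1, int(m.group(2))))
    return parts


def version_cmp(a, b):
    """Return -1, 0 or 1; shorter versions are padded with zeros so that
    2.0 == 2.0.0 and 2.0-beta9 < 2.0 (a qualifier tuple sorts below (1, 0))."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += [(1, 0)] * (n - len(ka))
    kb += [(1, 0)] * (n - len(kb))
    return (ka > kb) - (ka < kb)


def parse_tree(text):
    """Return [(depth, coord)] for every node; depth comes from the 3-char
    tree prefix units ('+- ', '\\- ', '|  ', '   ') before the coordinate."""
    nodes = []
    for line in text.splitlines():
        if not line.startswith("[INFO] "):
            continue
        body = line[len("[INFO] "):]
        m = COORD.search(body)
        if m:
            nodes.append((len(body[:m.start()]) // 3, m.groupdict()))
    return nodes


def dependency_chains(nodes):
    """Pair each node with the artifact chain that pulled it in, so a hit
    in a transitive dependency can be traced to the direct one to fix."""
    stack, out = [], []
    for depth, coord in nodes:
        del stack[depth:]  # back up to this node's parent level
        stack.append(f"{coord['artifact']}:{coord['version']}")
        out.append((coord, " -> ".join(stack)))
    return out


def is_affected(coord):
    rng = VULNERABLE.get((coord["group"], coord["artifact"]))
    if rng is None:
        return False
    lo, hi = rng
    v = coord["version"]
    return version_cmp(v, lo) >= 0 and version_cmp(v, hi) <= 0


def find_vulnerable(tree_text, include_scopes=("compile", "runtime", "provided")):
    """Return [(artifact, version, scope, chain)] for affected nodes.
    Test-scoped dependencies are skipped by default so the report reflects
    what actually ships; pass include_scopes=("test",) to audit those too."""
    hits = []
    for coord, chain in dependency_chains(parse_tree(tree_text)):
        scope = coord["scope"] or "compile"
        if scope in include_scopes and is_affected(coord):
            hits.append((coord["artifact"], coord["version"], scope, chain))
    return hits


if __name__ == "__main__":
    for artifact, version, scope, chain in find_vulnerable(SAMPLE_TREE):
        print(f"{artifact} {version} ({scope}) pulled in via: {chain}")
```

In a pipeline the same logic runs over the real output (`mvn dependency:tree -DoutputFile=deps.txt`, then feed `deps.txt` to `find_vulnerable`) and fails the build on a non-empty result; the chain tells you that it is `audit-lib`, not your own `pom.xml`, that needs the upgrade or exclusion. A scanner such as Trivy or Dependency-Check does the same matching against a full vulnerability database instead of one hard-coded range, which is why the comment above wants it on a schedule rather than only when a CVE makes the news.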
  • 4
    @IntrusionCM Came here to say exactly this.