NEW DELHI :
On 24 November, Chen Zhaojun, a security researcher who was part of the Alibaba Cloud Security team, alerted the Apache Software Foundation about a critical vulnerability in a widely used logging software called log4j 2. The vulnerability was made public on 9 December and patches were subsequently released by the foundation.
Cybercriminals, however, were quick to take advantage of the loophole and have intensified attempts to identify applications and servers that may be vulnerable and could be exploited to carry out ransomware attacks.
Attackers have already made attempts to exploit the log4j 2 vulnerability in 41% of Indian organizations, according to Check Point Software, a cybersecurity firm.
Log4 Shell, however, is just one of the many software vulnerabilities that have been reported this year. According to a Hacker One report published this month, 66,547 software bugs were detected in 2021. This is 21% higher than the previous year.
“Software vulnerabilities are bugs or mistakes that could be exploited by threat actors to execute a cyberattack. One of the reasons we encounter so many software vulnerabilities is the sheer number of applications produced today compared to a decade ago,” said Ashwin Ram, cyber security evangelist at Check Point Software. An increase in application development means an increase in attack surface as every app with a vulnerability is a potential target.
“Most modern software will have multiple zero-day vulnerabilities in them,” cautioned Tushar Richabadas, senior product marketing manager – applications and cloud security at Barracuda, a cybersecurity firm.
Security experts feel the growing emphasis on borrowing codes from third-party libraries without vetting them properly instead of writing them from scratch is one of the major red flags that has contributed to the problem.
“DevOps has changed. A few years back, developers used to write 80% of the codes while 20% was borrowed from libraries. It’s exactly reversed right now. Developers are hardly doing any coding and software development is all about these libraries with pre-baked codes,” said Huzefa Motiwala, director, systems engineering – India and SAARC at Palo Alto Networks, a cybersecurity company.
Motiwala feels developers should adopt a shift-left approach and embed security at every stage of the development cycle, especially at the point when they are borrowing codes.
He has a point. After the pandemic, dependence on third-party code libraries has skyrocketed, especially in emerging markets such as India, which is facing a severe shortage of tech professionals, including programmers.
A case in point is CodeCanyon, one such library, which saw revenue from India grow by 184% year-on-year last year after the pandemic forced businesses in India to build an online presence.
To be sure, this does not mean all third-party code libraries have vulnerable codes. However, Ram cautioned that threat actors often use open-source codes as a delivery mechanism for backdoors into applications. “This is why a zero-trust mindset of ‘never trust, always verify’ must also be extended to software development,” he added.
This is also linked to the fact that these days applications are developed, published and updated at a much faster speed than they were a few years ago. Post pandemic, businesses have been under enormous pressure to rush products to market. Ram said, “Businesses also expect applications to be published quickly, perhaps to capitalize on competitive advantages with faster time-to-market. This, in turn, can further push the publications of half-baked applications.”
