![\"\"](\"https:\/\/solutionsreview.com\/endpoint-security\/files\/2022\/03\/3-Tips-to-Improve-Open-Source-Software-Supply-Chain-Health-and-Security.jpg\")
<\/p>\n<\/p>\n
As part of Solutions Review’s Premium Content Series\u2014a collection of contributed columns written by industry experts in maturing software categories\u2014Donald Fischer, the co-founder and CEO of Tidelift<\/a>, shares some insights on improving the health and security of an open-source software supply chain.<\/em><\/strong><\/p>\n Open-source has been an enormous gift to application development, and we often take for granted what a marvel it is that we even have all of this free code available to use. Yet, at the same time, recent events like Log4Shell, the vulnerability that impacted the ubiquitous Java logging component Log4j, have many organizations more focused than ever on how to improve the health and security of their open-source software supply chain.<\/span>\u00a0<\/span><\/p>\n Log4j is a Java logging component that has been in use for over 20 years. It was developed and maintained by unpaid volunteers and has over 3,600 dependent packages in the Java language ecosystem. In late 2021, a vulnerability was discovered in Log4j, nicknamed Log4Shell. <\/span>\u00a0<\/span>Log4Shell is widely considered among the most severe software vulnerabilities in history. It allows attackers to execute code remotely and insert malware or take control of impacted devices, potentially numbering in the hundreds of millions.<\/span>\u00a0<\/span><\/p>\n Assessing the impact of and remediating Log4Shell was and, for many organizations, continues to be an expensive, challenging, and time-consuming effort. First, Log4j is ubiquitous\u2014almost every organization uses Java, which means they use Log4j. Second, most organizations don’t have a good process for managing open-source across the enterprise. This means that when another Log4Shell-style vulnerability emerges, they’ll experience this same pain again.<\/span>\u00a0<\/span><\/p>\n![\"\"](\"https:\/\/solutionsreview.com\/security-information-event-management\/files\/2022\/01\/SR-Premium-Content.gif\")
<\/span>When it comes to modern enterprise application development, open-source software is everywhere. Some surveys have found that <\/span>more than 90% of modern applications contain open-source components<\/span><\/a> and for a good reason. Developing applications with open-source gives organizations an enormous head start\u2014billions of lines of freely available code that can be downloaded and used to accomplish everyday tasks, allowing developers to focus on the pieces unique to their app.<\/span>\u00a0<\/span><\/p>\nWhat is Log4Shell, and why was it so dangerous? \u00a0<\/strong><\/h3>\n
3 Tips to Improve Your Open-Source Software Supply Chain’s Health and Security<\/strong><\/h2>\n
\n
![\"Download](\"https:\/\/solutionsreview.com\/endpoint-security\/files\/2019\/01\/endpoint-security-speedbump-cta.jpg\")
<\/a><\/p>\n<\/div>\n\t\t<\/div><\/div><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"