
Log4Shell: Cisco Presents Testimony to Senate Homeland Security and Governmental Affairs Committee

I recently had the privilege of providing testimony to the U.S. Senate Homeland Security and Governmental Affairs Committee regarding Cisco's remediation of the Log4Shell vulnerability. To clarify, Log4Shell is the software vulnerability in Apache Log4j 2, the popular Java library for logging application error messages.

My testimony addressed how Cisco responded to protect its business and our Cisco customers, the security challenges resulting from the ubiquity of open-source code, and actions the Federal government and Congress can take to improve software security. I was one of four security-industry witnesses who provided both written and verbal testimony to the Committee.

The impact of Log4Shell

To share some brief background, on December 9, 2021, a critical vulnerability was disclosed in the Log4j library used in most Java applications on the Internet. This forced organizations around the world to determine how they were using Log4j, the potential exposure that needed to be addressed, and how they could best manage the associated risks.

For Cisco, the scope and variety of our technology business include protecting both our internal enterprise and our customers who use Cisco's on-premises hardware products and cloud-delivered services. We needed to quickly identify the presence of the vulnerability in order to apply critical fixes, using risk assessments to prioritize our efforts. With Log4j, our internal networks were patched, and fixes were available for vulnerable on-premises products within the first two weeks of notification.

Cisco's rapid response to Log4Shell

This significant speed of response was driven by lessons learned from the past, Cisco's ongoing automation, and numerous security investments that allowed us to assess and mitigate very quickly. We also collaborated closely with industry peers and government agencies, including the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), to gain a better shared understanding across the public and private sectors during incidents like Log4j.

Cisco is among the world's largest consumers of, and contributors to, commercial open-source software (OSS). We recognize that there are shared risks from shared development infrastructure, which is why Cisco makes significant investments to improve the security of widely used open-source projects, including our work with the Apache Foundation.

Boosting cyber resilience

Given its inherent reliance on human input, all software, not just OSS, has the potential to contain vulnerabilities and requires secure lifecycle management. While there is no silver bullet to safeguard us from further vulnerabilities, we need to continually raise the baseline for all software security, increase our speed and efficiency at finding and fixing problems, and improve our resilience against attacks.

The secure software development and zero-trust networking requirements in Executive Order 14028 are critical steps forward, regardless of whether they would have prevented the Log4Shell vulnerability. We will continue our efforts to shape these requirements in partnership with key federal agencies, including CISA, and to drive adoption within Cisco and by our industry peers.
