[this statement is available online at https://s.apache.org/485lz ]
“Responding to and Learning from the Log4Shell Vulnerability”
Opening Statement by David Nalley
President, Apache Software Foundation
Senate Committee on Homeland Security and Government Affairs
February 8, 2022
---
Chairman Peters, Ranking Member Portman, and distinguished members of the
Committee: thank you for the invitation to appear this morning.
My name is David Nalley, and I am the President of the Apache Software
Foundation (ASF). The ASF is a non-profit public-benefit charity established in
1999 to facilitate the development of open source software. Thanks to the
ingenuity and collaboration of our community of programmers, the ASF has grown
into one of the largest open source organizations in the world. Today, more
than 650,000 contributors around the world contribute to more than 350 ongoing
projects, comprising more than 237 million lines of code.
Open source is not simply a large component of the software industry -- it
is one of the foundations of the modern global economy. Whether they realize it
or not, most businesses, individuals, non-profits, or government agencies
depend on open source; it is an indispensable part of America’s digital
infrastructure.
Projects developed from open source, like Log4j, tend to resolve problems
that many people have, essentially serving as reusable building blocks for
solving those problems. This enables faster innovation because it eliminates
the need for every company or developer to reimplement software for already
solved problems. This efficiency allows programmers to stand on the shoulders
of giants. The ASF provides a vendor-neutral environment to enable interested
programmers – oftentimes direct competitors of one another – to do this common
work together in transparent, open-handed cooperation.
This is the essence of open-source software: brilliant individuals contributing
their time and expertise to do unglamorous work solving problems – many with
the intent of incorporating the results into their employer’s products. And
it’s why I’ve dedicated my professional life to it.
Log4j – first released by Apache in 2001 – is the product of just this kind
of collaboration. It performs a particular set of functions, like recording a
computer’s operating events, so well that it has been used in products as
diverse as storage management software, software development tools,
virtualization software and (most famously) the Minecraft video game. As
Log4j’s footprint grew over the years, so did its feature list. It was a 2013
addition to Log4j, along with a part of the Java programming environment, that
combined in such a way that exposed this security flaw.
The vulnerability was reported to Apache’s Log4j team late November 2021,
after having been latent for many years. The Apache Logging project, and
Apache’s Security team immediately got to work addressing the vulnerability in
the code. The full solution was released approximately two weeks later. Given
the near ubiquity of Log4j’s use, it may be months or even years before all
deployed instances of this vulnerability are eliminated. As a software
professional myself, I am proud of how the Logging project and the ASF’s
security team (and many others across the ASF’s projects) responded and
remediated last fall. We acted quickly and in accordance with practices we have
adopted over many years of supporting a diverse set of open source projects. We
will continue to develop our projects in responding to and preventing security
vulnerabilities.
Moreover, every stakeholder in the software industry – including its
largest customers, like the federal government – should be investing in
software supply chain security. While ideas like the Software Bills of
Materials won’t prevent vulnerabilities, they can mitigate the impact by
accelerating the identification of potentially vulnerable software. However,
the ability to quickly update to the most secure and up-to-date versions
remains a significant hurdle for the software industry.
The reality is that humans write software, and as a result there will
continue to be bugs, and despite best efforts some of those will include
security vulnerabilities. As we continue to become ever more connected and
digital, the number of vulnerabilities and potential consequences are likely to
grow. There is no easy software security solution - it requires defense in
depth – incorporating upstream development in open source projects, vendors
that incorporate these projects, developers that make use of the software in
custom applications, and even down to the organizations that deploy these
applications to provide services important to their users.
Rather than shying away from this risk, I submit that software developers,
open-source communities, and federal policymakers should face it head-on
together – with the determination and the vigilance it demands.
Thank you again, and I look forward to answering any questions you might
have.
# # #
NOTE: you are receiving this message because you are subscribed to the
announce@apache.org distribution list. To unsubscribe, send email from the
recipient account to announce-unsubscr...@apache.org with the word
"Unsubscribe" in the subject line.
