Senate Homeland Security Committee leaders Gary Peters (D-Michigan) and Rob Portman (R-Ohio) have introduced a bill requiring a risk framework for open-source code. The proposed legislation would require the Cybersecurity and Infrastructure Security Agency to develop the risk evaluation process for open-source software being used by federal agencies and critical infrastructure. The move follows the discovery in December of a vulnerability in the Apache Software Foundation’s popular Log4j Java logging utility. Peters said the Log4j incident presented a serious threat to banks, hospitals, and utility companies, among other national security operations. Continue reading Senate Group Wants CISA to Protect Open-Source Software

The Log4j code vulnerability has the media declaring the Internet in a state of crisis. Log4j is a Java-based logging framework developers use to track user activity within applications on the popular Apache web server. Security experts are rushing to patch the bug, which is being exploited to remotely assume control of vulnerable systems, stealing credentials, installing malware and launching other attacks that permeate consumer devices. Last week, the U.S. Cybersecurity and Infrastructure Security Agency issued a Log4j alert, as did Australia’s CERT emergency response team. Continue reading Major Security Vulnerability Triggers Worldwide Internet Crisis

Equifax’s two cyber breaches, which exposed about 143 million Americans’ personal information, were the work of hackers who took advantage of a flaw in Apache Struts software. The nonprofit Apache Software Foundation and the U.S. Computer Emergency Readiness Team warned of the bug in early March, but Equifax only alerted its end users on September 7, almost five months later. IT experts say the event highlights the challenges in keeping software current and identifying all potentially vulnerable applications. Continue reading Equifax Breaches Spur Businesses to Prioritize Cybersecurity