The Department of Homeland Security has issued the Cyber Safety Review Board’s inaugural report on the Log4j vulnerability discovered in December 2021.
The CSRB worked with nearly 80 organizations, software developers and other professionals to collect insights on Log4j and come up with recommendations to prevent and respond to future cyber incidents, DHS said Thursday.
According to the report, the vulnerability “remains deeply embedded in systems” and that the government and industry should advance the development and deployment of capabilities, automated frameworks and other tools that would help developers build secure software.
The report offers 19 recommendations classified into four categories: continued vigilance in addressing Log4j vulnerabilities; adoption of industry-accepted standards and practices for vulnerability management and security hygiene; development of a better software ecosystem; and advancement of technological and cultural shifts in support of the country’s digital security.
To advance a better software ecosystem, recommendations include improving software bill of materials tooling and adoptability and increasing investments in open source software security.
“The CSRB is a remarkable public-private initiative that has produced an important blueprint for CISA – our nation’s civilian cyber defense agency – to meaningfully increase cybersecurity resilience and preparedness across our country,” said Jen Easterly, director for the Cybersecurity and Infrastructure Security Agency and a 2022 Wash100 Award winner.
“I look forward to implementing the CSRB’s impactful recommendations and thank the members for their time and thoughtful counsel,” added Easterly.