Unlocking the Full Potential of Post-Log4J Security: A Call for Developers to Push Beyond

Companies Need to Improve Software Supply Chain Security

A recent report by Snyk reveals that while many developers have adopted security testing as part of the development pipeline, companies’ software supply chain security practices still have room for improvement. The report highlights that only a minority of companies currently test software during development or before code is committed. While two-thirds of companies have security tools incorporated into their software build systems, only 40% have deployed security checks into the integrated development environment (IDE), and 48% have implemented them at the code-commit stage.

The report further indicates that 40% of companies do not use any supply chain technologies, such as static application security testing (SAST) or software composition analysis (SCA) tools. This lack of investment in supply chain technologies leaves companies exposed to vulnerabilities and exploits. Randall Degges, head of developer relations at Snyk, emphasizes that every developer should be conducting at least three types of scans: scanning custom code with SAST, checking open-source dependencies with an SCA tool, and analyzing infrastructure files to detect insecure configuration.
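The three scans Degges describes map directly onto pipeline steps. The workflow below is an added illustration written for this page, not configuration from the Snyk report or from Snyk itself; it assumes a GitHub Actions repository, the Snyk CLI installed from npm, and a repository secret named `SNYK_TOKEN` holding the API token (all assumptions, not facts from the page). Each step runs at the pull-request stage, which is the commit-time checkpoint the report says most companies have not yet wired in.

```yaml
# Added example: one job running the three scan types on every pull request.
# Assumed: GitHub Actions, Node.js available, a SNYK_TOKEN repository secret.
name: security-scans
on:
  pull_request:            # gate findings before code is merged
  push:
    branches: [main]

jobs:
  scan:
    runs-on: ubuntu-latest
    env:
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}   # assumed secret name
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Install Snyk CLI
        run: npm install -g snyk

      # 1. SAST: analyse the repository's own source code
      - name: Scan custom code (SAST)
        run: snyk code test --severity-threshold=high

      # 2. SCA: check every manifest's open-source dependencies
      - name: Scan open-source dependencies (SCA)
        run: snyk test --all-projects --severity-threshold=high

      # 3. IaC: look for insecure settings in infrastructure files
      #    (Terraform, Kubernetes manifests, CloudFormation, etc.)
      - name: Scan infrastructure files (IaC)
        run: snyk iac test --severity-threshold=high
```

Each `snyk` command exits non-zero when it finds an issue at or above the threshold, so a high-severity finding fails the job and blocks the merge. The same three commands can be run from a developer's shell or IDE plugin before committing, which pushes the check to the earlier stage the report found lacking.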

Increasing Attention to Software Security

On a positive note, the Snyk report also indicates that more companies are paying attention to software security, especially after the widely exploited vulnerabilities in the Log4J library impacted numerous firms. In the 18 months since Log4Shell and related exploits were released by attackers, the vast majority of companies (94%) have made significant changes to their approach to application security.

According to survey respondents, nearly two-thirds of companies increased the frequency of scanning, while more than half adopted new security tools (59%) and put developers through additional security training (53%). Degges compares the impact of the vulnerability, and the subsequent scramble to close security holes, to Edward Snowden’s release of classified documents: both became major drivers of software security action.

Pros and Cons of AI Tools

The Snyk report also reveals that developers are increasingly using AI assistants to speed up their code production, and they expect to continue using AI in development in the future. However, there are mixed sentiments among developers regarding the security implications of AI-generated code. While 77% of developers believe that they produce better and more secure code using AI tools, 59% still have concerns over potential vulnerabilities in their code.

Randall Degges warns that although developers may be able to build code faster with the help of AI tools, relying too heavily on them can result in less secure code. He emphasizes that developers should understand what the AI-generated code they accept actually does, and should treat all generated code as unsafe by default.

Monitoring and Mitigating Risks in the Open Source Community

The Snyk report highlights an interesting trend in vulnerability remediation. For the first time, developers are fixing vulnerabilities in open source software faster than in custom components. The time to fix (TTF) for proprietary code increased slightly in 2022, while the TTF for open source software continued to decline.

This trend suggests that the open source ecosystem is improving its security response over time, and it is moving towards providing better security than the closed-source world. In fact, the TTF for critical- and high-severity open source vulnerabilities decreased by about half in 2022, marking the third consecutive year of decline.

Randall Degges attributes this improvement in the open source community to increased awareness among open source maintainers about security issues, especially those related to supply chain security. Overall, there has been significant progress in the open source community’s approach to security in the past year.

Conclusion: Strengthening Software Supply Chain Security

The Snyk report highlights the need for companies to prioritize and improve software supply chain security. Incorporating security checks into the development pipeline, deploying security tools within the integrated development environment, and utilizing supply chain technologies such as SAST and SCA tools are crucial steps for ensuring secure software development.

While companies are paying more attention to software security, spurred by high-profile vulnerabilities like Log4J, there is still work to be done. Increasing the frequency of scanning, adopting new security tools, and providing additional security training for developers are critical measures to mitigate risks.

As AI tools become more prevalent in development processes, developers must exercise caution and maintain a solid understanding of the code these tools generate. Trusting AI tools blindly can introduce security vulnerabilities. Developers should assume that all AI-generated code is unsafe by default and take the necessary precautions to secure it.

Furthermore, the open source community has made impressive progress in improving security response and fixing vulnerabilities in a timely manner. Maintainers’ increased awareness of security issues and the emphasis on supply chain security have contributed to this positive trend.

Companies must continue to invest in software supply chain security, adopt best practices, and stay vigilant in an ever-evolving threat landscape. By doing so, they can protect their software systems from vulnerabilities and ensure the integrity and security of their code.

Disclaimer: The views and opinions expressed in this report are those of the writer “” and do not necessarily reflect the official policy or position of The New York Times.

Photo by Martin Baron (illustrative image only; it does not depict the actual situation).