Open Source in Enterprise - despite Log4J
Without the rapidly growing body of open source software, neither SAP systems nor most modern companies would function today. Currently, the German Federal Office for Information Security (BSI) and the trade press, including our E-3 magazine, are issuing a "red alert" warning about a serious security vulnerability in the widely used Log4J software. This vulnerability is particularly critical because it not only allows attackers to penetrate company networks unnoticed, but also enables them to plant backdoors that are difficult (if not impossible) to detect and to install extensive malicious code in company systems. Even after Log4J has been successfully updated, these can then be used for criminal attacks much later and independently of the original vulnerability.
Even if this sounds like a theoretical risk to many, unfortunately many systems have already been attacked and successfully compromised, and a great deal of damage has been done. Unlike SAP software, there are usually no automatic updates for open source software and no notes such as SAP Notes (SAP has published a dedicated SAP Note for Log4J). To make matters worse, Log4J, like much open source software, is an integral and hidden part of many other components and solutions, which makes it difficult and costly to find.
It is important that the use of open source components in the company is regulated and monitored by a professional process. Specialized solutions, such as those from the Mannheim-based start-up VersionEye or from Snyk in Israel, are available for this purpose. Both solutions not only know the current version of individual components, but can also monitor nested bills of materials of open source components; in other words, they know where a component has also been installed transitively, inside other components. In addition, these solutions provide other important information, such as quality indicators (for example, update frequency or distribution), known security vulnerabilities and the underlying license types. They can automatically warn developers when risks are identified or company standards are violated, for example when unapproved open source components are used.
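As an added illustration (not code from the article, VersionEye or Snyk), the following Python script walks a constructed nested bill of materials, reports the full path through which every component is pulled in, and checks each one against a sample company policy for unapproved components, disallowed licenses and a known-vulnerable version range; all component names, versions and the policy itself are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Component:
    name: str
    version: str
    license: str
    deps: list = field(default_factory=list)

def version_key(v):
    # "2.14.1" -> (2, 14, 1); non-numeric parts compare as 0 (simplification)
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def audit(comp, policy, path=()):
    """Depth-first walk of the nested BOM; returns (kind, path, detail) findings."""
    path = path + (f"{comp.name}@{comp.version}",)
    chain = " > ".join(path)          # where the component is really installed
    findings = []
    if comp.name not in policy["approved"]:
        findings.append(("unapproved", chain, comp.name))
    if comp.license not in policy["licenses"]:
        findings.append(("license", chain, comp.license))
    for name, lo, hi in policy["vulnerable"]:
        if comp.name == name and \
           version_key(lo) <= version_key(comp.version) <= version_key(hi):
            findings.append(("vulnerable", chain, f"{name} {lo}-{hi}"))
    for dep in comp.deps:             # recurse into hidden, transitive parts
        findings.extend(audit(dep, policy, path))
    return findings

# Constructed sample policy and dependency tree (hypothetical, not real project data).
POLICY = {
    "approved": {"erp-addon", "web-framework", "log4j-core", "json-lib"},
    "licenses": {"Apache-2.0", "MIT"},
    # (name, first affected, last affected): sample range for illustration only
    "vulnerable": [("log4j-core", "2.0", "2.14.1")],
}
TREE = Component("erp-addon", "1.0", "Apache-2.0", [
    Component("web-framework", "5.3", "Apache-2.0", [
        Component("log4j-core", "2.14.1", "Apache-2.0")]),  # hidden, in affected range
    Component("json-lib", "3.1", "MIT", [
        Component("log4j-core", "2.17.1", "Apache-2.0")]),  # hidden, outside range
    Component("fancy-chart", "0.9", "GPL-3.0"),             # unapproved + license
])

if __name__ == "__main__":
    for kind, chain, detail in audit(TREE, POLICY):
        print(f"{kind:10} {detail:22} via {chain}")
```

The printed path is what makes the report actionable: it names the component that actually pulled Log4J in, which is where the update has to happen.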
As cyberattacks on companies and their value chains increase due to the ever more important, complex and constantly changing IT and SAP worlds, monitoring of the underlying infrastructure, such as servers and networks, is becoming increasingly important alongside open source monitoring. Although this is even more complex than open source monitoring, it is still advisable to start immediately and get a picture of the current risk situation in your own company. In addition to detailed information on the security situation, modern solutions such as LocateRisk from Darmstadt or the much older SecurityScorecard from New York also provide a comparison with similar companies (peer group), so that you can measure where you currently stand in your own cyber security.
In addition, recommendations for fixing the detected problems and improving one's own security posture are usually provided. LocateRisk, for example, offers a special service to detect and fix the current Log4J threat more quickly. It is important that open source and infrastructure monitoring are as configuration-free and highly automated as possible, and that they can be integrated, if required, into existing systems and dashboards.
Even though the current global supply chain disruptions were (mostly) not triggered by cyber security attacks but, among other things, by the Covid-19 pandemic, this could change. Some corporations therefore already have their key suppliers monitored by cyber security monitoring solutions or require open source audits, as SAP does for partners with solutions on the SAP price list.