Post-Log4Shell: How Has the Channel Ecosystem Been Affected?

Tom Herrmann

The discovery of Log4Shell late last December unearthed an uproar throughout industries as organizations scrambled to unveil whether their devices were alongside the hundreds of millions worldwide that utilized the Java-based logging utility, Log4j. Just weeks following the identification of the vulnerability, the Federal Trade Commission (FTC) issued a warning for businesses that all must apply patches or face legal action.

With the risk of legal action looming, the logical next step would be to apply the necessary patch. This would be enough in most scenarios, but Log4Shell presented a new set of challenges – it was extremely difficult for businesses to determine where the patch was necessary. The aftermath of this vulnerability left businesses scrambling to establish if the flaw was present within their systems so they could work to identify the quickest and most efficient course of action. A lot of organizations turned to their trusted advisers (partners) for guidance on solutions and services that could help.

When large-scale security threats emerge, it’s a stark reminder for partners that bad actors are always on the move, finding ways to cause tremendous business damage. Now, more than six months following the initial Log4Shell discovery, there’s been a shift within the channel environment. Businesses are in pursuit of security partners that enable them to remain protected against today’s inevitable enterprise threats.

What does this mean for the channel and how can organizations ensure their security expectations are met? Let’s take a look.

The Channel and Software Security

Software and application security (AppSec) have been brought to the forefront of partner discussions following Log4Shell and attacks like SolarWinds with far-reaching software supply chain impacts as organizations have become increasingly aware of the threats that exist within their digital environments. These types of vulnerabilities and attacks that impact businesses of all sizes, regardless of their industry, garners attention in a way that influences companies to re-examine their security profile.

These wide-ranging security threats have reminded organizations that — much like when a car engine is working it doesn’t mean a mechanic won’t lift the hood to examine what’s underneath during a regular checkup — they must also routinely examine the intricacies of their security tools to ensure everything is operating properly. When organizations take a deeper dive, most realize they’re largely unaware of what comprises the software they’re running. This is another opportunity for partners to offer advice and solutions.

There’s a concerning disconnect between users and their software. Open source has become a foundational component of software. In fact, 98% of software and internet codebases contain open source alongside 96% of enterprise software/software-as-a-service (SaaS). Despite open source being widely adopted within enterprise software used daily, 85% of codebases contain open source more than four years out of date and 88% utilized components that weren’t the latest available version. These numbers should raise alarms — there’s a lack of software maintenance pointing to most systems not remaining up to date.

These outdated systems place enterprises at higher risk of successful exploitation by cybercriminals. Arguably the most concerning part of outdated systems is the reality that most remain out-of-date due to the unfortunate fact that many don’t know what’s within their systems or that an updated version is available. Modern software requires unique oversight that many aren’t accustomed to or prepared to handle.

Software and application security have become core components to enable business continuity, but even the most dependable vendors aren’t …