Along with a host of frenzied updates and patches, Log4Shell brought something else to the table: an intense renewed scrutiny among business leaders and governments around “open source.” What most of these critics are not aware of is that much of the software powering their success isn’t created by commercial vendors, but is created by volunteers and that some of their most critical systems use open-source software. Furthermore, most critics can’t confidently point to a list of all the open-source software powering their own success.
Similar to the response we’ve seen to major incidents like HeartBleed, Dirty Cow, and the Equifax experience with Apache Struts, governmental reviews are underway, and some are seeking to replace the “bad open-source component” – in this case, log4j – with a “more secure alternative.” But there is an important aspect of open source in modern society that is being overlooked in these scenarios – it’s highly trusted.
You’ve heard of the supply chain, but what about the software supply chain?