OnDemand | Third Party Risk: Lessons on Log4j
Studying software engineering practices from 100,000 production applications and 4,000,000 open source component migrations, Sonatype uncovered eye-opening behaviors in modern software development, including a surprising trend that nearly 70% of dependency management decisions are suboptimal.
Understanding these migration paths, helps make sense of part of the panic that ensued when a zero-day vulnerability was disclosed in the world’s most widely adopted logging framework, Log4j. If you weren't automating software supply management and weren't paying attention to your dependencies, you were left incredibly vulnerable.
Along with studying production applications, as the stewards of Maven Central, Sonatype teams have monitored download data, ensuring the world has reliable information on the latest Log4shell trends.
In this talk, we will share insights from 2021 software supply chain research along with lessons learned from Log4j to break down how to change your software supply management practices for a more secure SDLC.