The wrong lessons to learn from the Log4j vulnerability

Dec 16, 2021

Log4j and Java suck, but I don't use them, so I'm safe...right? Wrong. This video walks through the wrong lessons to take away from the huge Log4j remote code execution vulnerability, and points you at the lessons you should be learning instead. While the Log4j vulnerability may not directly affect you, vulnerabilities of its type certainly do.

CHAPTERS

00:00 Hook

00:10 Intro

00:35 Log4j vulnerability explained

01:58 1. It's Java's fault

02:51 2. Avoid popular libraries

04:05 3. Avoid 'enterprise' libraries

05:02 4. Backwards compatibility is bad

06:36 5. Write your own common libraries

08:18 Lessons to learn

08:31 1. Sanitize user inputs

09:09 2. Use popular libraries

09:29 3. Keep your libraries up to date

10:19 Outro

LINKS
Log4j - https://logging.apache.org/log4j/2.x/
Log4j disclosure - https://cve.mitre.org/cgi-bin/cvename.cgi

SLEUTH
A deploy-based DORA / Accelerate Metrics tracker both managers and developers love.
Website - https://sleuth.io
Live Demo - https://app.sleuth.io/sleuth/sleuth/metrics/lead_time

Follow us on:
LinkedIn - https://www.linkedin.com/company/sleuth-io
Twitter - https://twitter.com/sleuth_io
Facebook - https://www.facebook.com/SleuthHQ
Twitch (Don streams MTTh, 3 PM MST) - https://twitch.com/mrdonbrown