All Day DevOps: Third of Log4j downloads still pull vulnerable version despite threat of supply chain attacks

The Log4j and Equifax incidents showed that many organizations neglect outbound security measures and so expose themselves to ‘next-generation’ supply chain attacks, said AppSec engineer Sean Wright. Speaking at the All Day DevOps event, he added that the common practice of overlooking what’s going out opens the door to attacks leveraging typosquatting, malicious code, package author account takeovers, and others. He recommended reaching out to security teams, using Google’s Open Source Insights and OWASP Dependency-Track, and purging private repositories and local build systems.
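As an added example (not code from the talk or the article), here is one concrete way to act on the last recommendation: a script that walks a Maven local repository (~/.m2/repository) or a Gradle module cache (~/.gradle/caches/modules-2) for cached log4j-core artifacts older than a version you pick as the fix threshold, and purges them so a build cannot quietly resolve them again from the local cache. The threshold default of 2.17.1, the directory-layout handling, and the sample tree the script builds are assumptions of this example; log4j-api is included in the sample only to show it is not flagged, since the vulnerable JNDI lookup lives in log4j-core.

```python
"""Find and purge cached log4j-core artifacts older than a chosen fixed version.

Added example: walks a Maven local repository or a Gradle module cache and
reports every log4j-core version directory below the threshold. The threshold
is a parameter; 2.17.1 is an illustrative default chosen for this example,
not a value taken from the article.
"""
import os
import re
import shutil
import tempfile
from pathlib import Path

DEFAULT_FIXED_VERSION = "2.17.1"  # assumption for this example; set to your own policy


def parse_version(v):
    """Turn '2.0-beta9' / '2.14.1' into a tuple that sorts like Maven does:
    a pre-release tag (beta9, rc1) sorts below the plain release of that number."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(.+))?", v)
    if not m:
        raise ValueError(f"unparseable log4j version: {v!r}")
    major, minor, patch, tag = m.groups()
    nums = (int(major), int(minor), int(patch or 0))
    return nums + ((1, "") if tag is None else (0, tag))


def is_vulnerable(version, fixed_version=DEFAULT_FIXED_VERSION):
    """True when version is strictly older than fixed_version."""
    return parse_version(version) < parse_version(fixed_version)


def _version_dir(jar):
    """Walk up from a jar to the directory whose parent is named 'log4j-core'.
    That directory's name is the artifact version in both the Maven layout
    (.../log4j-core/<ver>/log4j-core-<ver>.jar) and the Gradle layout
    (.../log4j-core/<ver>/<sha1>/log4j-core-<ver>.jar)."""
    for parent in jar.parents:
        if parent.parent.name == "log4j-core":
            return parent
    return None


def find_log4j_core_versions(root):
    """Return sorted [(version_dir, version)] for every cached log4j-core jar."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.startswith("log4j-core-") and f.endswith(".jar"):
                vdir = _version_dir(Path(dirpath) / f)
                if vdir is None:
                    continue
                try:
                    parse_version(vdir.name)  # skip directories that are not a version
                except ValueError:
                    continue
                found.add((str(vdir), vdir.name))
    return sorted(found, key=lambda pv: (parse_version(pv[1]), pv[0]))


def find_vulnerable_log4j(root, fixed_version=DEFAULT_FIXED_VERSION):
    """Subset of find_log4j_core_versions whose version is below fixed_version."""
    return [(d, v) for d, v in find_log4j_core_versions(root) if is_vulnerable(v, fixed_version)]


def purge(version_dirs, dry_run=True):
    """Delete the flagged version directories. Maven/Gradle will re-download a
    version only if a build still declares it, which is the thing to fix next."""
    for d in version_dirs:
        if not dry_run:
            shutil.rmtree(d)
    return list(version_dirs)


def build_sample_cache():
    """Constructed sample tree for this example (empty placeholder files, not real jars)."""
    root = Path(tempfile.mkdtemp(prefix="log4j-cache-"))
    maven = root / "m2" / "org" / "apache" / "logging" / "log4j"
    for v in ["2.0-beta9", "2.14.1", "2.17.1", "2.20.0"]:
        d = maven / "log4j-core" / v
        d.mkdir(parents=True)
        (d / f"log4j-core-{v}.jar").touch()
        (d / f"log4j-core-{v}.pom").touch()
    # log4j-api at a pre-fix version must not be flagged: only log4j-core carries the lookup
    api = maven / "log4j-api" / "2.14.1"
    api.mkdir(parents=True)
    (api / "log4j-api-2.14.1.jar").touch()
    # Gradle-style entry; the hash directory name is constructed for the example
    gradle = (root / "gradle" / "modules-2" / "files-2.1" / "org.apache.logging.log4j"
              / "log4j-core" / "2.14.1" / "0123abcd")
    gradle.mkdir(parents=True)
    (gradle / "log4j-core-2.14.1.jar").touch()
    return str(root)


if __name__ == "__main__":
    root = build_sample_cache()
    for d, v in find_vulnerable_log4j(root):
        print(f"vulnerable log4j-core {v}: {d}")
    purge([d for d, _ in find_vulnerable_log4j(root)], dry_run=False)
    print("remaining:", [v for _, v in find_log4j_core_versions(root)])
```

Run it against a real cache by replacing `build_sample_cache()` with the path to `~/.m2/repository` or `~/.gradle/caches/modules-2`, and leave `dry_run=True` until the list looks right. Purging the cache only removes the local copy; the declaration in the pom or build file, or the transitive dependency that pulls the old version in, still has to be changed, which is what Dependency-Track or Open Source Insights will tell you.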