VentureBeat: Why you need a software bill of materials

The recent Log4j vulnerability has exposed systemic problems in how businesses, and the community at large, audit their software.

Early indications show the Log4j vulnerability was being weaponized and exploited days before the news broke about its existence. Organizations needed to take action immediately to find all instances of the vulnerability in linked libraries, but most had no clear overview of where such instances existed in their systems. Google’s own research showed that more than 8% of all packages on Maven Central have a vulnerable version of Log4j in their dependencies, but of that group only a fifth declared it directly. This means that around 28,000 packages on Maven Central are affected by these bugs while never directly declaring or using Log4j. Read the rest on VentureBeat: https://venturebeat.com/business/why-your-organization-needs-a-software-bill-of-materials/