The recent Log4j turmoil has revealed severe problems and structural difficulties in the way we develop and market software. Very frequently, open source software components like the Log4j library are built into larger software products and may even become integral – but highly invisible – parts of critical applications. People hope that Linus’s law, “given enough eyeballs, all bugs are shallow”, applies, whereas in reality it does not – at least not in absolute terms. In fact, I would argue that every (non-trivial) software component contains bugs, and there is hardly anything that can be done about it. In particular, this fact is independent of the economic model of software development; it applies equally to open source and proprietary software. Openness does not magically make software more secure. The “many eyeballs” that might find bugs do not necessarily focus on bug-finding. Such work tends not to be at the top of software developers’ priority lists; they prefer to spend their time on more interesting and challenging tasks, like implementing new features and functions. This means that some (subtle) bugs persist, and Log4j is no exception here.
The most obvious lesson learnt from Log4j is that every software component is important from a security perspective. You cannot build secure software on top of insecure components. If a component is built into a product, then that component must be as secure as the other components. Otherwise, it becomes the weak link that breaks the entire system. Another – maybe less obvious – lesson is that it is not primarily about creating software; rather, it is about maintaining and steadily improving it. This must be a professional activity that is funded in some way. This is well understood in companies that develop and sell proprietary software; it is less well understood in other circles. Without funding, open source software will suffer the tragedy of the commons and will not be maintained and improved professionally. This means that old bugs (or features) may well be shallow, yet will still hit us badly. The Log4j story will be continued soon (starring another software component); stay tuned.