How has the Channel ecosystem been affected?
Security partners should help secure the software supply chain and show companies how this technology works.
The discovery of Log4Shell at the end of last December caused an uproar across industries as organizations rushed to determine whether their systems were among the hundreds of millions worldwide that used the Java-based logging utility, Log4j. Just weeks after the vulnerability was identified, the Federal Trade Commission (FTC) issued a warning that all companies must apply patches or face legal action.
With the risk of legal action looming, the next logical step would be to apply the necessary fix. This would suffice in most scenarios, but Log4Shell presented a new set of challenges – it was extremely difficult for companies to determine where the fix was needed. The consequences of this vulnerability have left companies scrambling to determine if the flaw was present in their systems so they can work to identify the fastest and most effective course of action. Many organizations have turned to their trusted advisors (partners) for advice on solutions and services that could help them.
When large-scale security threats emerge, it’s a stark reminder to partners that malicious actors are always on the move, finding ways to cause massive damage to the business. Now, more than six months after the initial discovery of Log4Shell, there has been a change in the channel environment. Businesses are looking for security partners who help them stay protected against today’s inevitable business threats.
What does this mean for the channel and how can organizations ensure their security expectations are met? We’ll take a look.
Channel and software security
Software and application security (AppSec) has been at the forefront of discussions with partners in the wake of Log4Shell and attacks like SolarWinds with far-reaching impacts on the software supply chain as organizations are increasingly aware of the threats that exist in their digital environments. These types of vulnerabilities and attacks that affect businesses of all sizes, regardless of industry, are attracting attention in a way that is prompting organizations to re-examine their security profile.
These high-profile security threats have reminded organizations that, just as a mechanic lifts the hood during a regular checkup even when the engine is running fine, they should regularly review the intricacies of their security tools to ensure that everything is working properly. When organizations dive deeper, most find that they are largely unaware of what the software they run includes. This is another opportunity for partners to offer advice and solutions.
There is a disturbing disconnect between users and their software. Open source has become a fundamental component of software. In fact, 98% of Internet software and codebases are open source, alongside 96% of enterprise software/software as a service (SaaS). Although open source is widely adopted in everyday enterprise software, 85% of codebases contain outdated open source code more than four years old and 88% use components that were not the latest version available. Those numbers should set off some alarm bells: there is a lack of software maintenance indicating that most systems are not up to date.
These outdated systems put businesses at higher risk of successful exploitation by cybercriminals. Perhaps the most concerning part of outdated systems is the reality that most remain outdated due to the unfortunate fact that many don’t know what’s in their systems or that an updated version is available. Modern software requires unique monitoring that many are not used to or prepared to deal with.
Software and application security has become a critical part of ensuring business continuity, but even the most trusted vendors are not…