What Log4j Teaches Us About Software Maintenance

The National Cyber Security Centre in the UK recently provided information on the "Log4j Vulnerability" that has subsequently caused System Administrators to lose sleep and planned holidays.

A vulnerability was found in Log4j, an open-source logging library commonly used by apps and services across the internet. If left unfixed, attackers can break into systems, steal passwords and logins, extract data, and infect networks with malicious software.

Log4j is used worldwide across software applications and online services, and the vulnerability requires very little expertise to exploit. This makes the Log4shell vulnerability potentially the most severe in years.

Almost all software has some form of ability to log (usually for development and security purposes), and Log4j is a very common component used for this in Java applications.

As developers of bespoke software, oftentimes we use third-party, open-source libraries to enable us to develop applications more quickly and provide industry-standard functionality without the cost and time of developing everything from scratch. This does however mean there is a risk that if when a security vulnerability is identified in one of these libraries, it can also make insecure the software that uses it.

When we have completed a bespoke software development project for a client, we sometimes get asked questions along the lines of: "Why do we need maintenance, isn’t it finished?" and "Can we just fix the issues if they arise?"

Let’s analyse these misconceptions in a little more detail:

1. Most software, or arguably all cloud-based software is never technically "finished". Even if we assume there’s no requirement for new functionality, software requires maintenance just to maintain the current level of functionality.
2. The hardware, technologies, and libraries that software uses often change multiple times per year. Any 'breaking changes' in these components need to be proactively managed.
3. All software becomes obsolete, eventually, unless it is actively maintained.
4. Whilst it is technically possible to only fix issues as they arise, without proactive maintenance there is a very real problem that low and medium-risk vulnerabilities get missed.
5. Fixing major issues only when they arise actually takes longer and costs more than regularly fixing minor issues – the longer the gap between maintenance periods, the less familiar we will be with your codebase, and refamiliarization takes time – that’s wasted time that could have been used to fix actual issues.
6. It’s impossible for us to plan for the unknown, so there's no guarantee we will have the necessary resources available to fix the issues in software that isn’t routinely maintained.

That’s why SIGMA Technology offer monthly maintenance agreements from five days per month (one 'Development Cycle') with terms from 12-36 months. This enables us to actively maintain your software, and plan far enough in advance that we’re able to attract the best talent to work on your project whilst maintaining our competitive prices.

Please check out our Software Maintenance options for more information.

15 December 2021