Security Issues We Must Recognize and Respond to Quickly
  • Author: Administrator
  • Date: 2022.01.19


When examining the composition of the E-GENE solution, it is similar to other web software products in that it combines various server libraries, front-end libraries for UI support, and other functional components into a single product. On this foundation, web source code, JavaScript, and databases work together to create a complete solution for end users.


During development, the product undergoes extensive testing to ensure stability, and continuous updates are performed to address common security risks by analyzing vulnerabilities and implementing countermeasures.


However, one persistent issue is security vulnerabilities, which attackers exploit to cause significant damage.


This article discusses two major categories of security issues and also addresses the recent Log4j vulnerability.




Two Main Categories of Security Issues

- Security issues arising from dependent libraries

- Security issues that can occur during development


A prime example of the first category is the Log4j vulnerability. Log4j, maintained by the Apache Software Foundation, is widely trusted and pulled in by many other libraries and frameworks, including the Spring Framework, which makes it one of the most widely depended-upon Java libraries.


[Figure 1: Log4j Dependency Graph]


According to Google’s Open Source Insights team (James Wetter, Nicky Ringland), 35,863 Java artifacts available on Maven Central depend on Log4j code, and over 80% of those affected artifacts pick it up indirectly, through transitive dependencies rather than a direct one.

(Source: https://security.googleblog.com/2021/12/understanding-impact-of-apache-log4j.html)


When the Log4j vulnerability was disclosed, operators of Java-based web services scrambled to determine whether they used the affected library and to assess the impact, mobilizing every available resource. Solution providers were in crisis mode as well. While packaged products could be patched quickly, sites built by system integrators (SI) often had difficulty even identifying where the library was in use, let alone fixing it.


Moreover, attacks exploiting the vulnerability surge immediately before and after disclosure, making rapid response critical. As shown in [Figure 2: Log4j News Search], the topic became a global hot issue.


[Figure 2: Log4j News Search]


Our E-GENE customers also raised numerous inquiries about Log4j’s impact. Fortunately, E-GENE manages software versions and library environments, enabling quick vulnerability analysis and response. When the Log4j issue arose, we promptly assessed its impact and implemented countermeasures.
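The impact check described above, as an added example (not E-GENE or STEG code): a Python scanner that looks inside a deployed JAR/WAR, including jars nested under WEB-INF/lib, for log4j-core's Maven metadata and for its JndiLookup class, and flags versions below an assumed fixed-version threshold. The sample WAR is constructed in the script so it runs offline.

```python
"""Find bundled log4j-core inside a JAR/WAR, including nested jars.
Added example, not E-GENE/STEG code. FIXED_VERSION is an assumed threshold;
confirm affected ranges against the current Apache advisory before acting."""
import io
import re
import zipfile

# Real paths inside a log4j-core jar: Maven metadata and the JNDI lookup class.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 17, 1)  # assumption: older 2.x builds are flagged for review

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0): only leading digits count."""
    parts = [re.match(r"\d+", p) for p in text.strip().split(".")]
    return tuple(int(m.group()) for m in parts if m)

def needs_review(version):
    return parse_version(version) < FIXED_VERSION

def scan_archive(data, name="archive"):
    """Return (path, version, jndi_lookup_present) for each log4j-core found,
    descending into nested .jar/.war entries such as WEB-INF/lib."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
            version = next((ln.split("=", 1)[1].strip() for ln in props
                            if ln.startswith("version=")), "unknown")
            findings.append((name, version, JNDI_CLASS in names))
        for entry in sorted(names):
            if entry.endswith((".jar", ".war")):
                findings.extend(scan_archive(zf.read(entry), f"{name}!/{entry}"))
    return findings

def build_sample_war():
    """Constructed sample: a WAR bundling log4j-core 2.14.1 under WEB-INF/lib."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\nversion=2.14.1\n")
        jar.writestr(JNDI_CLASS, b"placeholder, not real bytecode")
    with zipfile.ZipFile(outer, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for p, v, j in scan_archive(build_sample_war(), "app.war"):
        print(p, v, "JndiLookup present" if j else "", "REVIEW" if needs_review(v) else "ok")
```

For a real inventory, read each deployed archive's bytes from disk and pass them to scan_archive; a finding with JndiLookup present and a flagged version is the case that needs immediate attention.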



Security Issues During Development


These arise when mistakes in the application's own source code are exploited maliciously. Common examples include:

- SQL Injection: Attackers execute SQL commands of their choosing by exploiting input that is not validated before it reaches a database query.

- XSS (Cross-Site Scripting): Unvalidated input is rendered as script in other users' browsers and executed there, leading to data theft or malware infection.


To prevent such issues, STEG conducts regular internal vulnerability checks, performs simulated hacking on project sites, and applies security patches for discovered vulnerabilities. We also share findings with clients to ensure these issues do not occur in their environments, following internal processes to maintain product stability.


However, unintended vulnerabilities can arise during feature additions or new functionality implementation. Continuous awareness, knowledge sharing, and training during development are essential.


New vulnerabilities and attack methods emerge daily, but through these ongoing efforts, we believe we can build safer products.


Deputy General Manager Park Jeong-Woo, R&D Division, STEG Inc.


Related Information:

- Understanding the Impact of Apache Log4j Vulnerability

- Apache Log4j Security Vulnerabilities

- Apache Log4j Core Repository

- https://www.boho.or.kr