
It's times like these you learn to live again

Andrew Robinson Dec 14, 2021

Let out a good SBOM and carry on...

...Or just maybe we'll learn to love a good SBOM! An SBOM is not what you think it is -- it is *not* the reaction your CEO or CISO exclaimed when they heard about the latest zero-day -- log4shell -- a vulnerability with the potential to pwn your business.

A software bill of materials (SBOM) is a list of software components. By now we should all be aware that all good software programs are built from smaller component parts. And sometimes those smaller components have major vulnerabilities.

Despite a renewed focus on "shift left" in security, moving attention from infrastructure operations to secure coding practices (which really should always have been the case), vulnerabilities still happen, and so SBOM requirements are a fairly new mechanism to help (thank Biden).

A good SBOM would let you know whether your application includes log4j, and an even better one will include version information so you can tell whether you're vulnerable or not.
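As an added illustration (not code from 6clicks), here is the kind of check a digital SBOM makes possible: walk a CycloneDX-style component list, including nested transitive dependencies, and flag every log4j-core entry whose version is older than a configured fixed version or that carries no version at all. The SBOM content is constructed sample data, and the default threshold of 2.15.0 is an assumption for the example; the real cut-off belongs to the vendor advisory you are working from.

```python
import json
import re

# Constructed CycloneDX-style SBOM (sample data, not any real project's SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "com.example", "name": "reporting-service",
         "version": "3.2.0",
         "components": [  # nested component = transitive dependency
             {"type": "library", "group": "org.apache.logging.log4j",
              "name": "log4j-core", "version": "2.17.0"}]},
    ],
})


def version_key(version):
    """Turn '2.14.1' or '2.0-beta9' into a tuple of ints for ordering."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def walk_components(components):
    """Yield every component, descending into nested (transitive) ones."""
    for comp in components:
        yield comp
        yield from walk_components(comp.get("components", []))


def find_affected(sbom_json, name="log4j-core", fixed_version="2.15.0"):
    """Return (name, version, affected) for every component called `name`.

    A component is flagged when its version sorts below `fixed_version`
    or when the SBOM carries no version at all (it cannot be proven safe).
    The default threshold is an assumption for this example; take the
    real one from the vendor advisory you are working from.
    """
    fixed = version_key(fixed_version)
    hits = []
    for comp in walk_components(json.loads(sbom_json).get("components", [])):
        if comp.get("name") == name:
            ver = comp.get("version", "")
            hits.append((name, ver, not ver or version_key(ver) < fixed))
    return hits


if __name__ == "__main__":
    for name, ver, affected in find_affected(SAMPLE_SBOM):
        print(f"{name} {ver}: {'AFFECTED' if affected else 'ok'}")
```

Running it on the sample flags the direct log4j-core 2.14.1 and clears the transitive 2.17.0; an entry with no version is reported as affected so that it gets reviewed rather than silently passed.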


6clicks' Initial Response to Log4shell

Partners and customers have been quick to ask us if we're vulnerable and following an initial review of our environment, we can confirm the 6clicks app is not impacted. 

First, we reviewed the Microsoft Azure services on which the core 6clicks app is hosted, by reading open source information published by Microsoft and subsequently discussing it with Microsoft in a call with our account manager. The Microsoft Azure services 6clicks depends upon were not using the vulnerable log4j library.

Secondly, we reviewed other components that do not host customer information. There were two such components for which we took further action, both of which have now been configured in accordance with vendor guidance to mitigate exploitation (aka a virtual patch was applied), and we'll actually patch when patches become available.

Our review has included contacting relevant vendors, in the same way our partners and customers contacted us. We were able to do this because we understand our (at least critical) components and suppliers, although a digital SBOM (perhaps the only way an SBOM should be prepared and maintained) certainly would have made it easier and faster.


It Never Ends But We Can Learn

We are using a collection of security tools to continue to block and monitor this and other attack behaviours. It has also been a good reminder to keep up the focus on "shift left" and to take those SBOM requirements seriously as they get introduced into the standards we apply and the agreements we enter into. They will help.


We're never far away!

If you're a partner, customer, or legitimate security researcher wanting to receive or share any further information, please don't hesitate to contact security@6clicks.com.
