HCLSoftware on the Frontlines to Combat the Log4j Vulnerability


As a provider of application software security scanning, vulnerability detection and enterprise-wide remediation, HCLSoftware is helping its customers protect against Log4j-based threats.


PUBLISHED DATE: December 15, 2021


Since the Log4j vulnerability became headline news late last week, the HCLSoftware support team has fielded hundreds of communications from customers concerned about their exposure to this latest vulnerability. As a provider of application software security scanning, vulnerability detection and enterprise-wide remediation, HCLSoftware has been thrust onto the frontlines to combat Log4j-based threats.

“Log4j is bad. The level of risks here is extreme,” said Kristin Hazelwood, Vice President and General Manager of HCL BigFix. “Don't think this is going to go away any time soon. We're just starting to get a glimpse of what is being tried out there in the wild. Products like HCL AppScan and HCL BigFix are essential tools in dealing with this crisis.”

Together, HCL BigFix and HCL AppScan work to find and fix the Log4j vulnerability in source code and in any running product in the customer’s environment, on any device: desktop, laptop, server, virtual machine or cloud endpoint. HCL AppScan can help developers scan for Log4j using the Open-Source Analysis (OSA) capability in its cloud-based application security testing solution. AppScan on Cloud (ASoC) offers an unparalleled suite of comprehensive security testing tools available on the cloud, including SAST, DAST, IAST and OSA. HCL BigFix plays a critical role in an enterprise’s ability to automatically find vulnerable systems, harden them against attack and, in the event of an attack, remediate systems back into production.

Enterprises and developers that do not have vulnerability management or application security solutions have a lot of work ahead of them. The first step in defending against Log4j is to find Log4j wherever it exists.

“Investigate every internet facing application, website, and system that you own or use. This includes self-hosted installs of vendor products and cloud-based services,” said Hazelwood. “Focus on systems that are internet-facing that contain sensitive data. Once you’ve completed assessing your hosted apps and vendor systems, move on to endpoint applications. Java-based apps like WebEx, Citrix, and hundreds more that have been identified.”

The next step is patching, in the same order as the installs, products and services Hazelwood lists above: internet-facing systems holding sensitive data first, then the remaining hosted apps and vendor systems, then endpoint applications. Where no patch is yet available, apply the vendor’s mitigation; where no mitigation exists either, uninstall the vulnerable application.
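The “find Log4j wherever it exists” step above, worked through as an added example (this is not HCL’s or the page’s code): a Python scanner that walks a directory tree, opens every JAR/WAR/EAR, recurses into archives nested inside archives, and reports each log4j-core copy with its version and whether JndiLookup.class is still present. The Maven pom.properties path and the JndiLookup class location are those of the real log4j-core artifact; the version thresholds for CVE-2021-44228 (2.0-beta9 through 2.14.1 affected, 2.15.0 an incomplete fix, 2.16.0 the complete one) are facts about the CVE that the page itself does not state; the sample jars are constructed fixtures.

```python
"""Inventory log4j-core copies under a directory tree (added example).
Recurses into archives nested in archives, as with JARs inside a WAR."""
import io
import os
import re
import tempfile
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Maven metadata shipped inside log4j-core jars; carries a "version=" line.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class whose removal from the jar is the documented hot-fix for CVE-2021-44228.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FILENAME_VERSION = re.compile(r"log4j-core-(\d[\w.\-]*?)\.jar$")


def version_key(version):
    """Sort key for log4j versions ('2.0-beta9', '2.14.1'); a pre-release
    tag sorts below the corresponding release."""
    base, _, tag = version.partition("-")
    nums = tuple(int(n) for n in re.findall(r"\d+", base))
    return (nums + (0, 0, 0))[:3], 0 if tag else 1, tag


def classify(version, has_jndi_lookup):
    """Status against CVE-2021-44228. Bounds are facts about the CVE, not from
    the page: 2.0-beta9..2.14.1 affected, 2.15.0 incomplete fix, 2.16.0 fix."""
    if version is None:
        return "UNKNOWN-VERSION"  # relocated/shaded copy: inspect by hand
    key = version_key(version)
    if key >= version_key("2.16.0"):
        return "PATCHED"
    if key >= version_key("2.15.0"):
        return "PARTIAL-FIX"  # still subject to CVE-2021-45046; upgrade
    return "VULNERABLE" if has_jndi_lookup else "MITIGATED"


def scan_archive(data, display_path, findings):
    """Inspect one archive held in memory, then every archive nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container (corrupt download, renamed file)
    with zf:
        names = set(zf.namelist())
        has_jndi = JNDI_LOOKUP in names
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version is None:  # metadata stripped: fall back to the artifact name
            m = FILENAME_VERSION.search(display_path)
            version = m.group(1) if m else None
        if has_jndi or version is not None:
            findings.append({"path": display_path, "version": version,
                             "jndi_lookup": has_jndi,
                             "status": classify(version, has_jndi)})
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(name), f"{display_path}!/{name}", findings)


def scan_tree(root):
    """Return one finding dict per log4j-core copy found under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, findings)
    return findings


def make_jar(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_sample_tree():
    """Constructed fixtures, not real artifacts: three log4j-core copies and
    one unrelated jar, laid out like an application server's directories."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    for d in ("lib", "legacy"):
        os.makedirs(os.path.join(root, d))
    stub = b"\xca\xfe\xba\xbe"  # class-file magic is enough for a fixture
    core_jar = lambda v: make_jar({POM_PROPS: f"version={v}\n", JNDI_LOOKUP: stub})
    fixtures = {
        "lib/log4j-core-2.14.1.jar": core_jar("2.14.1"),  # unpatched -> VULNERABLE
        "legacy/log4j-core-2.14.1.jar": make_jar({"org/apache/logging/log4j/core/Logger.class": stub}),  # class deleted, metadata gone -> MITIGATED
        "app.war": make_jar({"WEB-INF/lib/log4j-core-2.16.0.jar": core_jar("2.16.0")}),  # nested -> PATCHED
        "lib/commons-io-2.11.0.jar": make_jar({"org/example/Util.class": stub}),  # not log4j -> ignored
    }
    for rel, data in fixtures.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f["status"], f["version"], "JndiLookup" if f["jndi_lookup"] else "-", f["path"])
```

The filename fallback matters because the widely used hot-fix (`zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`) leaves a jar whose name still says 2.14.1: a scanner keyed only on filenames reports it as vulnerable, while one keyed only on Maven metadata misses a jar that was repackaged without it. The script reads whole archives into memory and does not look at exploded class directories or at what a running JVM has actually loaded, so treat its output as an inventory that feeds the patch queue, not as proof of absence; pushing such a scan to every endpoint and collecting the results is the job the article assigns to endpoint management tooling.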

The pandemic has moved many endpoints into work-from-home environments, which makes keeping every endpoint patched and compliant harder. Operations teams cannot rely on work-from-home employees to patch their own systems, even with clear instructions. This is where IT Operations is essential to beating Log4j-based attacks.

“While there are many vulnerabilities that senior leaders do not need to know about, Log4j is not one of them,” said Hazelwood. “Senior leaders need to position their IT Operations teams among their most vital employees and adopt systems that enforce continuous compliance.”

For a free demonstration of HCL AppScan’s Open-Source Analysis tool and suite of security testing tools, including SAST, DAST and IAST, for web and open-source applications, please contact us here. For more information about HCL BigFix, please visit this page.

About HCLSoftware

HCLSoftware, a division of HCL Technologies (HCL) develops, markets, sells and supports over 30 product families in the areas of Customer Experience, Digital Solutions, DevSecOps, and Security and Automation. HCLSoftware is the cloud-native solution factory for enterprise software and powers millions of apps at more than 20,000 organizations, including over half of the Fortune 1000 and Global 2000 companies. HCLSoftware's mission is to drive ultimate customer success with its IT investments through relentless product innovation.

Media Contact

Jeremy McNeive