Real-time Estimate Cboe BZX  -  05/23 10:47:05 am EDT
49.46 USD   +0.68%
05/19GLOBAL ACCESSIBILITY AWARENESS DAY 2022 : Forrester Partners With Work Without Limits To Increase Employment Opportunities For Job Candidates With Disabilities
05/17NextPoint Financial Appoints Jean Birch New Chair of the Board
05/16FORRESTER RESEARCH, INC. : Entry into a Material Definitive Agreement, Change in Directors or Principal Officers, Financial Statements and Exhibits (form 8-K)
SummaryMost relevantAll NewsAnalyst Reco.Other languagesPress ReleasesOfficial PublicationsSector news

Forrester: Attackers Will Likely Exploit The Log4j Vulnerability For Months To Come

12/16/2021 | 11:59am EDT

A vulnerability in Log4j, a popular software tool used by a majority of the internet, is giving attackers the ability to run their own code on whichever system they are targeting. While we have yet to see the full detrimental effects of this vulnerability, it is likely attackers will exploit it for years to come, with attacks presenting themselves in the form of ransomware or other types of cyberattacks.

Additionally, millions of applications use Log4j. As such, if one piece of software used by many applications has a vulnerability, then all applications using that software are at risk. Given the global impact of Log4j, many applications we use on a regular basis are affected, including iCloud, Minecraft, and Cloudflare.

In response to this, Forrester analysts outline the dangers of the Log4j vulnerability and steps security teams should take to protect themselves from attackers as a result.

Forrester VP and Principal Analyst Jeff Pollard:

"For CISOs, Log4j hits the products and services the company uses, builds, and sells. When anything touches those aspects of a company at once, the board will ask questions. Don't wait for them to come to you and react. Instead equip them with the information they need proactively. That includes a primer on why Log4j matters including:

  1. How widespread it is.
  2. Actions taken so far.
  3. Actions underway.
  4. Planned actions.
  5. Any obstacles you foresee and what is needed to address them.

"Provide context to the board on these items in three ways: The status of your company; the status of your customers; and the status of your partners. This demonstrates how your approach to security incorporates the ecosystem in which your company operates and prioritizes potential impact to the business overall, not just impact on the security program."

Forrester Analyst Allie Mellen:

"This vulnerability is so dangerous because of its massive scale; millions of applications use Log4j. Applications on the Internet are a complex system of interconnectedness, which makes it difficult to know what applications might be affected, even your own. Even if your software doesn't use Log4j directly, you may use someone else's software that does and not know it.

"This vulnerability will be used for months if not years to attack enterprises, which is why security teams must strike while the iron is hot. Patch any home-grown software that uses Log4j and coordinate with all vendors to make sure they aren't affected or get patched in a timely manner. Give your security operations center (SOC) the situational awareness it needs to know which applications and assets are affected so it can respond to every single alert that comes in from one of those systems.

"So far, we have seen this vulnerability exploited by attackers looking to deploy cryptominers or set up botnets. This is just the tip of the iceberg - you can be sure attackers are building more complex attack chains to exploit this vulnerability further with attacks like ransomware and information stealers.

"There's a ton for security teams to do and it's all cross-functional. To respond to this vulnerability, we recommend security teams divide and conquer in three buckets: prevention and detection, vendor risk management, and communication:

  • Engage IT and DevOps to identify all home-grown applications affected by this vulnerability and build a plan to patch those systems.
  • Engage IT and your business applications team to reach out to vendors to find out if they were affected by this vulnerability, and if so, what their patching schedule looks like. IT and security must work together to develop their own patching and testing schedule to make sure any updates don't affect business continuity.
  • Communicate to any customers the status of any externally facing applications to ensure they know what systems might be affected and which aren't. Communicate your strategy to your organization and to the board. Communication from the CISO directly is critical to engage the rest of the organization and continue to build leadership."

Forrester Senior Analyst Alla Valente:

"More details are sure to emerge in the coming weeks but from what we know now one thing is clear: risk management of open-source software has not kept pace with the open-source usage boom among public and private sectors. Without a risk management strategy, firms don't have the budget or the resources they need, and, in hindsight, that they should have to effectively deal with Log4j."

Forrester Principal Analyst Sandy Carielli:

"From a DevSecOps standpoint, limiting risk from Log4j and future vulnerabilities means knowing what is in your software and having the automation in place to easily upgrade. To understand and control what software you have in your products, you need to integrate your development pipeline with tooling that: Reports on vulnerable libraries in your software; provides guidance on how to remediate these issues; and sets policies to block and alert when you try to add vulnerable or high-risk libraries to your project.

"In the case of Log4J, a well-integrated software composition analysis (SCA) tool should find all vulnerable instances of Log4j, prioritize them based on how your product calls the component, recommend the upgrade to the fixed version, provide the automation to make that upgrade as seamless as possible - and do all of that in the developer's native environment. Many SCA solutions are extending into broader supply chain issues recommending upgrades when components are stale, out of date, or poorly maintained.

"On the protection front, web application firewall (WAF) vendors are rapidly pushing out new rules to help detect and block attempted Log4j exploits. Accept and activate these new rules quickly - automatically if possible. If you have deployed Runtime Application Self Protection (RASP) on any of your applications, understand how that solution may already be detecting and blocking code execution."

Further information can be found here (One, Two) for reference.

To arrange an interview with any of these Forrester analysts, please reach out to


Forrester Research Inc. published this content on 16 December 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 16 December 2021 16:58:01 UTC.

© Publicnow 2021
05/19GLOBAL ACCESSIBILITY AWARENESS DAY 2 : Forrester Partners With Work Without Limits To Incr..
05/17NextPoint Financial Appoints Jean Birch New Chair of the Board
05/16FORRESTER RESEARCH, INC. : Entry into a Material Definitive Agreement, Change in Directors..
05/12INSIDER SELL : Forrester Research
05/11FORRESTER RESEARCH, INC. : Submission of Matters to a Vote of Security Holders (form 8-K)
05/05FORRESTER RESEARCH : Q1 Earnings Snapshot
05/05TRANSCRIPT : Forrester Research, Inc., Q1 2022 Earnings Call, May 05, 2022
05/05Earnings Flash (FORR) FORRESTER Posts Q1 EPS $0.45
05/05Earnings Flash (FORR) FORRESTER Reports Q1 Revenue $125M
More news
Analyst Recommendations on FORRESTER RESEARCH, INC.
More recommendations
Financials (USD)
Sales 2022 556 M - -
Net income 2022 25,5 M - -
Net cash 2022 96,3 M - -
P/E ratio 2022 37,1x
Yield 2022 -
Capitalization 927 M 927 M -
EV / Sales 2022 1,49x
EV / Sales 2023 1,33x
Nbr of Employees 1 870
Free-Float 47,2%
Duration : Period :
Forrester Research, Inc. Technical Analysis Chart | MarketScreener
Full-screen chart
Technical analysis trends FORRESTER RESEARCH, INC.
Short TermMid-TermLong Term
Income Statement Evolution
Mean consensus OUTPERFORM
Number of Analysts 3
Last Close Price 49,12 $
Average target price 67,50 $
Spread / Average Target 37,4%
EPS Revisions
Managers and Directors
George F. Colony Chairman & Chief Executive Officer
Chris Finn Chief Financial Officer
Steven P. Peltzman Chief Business Technology Officer
Mike Kasparian Vice President-Information Technology
Sharyn Leaver Chief Research Officer
Sector and Competitors
1st jan.Capi. (M$)
YOUGOV PLC-34.38%1 453
MACROMILL, INC.-8.85%312