LOG4SHELL BY THE NUMBERS

From contrastsecurity.com

We monitor many thousands of applications with Contrast Assess (IAST), Contrast SCA, and Contrast Protect (RASP), so we have a unique data set compared to others and, so far, we have some really interesting takeaways. Of course, our data, like any data, is skewed to who and what we measure. This data mostly reflects the state of web applications that enterprises with a security program know about and run.

FIRST — WHAT LIBRARY DO DEVELOPERS CHOOSE TO LOG WITH?

Here’s the data:

  • 64% package log4j2
  • 26% package log4j1
  • 47% package logback
  • 20% of applications use a logger built into the JVM or have no proper logging library

Readers with an elementary school education will immediately notice those numbers add up to more than 100%. It was not surprising to us that 30% of applications use more than one logging library. This mostly happens because many of your dependencies have their own logging calls, and so they transitively pull their own logging dependency into your application.

To that end, it’s not surprising in our data to see applications that package log4j2, log4j1, and logback all at once. Many applications have hundreds of dependencies. A study from York University that tried to measure the state of logging showed that Hadoop packages 6 logging utilities and IntelliJ packages 12. It’s crazy out there in the real world.

(If you’re wondering where slf4j is — slf4j is a wrapper with convenience methods that must be backed by a library that does the actual physical writing to logs — and those “real” loggers are the ones we’re measuring.)
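One way to take the same inventory of your own artifact that the numbers above describe (which "real" logging implementations a packaged application carries, including ones pulled in transitively inside nested jars, and treating slf4j as a facade rather than a logger) is to look for each library's marker class inside the archive. This is an added example, not code from the original post or from Contrast; the marker class paths are the well-known entry classes of each library, and the WAR it scans is constructed inline.

```python
import io
import zipfile

# One class that only ships with the named library. Caveat: log4j 2's log4j-1.2-api
# bridge also carries org/apache/log4j/Logger.class, so a "log4j1" hit needs a second look.
MARKERS = {
    "log4j2": "org/apache/logging/log4j/core/Logger.class",
    "log4j1": "org/apache/log4j/Logger.class",
    "logback": "ch/qos/logback/classic/Logger.class",
    "slf4j": "org/slf4j/Logger.class",  # facade only, not a logger by itself
}


def classify_jar(data: bytes) -> set:
    """Return the libraries whose marker class appears in the archive bytes.
    Nested .jar entries (WEB-INF/lib, BOOT-INF/lib, shaded jars) are scanned recursively."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        found.update(lib for lib, marker in MARKERS.items() if marker in names)
        for name in names:
            if name.endswith(".jar"):
                found |= classify_jar(zf.read(name))
    return found


def real_loggers(data: bytes) -> list:
    """The implementations the post counts: everything found except the slf4j facade."""
    return sorted(lib for lib in classify_jar(data) if lib != "slf4j")


def build_jar(entries: dict) -> bytes:
    """Helper to construct an in-memory jar/war from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: the app itself logs through slf4j + logback, but one of its
# dependencies is a shaded jar that transitively brings log4j 2 core along.
SAMPLE_WAR = build_jar({
    "WEB-INF/classes/com/example/App.class": b"",
    "WEB-INF/lib/slf4j-api.jar": build_jar({MARKERS["slf4j"]: b""}),
    "WEB-INF/lib/logback-classic.jar": build_jar({MARKERS["logback"]: b""}),
    "WEB-INF/lib/some-dependency.jar": build_jar({
        "com/vendor/Thing.class": b"",
        "log4j-core.jar": build_jar({MARKERS["log4j2"]: b""}),
    }),
})

if __name__ == "__main__":
    print("found:", sorted(classify_jar(SAMPLE_WAR)))
    print("real loggers:", real_loggers(SAMPLE_WAR))
```

Running it on a real WAR or Spring Boot jar (`open(path, "rb").read()`) shows the same thing the 30% figure does: a second implementation is usually there because a dependency brought it, not because anyone chose it.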
