Why AudiencePoint doesn’t use Log4J

Dec 20, 2021

Paul Shriner


AudiencePoint does not use Log4J

So let’s get right to the point. In the event you are worried or concerned: AudiencePoint does not use, and has never used, Log4J. For that reason, we are unaffected by this vulnerability.

Managed vs. Unmanaged

Log4J is unmanaged code. It is an open source tool that is part of the Apache Software Foundation, which means that all of the code is made public and anyone can submit changes to the source code. Just because someone submits a change doesn’t mean that the change will be accepted and become part of the product. However, once accepted, the change matures and becomes part of the core code. More code increases the difficulty of identifying and eliminating rogue code.

Code produced by the creator of the compiler is called managed code. Managed code undergoes extreme scrutiny and has a closed system in terms of contributors. Additionally, managed code gives companies and programmers a target for legal responsibility.

Managed code is not inherently safe, nor is unmanaged code inherently unsafe, but they certainly trend in those directions. This does not mean that engineers should never use open source or unmanaged code, but it does mean that you need to be very careful about what you use and what you do not.

AudiencePoint uses both managed and unmanaged code. However, as a policy, any component that has access to personally identifiable information uses only managed code. This policy builds a wall around critical information: if a vulnerability were introduced into the system, its impact would be contained by this approach.

Secure Coding Standards

AudiencePoint has instituted the secure coding standards outlined by OWASP. These standards, in concert with our corporate policy, add additional layers of protection for customer data.

Pseudonymization of Sensitive Data

AudiencePoint has been very careful about which fields are stored, in order to limit the potential impact of a breach. If a field is sensitive, every level of pseudonymization is applied to protect the shared data. Pseudonymization, in the data world, is just a fancy way of saying that data management and de-identification procedures have been implemented so that personally identifiable information is replaced by one or more artificial identifiers, or pseudonyms.
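As an added illustration of the pseudonymization described above (example code, not AudiencePoint’s own implementation): a keyed HMAC replaces each sensitive field with a stable artificial identifier, so records stay joinable while the raw value is never stored, and a check confirms no original value survives. The key, field list and sample record are constructed for the demonstration; in practice the key lives in a secrets manager, apart from the data.

```python
import hmac
import hashlib
import json

# Constructed demo key. A real deployment keeps this in a secrets manager,
# never in the same store as the pseudonymized records.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"

# Constructed list of the fields treated as sensitive for this example.
SENSITIVE_FIELDS = ("email", "phone")


def pseudonymize_value(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Derive a stable, non-reversible pseudonym for one sensitive value.

    Normalizing (strip + lowercase) makes "Alice@Example.com" and
    "alice@example.com" yield the same pseudonym, so records can still be
    joined on the field without the raw value being stored. Without the key,
    the pseudonym cannot be linked back to the original value.
    """
    normalized = value.strip().lower().encode("utf-8")
    digest = hmac.new(key, normalized, hashlib.sha256).hexdigest()
    return digest[:32]  # 128 bits is ample for a collision-resistant identifier


def pseudonymize_record(record: dict, fields=SENSITIVE_FIELDS) -> dict:
    """Return a copy of the record with every sensitive field replaced by a pseudonym."""
    out = dict(record)
    for field in fields:
        if out.get(field) is not None:
            out[field] = pseudonymize_value(str(out[field]))
    return out


def contains_raw_pii(stored: dict, original: dict, fields=SENSITIVE_FIELDS) -> bool:
    """Defensive check before persisting: does any original sensitive value
    still appear anywhere in the record that is about to be stored?"""
    serialized = json.dumps(stored)
    return any(str(original[f]) in serialized for f in fields if original.get(f))


if __name__ == "__main__":
    # Constructed sample record; no real person is described.
    raw = {"id": 1, "email": "Alice@Example.com", "phone": "555-0100", "city": "Denver"}
    safe = pseudonymize_record(raw)
    assert not contains_raw_pii(safe, raw)
    print(json.dumps(safe, indent=2))
```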

Customer Notification

Additionally, if a data breach were to take place, AudiencePoint would immediately contact every customer affected by that breach to make them aware of the event and of the data that was impacted.

Conclusion

The Log4J issue currently in the news has catapulted data security back to the center stage of discussion. Data security requires constant attention, proper planning and awareness of emerging threats. While AudiencePoint is not immune from attack, the combination of policies, planning, and diligence creates an environment where customer data is safer and risk is greatly reduced.