Apache Software Foundation president David Nalley told a Senate hearing Tuesday that the Log4j vulnerability emerged from the complex interaction of multiple systems combined with Java code dating back to the 1990s. ("Java Logo" by mrjoro is licensed under CC BY-NC 2.0)

Apache Software Foundation president David Nalley told a Senate hearing Tuesday that "none of the automated tools on the market today" would have caught the Log4j vulnerability prepublication or even very recently.

Nalley testified before the Senate Homeland Security and Government Affairs Committee in its second hearing about the Log4j bug, following an earlier hearing with Cybersecurity and Infrastructure Security Agency Director Jen Easterly.

The vulnerability in one of Java's most popular packages stems from code written for the Apache-overseen project in 2013. Nalley said that bug was resilient to automated tools and seven years of contributors auditing the code, because the problem came from the complex interaction of multiple systems combined with Java code dating back to the 1990s.

"I'm not sure how we get around that without good understanding of those systems and good thinking of potential malicious uses," he said.

Lawmakers, though clearly concerned with the wide reach of open source software vulnerabilities, recognized it was a critical part of the software ecosystem.

"Open source software is inextricably woven into every bit of software we use every day. The answer to the problem is not to stop using it," said Sen. Rob Portman, R-Ohio.

Instead, questions from Sen. Alex Padilla, D-Calif., focused on issues like the "free-rider" problem, where users take advantage of open-source software without contributing to its development.

Nalley said that Apache viewed its mission as creating free software that was widely used, and did not have an interest to compel any users to support the project that did not choose to do so. But, he said, instances like Log4j encourage participation. Fellow witness Brad Arkin, senior vice president and chief security and trust officer for Cisco, added that users with resources are likely to participate out of self-interest to guide projects in directions that benefit them.

Trey Herr, director of the Atlantic Council think tank's Cyber Statecraft Initiative, noted the biggest freeloaders were the closest to the hearing.

"There is more that industry can do," he said. "But as it stands at the moment, industry efforts already vastly outstrip federal support for this infrastructure."