
December 8, 2022

Resources for Preparing for and Responding to Novel Security Vulnerabilities

By IT Revolution

December 10, 2021. For many, this date brings back nightmares, cold sweats, and panic. On this day, CVE-2021-44228 was issued for a novel security vulnerability discovered in Log4J, a logging library used in Java development since 2001: Log4J could be provoked into loading code from an attacker’s host. And because Log4J was widely used in on-premises software, software as a service (SaaS), and internally developed applications, the vulnerability was sure to reach far and wide.

Over the next several days, the Log4J vulnerability (also known as Log4Shell) dominated technologists’ social media feeds, disrupted vacations and holiday joy, and was possibly the wake-up call many organizations needed.

As Randy Shoup et al. describe in their paper Responding to Novel Security Vulnerabilities, “Vulnerable versions of Log4j were in organizations’ applications’ direct dependencies and in their transitive dependencies. It was embedded in vendor products, including monitoring, visualization, and security tools. Mitigating this vulnerability required companies to change application configurations in anything Java-based. Remediating it required dependency updates, testing and deployment cycles, and redeployment of vendor software.”

The size and scope of this vulnerability highlighted for many organizations that they were still ill-prepared to respond to attacks of this nature. Despite increasing investment in IT security for known vulnerabilities, companies still face the mounting challenge of how to address novel vulnerabilities. How do we prepare for the unknown? 

In the aftermath of Log4J, some organizations responded quickly and with relative ease, while others lost days before even beginning their response. As the anniversary of Log4J looms, we wanted to pull together resources that show what this community has learned and how we can better prepare for a future of unknowns.

Responding to Novel Security Vulnerabilities

At the 2022 DevOps Enterprise Forum, a summit of thought leaders from technology and business, Log4J was still top of mind. Log4J made clear that organizations naturally create defenses against vulnerabilities they have experienced in the past (known vulnerabilities). But as the last several years have shown, and as Log4J spotlighted in particular, new classes of vulnerabilities are continuing to be discovered, including:

  • CPU cache and branch prediction side-channel attacks
  • Supply-chain compromise by attackers
  • Components modified by their authors with political motivations
  • Widely used packages subverted by new maintainers or naive additions

These “novel” security vulnerabilities challenge organizations in several ways. First, the full scope and impact of a novel vulnerability may be unclear or difficult to determine. Second, novel vulnerabilities can require large-scale redeployment of infrastructure and application software. And third, the scale of attacks from novel vulnerabilities can hugely impact customers, making the organization’s response critically urgent.

In the paper Responding to Novel Security Vulnerabilities, authors Randy Shoup, Tapabrata Pal, Michael Nygard, Chris Hill, and Dominica DeGrandis provide leaders with examples and patterns to help create the adaptive capacity needed to prepare for, respond to, and learn from novel security threats. The paper also provides three clear examples of good, okay, and worst responses to Log4J.

Read the full paper here.

Capabilities for Building High-Performing Technology Teams

In 2022, it’s more clear than ever that technology drives value and innovation in every organization, no matter the industry. And with that power and influence, there is more pressure from attackers. How can an organization position itself to respond effectively to these threats?

In this presentation from this week’s DevOps Enterprise Summit-Virtual, Nathen Harvey (Cloud Developer Advocate, Google) and Amanda Lewis (Developer Advocate, Google) used the Log4J experience to shed light on how to transform into a high-performing technology team.

In the first half of the presentation, Harvey and Lewis present a fictionalized story of one company’s response to Log4J. Then, they show how findings from the latest DevOps Research and Assessment (DORA) team can help organizations build high-performing teams that are equipped to adapt to and deal with novel vulnerabilities.

Watch their full presentation here.

Automated Governance at Investments Unlimited

One big step toward fortifying your organization against both known and unknown threats is to bake security and governance into your software development. We have all known for years that waiting until the end of production to review and test software for security vulnerabilities is fraught with issues. The call to “shift left” on security and audit compliance has been heard by many, but few have effectively achieved it.

In the latest novel from IT Revolution, Investments Unlimited, a team of practitioners and thought leaders show how organizations can use automated governance to effectively “shift left” on security, audit, and more, all the while making the lives of developers and operations staff happier.

Log4J was a huge influence on the authors, who were in the middle of writing the manuscript for the book when the vulnerability hit. Their shared experiences of dealing with this and many other security vulnerabilities are all present in the novel.

Learn more about the book and start reading an excerpt here.

SBOMs, Software Supply Chains, and More

Log4J and other novel security vulnerabilities have pushed topics such as SBOMs (software bills of materials), software supply chains, and automated governance to the forefront. Below is a list of several blogs, articles, and papers that cover these topics and are a great resource on your organization’s journey to a more secure future.

About the Authors
IT Revolution

Trusted by technology leaders worldwide. Since publishing The Phoenix Project in 2013, and launching DevOps Enterprise Summit in 2014, we’ve been assembling guidance from industry experts and top practitioners.
