In December of 2021, enterprises once again faced the nightmare of dealing with a critical security vulnerability.
This time it was the Log4j/Log4Shell exposure that surfaced just in time for the holidays. See these posts from the Security Intelligence blog for a closer look at the Log4j/Log4Shell vulnerabilities as they first occurred:
Given how pervasive Log4j is and how frequently it is used by both enterprise apps and cloud services, the inevitable “all hands on deck” prioritization call occurred, refocusing enterprise operations and application development teams to assess whether their applications were impacted, and if so, how to deal with the immediate remediation required.
Be proactive, not reactive
The discovery of vulnerabilities in software — some significant like Log4j and many others less significant — is accelerating. Fortunately, these vulnerabilities are often discovered by so-called “white hat” hackers — individuals or groups who are actively working to break code so that fixes can be written and deployed before they can be exploited.
The Java ecosystem is a particular target for this kind of discovery since Java is so widely used on a global scale. Much of the Java ecosystem relies on open source, which is beneficial for collaboration and innovation, but security does not always enter in as a top concern. Even with security-minded and security-focused contributors, enterprises should anticipate that exploits will be found and that security will be broken. For example, see the various security algorithms like MD5, SHA-1 and SSL-3.0 that are now considered insecure.
In the case of Log4j, which allowed for remote code exploits by providing carefully crafted text, an attacker could easily take over a machine. That, of course, meant rapid evaluation was necessary across enterprise stacks to know if the Log4j was being used directly by their applications or was bundled in software they deployed.
Depending on the tools, data management and inventory tracking in place, this assessment could be nearly instant, or it could take days or even weeks. For some applications teams, this had a temporary stifling impact on forward development as they dealt with the immediate crisis at hand, resulting in potentially significant disruption to business plans. The acceleration in vulnerability discovery is becoming part of the “new normal” and enterprises need to be ready for the next one.
Learning from vulnerabilities and achieving stronger security
By now, many teams are engaged in retrospective activities. This means reflecting on processes and tools to see how they can have a greater degree of certainty in assessing if their applications may have an exposure in the future, dealing with the exposure in an expedited fashion and having the audit traceability that brings peace of mind and surety.
For our WebSphere clients, that surety comes in the form of IBM WebSphere Automation, which was specifically developed with the goal to enable your teams to optimize their operations, respond to incidents efficiently and promote stronger security of their IT estate. WebSphere Automation consolidates critical WebSphere information across environments and deployment types into a single dashboard. It then automatically recognizes relevant CVEs. This will greatly reduce the manual effort required and remove the monotonous tasks of understanding your WebSphere security posture, allowing you to respond to security vulnerabilities faster.
IBM WebSphere Automation in action
Watch this quick demo of how WebSphere Automation detects security vulnerabilities like Log4j and helps in the remediation response and traceability:
Try it for yourself
7-day Hosted Trial
- In-browser trial for WebSphere Automation, hosted in IBM Cloud, no setup required.
- Provided instructions guide the user through the capabilities of WebSphere Automation. Technical skills are not required.
60-day On-Prem Evaluation
- Try WebSphere Automation free for 60 days in your own environment.
- WebSphere Automation includes entitlement for Red Hat OpenShift and all necessary dependencies.