January 27, 2022 By Shane O'Rourke 3 min read

In December of 2021, enterprises once again faced the nightmare of dealing with a critical security vulnerability.

This time it was the Log4j/Log4Shell exposure that surfaced just in time for the holidays. See these posts from the Security Intelligence blog for a closer look at the Log4j/Log4Shell vulnerabilities as they first occurred:

Given how pervasive Log4j is and how frequently it is used by both enterprise apps and cloud services, the inevitable “all hands on deck” prioritization call occurred, refocusing enterprise operations and application development teams to assess whether their applications were impacted, and if so, how to deal with the immediate remediation required.

Be proactive, not reactive

The discovery of vulnerabilities in software — some significant like Log4j and many others less significant — is accelerating. Fortunately, these vulnerabilities are often discovered by so-called “white hat” hackers — individuals or groups who are actively working to break code so that fixes can be written and deployed before they can be exploited. 

The Java ecosystem is a particular target for this kind of discovery since Java is so widely used on a global scale. Much of the Java ecosystem relies on open source, which is beneficial for collaboration and innovation, but security does not always enter in as a top concern. Even with security-minded and security-focused contributors, enterprises should anticipate that exploits will be found and that security will be broken. For example, see the various security algorithms like MD5, SHA-1 and SSL-3.0 that are now considered insecure.

In the case of Log4j, which allowed for remote code exploits by providing carefully crafted text, an attacker could easily take over a machine. That, of course, meant rapid evaluation was necessary across enterprise stacks to know if the Log4j was being used directly by their applications or was bundled in software they deployed. 

Depending on the tools, data management and inventory tracking in place, this assessment could be nearly instant, or it could take days or even weeks. For some applications teams, this had a temporary stifling impact on forward development as they dealt with the immediate crisis at hand, resulting in potentially significant disruption to business plans. The acceleration in vulnerability discovery is becoming part of the “new normal” and enterprises need to be ready for the next one. 

Learning from vulnerabilities and achieving stronger security

By now, many teams are engaged in retrospective activities. This means reflecting on processes and tools to see how they can have a greater degree of certainty in assessing if their applications may have an exposure in the future, dealing with the exposure in an expedited fashion and having the audit traceability that brings peace of mind and surety.  

For our WebSphere clients, that surety comes in the form of IBM WebSphere Automation, which was specifically developed with the goal to enable your teams to optimize their operations, respond to incidents efficiently and promote stronger security of their IT estate. WebSphere Automation consolidates critical WebSphere information across environments and deployment types into a single dashboard. It then automatically recognizes relevant CVEs. This will greatly reduce the manual effort required and remove the monotonous tasks of understanding your WebSphere security posture, allowing you to respond to security vulnerabilities faster.

IBM WebSphere Automation in action

Watch this quick demo of how WebSphere Automation detects security vulnerabilities like Log4j and helps in the remediation response and traceability:

Try it for yourself

7-day Hosted Trial

  • In-browser trial for WebSphere Automation, hosted in IBM Cloud, no setup required.
  • Provided instructions guide the user through the capabilities of WebSphere Automation. Technical skills are not required.

60-day On-Prem Evaluation

  • Try WebSphere Automation free for 60 days in your own environment.
  • WebSphere Automation includes entitlement for Red Hat OpenShift and all necessary dependencies.
Was this article helpful?

More from Cloud

Enhance your data security posture with a no-code approach to application-level encryption

4 min read - Data is the lifeblood of every organization. As your organization’s data footprint expands across the clouds and between your own business lines to drive value, it is essential to secure data at all stages of the cloud adoption and throughout the data lifecycle. While there are different mechanisms available to encrypt data throughout its lifecycle (in transit, at rest and in use), application-level encryption (ALE) provides an additional layer of protection by encrypting data at its source. ALE can enhance…

Attention new clients: exciting financial incentives for VMware Cloud Foundation on IBM Cloud

4 min read - New client specials: Get up to 50% off when you commit to a 1- or 3-year term contract on new VCF-as-a-Service offerings, plus an additional value of up to USD 200K in credits through 30 June 2025 when you migrate your VMware workloads to IBM Cloud®.1 Low starting prices: On-demand VCF-as-a-Service deployments begin under USD 200 per month.2 The IBM Cloud benefit: See the potential for a 201%3 return on investment (ROI) over 3 years with reduced downtime, cost and…

The history of the central processing unit (CPU)

10 min read - The central processing unit (CPU) is the computer’s brain. It handles the assignment and processing of tasks, in addition to functions that make a computer run. There’s no way to overstate the importance of the CPU to computing. Virtually all computer systems contain, at the least, some type of basic CPU. Regardless of whether they’re used in personal computers (PCs), laptops, tablets, smartphones or even in supercomputers whose output is so strong it must be measured in floating-point operations per…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters