What do Log4Shell and a Global Pandemic Have in Common?

November 15, 2022 By Theresa Mammarella

4 minute read time

A big challenge of being a software professional is effectively communicating complicated concepts in a way that your audience can understand — whether it be the junior engineer on your team, a developer community, or management. Albert Einstein said it best:

“If you can't explain it simply, you don't understand it well enough.”

When Log4Shell broke the internet last December, the impact was such that the media surpassed the tech industry. It was discussed by major news outlets like The Wall Street Journal resulting in our non-technical friends and family members asking us to help them understand what was going on.

In an attempt to explain the impact of Log4Shell in simpler terms, we were able to compare the chaos that ensued in the Java community by relating it to our own experience planning a wedding during a pandemic. Both in wedding planning and in the software industry, it's not uncommon to find organizations planning only for the happy path or default scenario behavior. This blue skies only mindset led to unprepared brides and software organizations alike left in a hurricane when something inevitably went terribly wrong.

There are many lessons to be learned from the Log4Shell vulnerability. One major lesson is the dire need for open source dependency management within the tech industry. Open source components make up a staggering 90% of modern application dependencies. The complexity is such that it is a nontrivial amount of work for software organizations to understand and keep track of their third party dependencies. Because despite the amount of education and buzz around this CVE, nearly a year later 30-35% of Log4Shell users are still downloading critically vulnerable versions.

Due to its complexity, even technical professionals may not accurately grasp the gravitas of the situation we are in as an industry when it comes to the amount of risk associated with poor dependency management. The story of the unprepared pandemic bride is useful to explain this complicated issue in a simpler way.

The Story Of The Unprepared Pandemic Bride

Imagine you’re recently engaged to the person of your dreams and you’re excitedly planning a wedding together. Consider two scenarios:

Kadi (aka the happy path approach):

I was two months away from pulling off the perfect wedding, when all of a sudden the unthinkable happens: a global pandemic shuts down the world and my venue cancels the event I just spent a year planning. Cue emotional devastation and thousands of dollars lost in catering and venue deposits. My fiance and I were left with a wheel of different emotions, completely burnt out and picking up the pieces of our wedding to put it on again a year later.

Theresa (aka dependency management champion):

About a month after my engagement, I witnessed unsuspecting brides like Kadi facing tough decisions with their weddings being canceled. While I hoped the world would be long past the pandemic by the time my wedding rolled around, I knew I needed to be prepared for the worst. I carefully signed contracts only with vendors who were fully refundable and ready to work with me through any unexpected event.

When we were faced with hard decisions around restrictions again the following spring, we were able to reschedule the event to the following year pretty painlessly with the help of our reliable and trusted vendors.

Kadi’s approach to wedding planning and damage control is not unlike the approach that real software organizations last year dealt with when faced with vulnerability remediation. For Kadi, the events that led to postponing her wedding really were unprecedented. However, when it comes to software vulnerabilities, organizations should plan to patch vulnerable third party dependencies regularly, and not just for critical CVEs like Log4Shell.

Building a great software application, just like life and wedding planning, can and will always be messy. But the thing about planning a wedding is that at some point, there will (usually) be a happy ending. We were both lucky to have wonderful weddings despite facing some hurdles in the process. For software, when it comes to cybersecurity there is no happy ending in sight. Over the last three years there has been a 742% average annual increase in supply chain attacks, indicating that bad actors are not slowing down.

How are you preparing to face the next critical CVE? We talk about all this and how organizations should position themselves to get ready in our talk Expect The Unexpected: How To Choose Reliable Open Source Dependencies from Devoxx Belgium 2022.’

 

 

This piece was written as a partnership between Kadi Grigg and Theresa Mammarella.

Tags: AppSec, devsecops, Post security/devsecops, Log4j, DevZone

Written by Theresa Mammarella

Theresa (she/her) is a developer advocate and open source contributor for Java runtimes and compiler projects.