Just in time for the holiday season, when bad actors are generally most active, industry experts discovered a critical security flaw that shook the community. A new vulnerability that impacts devices and applications that utilize Java was identified in Log4j, the open-source Apache logging library. Known as Log4Shell, the flaw is considered to be one of the most significant security vulnerabilities ever detected.
In this post, we explain Log4Shell, and how the iTMethods team was able to proactively respond to the vulnerability and keep customers secure.
What is Log4Shell and who was affected by it?
Log4Shell allows attackers to execute malicious code remotely on a target computer. This means bad actors can easily steal data, install malware, or simply take control of a system via the Internet.
Given that the use of Log4j is so ubiquitous around the world, the impact was broad and had the potential to affect everybody. Log4j is embedded into so many things that you may not even know you are using it, because it is packaged as part of some other application. This meant companies of all sizes across all industries were affected.
How did iTMethods become aware of this vulnerability?
iTMethods works closely with different security partners and continually monitors multiple online security feeds. As soon as our team became aware of the vulnerability, we immediately assessed the risk and impact across our customers and the tools running within our Platform.
What actions did iTMethods take to prevent critical data from being compromised and keep customers secure?
We went through our standard incident response process. Communication with our vendor partners was essential in determining whether our customers were at risk. Since the threat was new, some of our vendors were still investigating to find out if they were vulnerable. To safeguard our clients, we acted immediately by applying mitigation procedures wherever we could.
Our team performed a detailed analysis of all tools running on our Platform across all customers to assess the risk and impact of this vulnerability. We deployed security patches if available, implemented workarounds to mitigate the risk, and in some limited cases, in consultation with our customers, we temporarily shut down certain tools until patches were available.
We were in constant communication with our software vendor partners and kept our customers informed of the latest status and patches/workarounds that were available to mitigate or reduce the risk. Our focus was on securing their tools, which freed our customers up to focus on patching their applications, which may also have been vulnerable to Log4Shell.
If a company did not have the support of iTMethods, how would they be able to respond to this type of threat?
The Log4j vulnerability exposed several shortcomings for many organizations. If you do not have dedicated experts to detect, mitigate and resolve cybersecurity issues, you are leaving your organization vulnerable to potential threats.
iTMethods’ proactive, customer-centric approach allowed us to quickly identify, mitigate, and resolve any potential vulnerabilities. Our team of experts was in constant communication with our customers to ensure the safety of their systems, giving them the peace of mind needed to focus on their internal applications.
Organizations that don’t have their tools hosted on our Managed DevOps SaaS Platform would need to reallocate resources from various departments to deal with this issue, taking them away from their core business needs.
What makes the iTMethods DevOps SaaS platform so secure?
For highly regulated customers, iTMethods provides a fully private deployment of the DevOps SaaS Platform that is only accessible through private connections. This deployment model, combined with other security controls related to authentication and authorization, provides greater security around access control.
Observability is built into each customer deployment on the iTMethods Platform to meet and exceed enterprise security standards. iTMethods brings years of experience as a Managed Service Provider (MSP) and a decade’s specialization as a Cloud-Native company providing a fully Managed DevOps SaaS Platform. Given the pressing need for security and controls in DevOps products, our platform embeds security and governance from the ground up for your organization’s entire toolchain. We provide Single-Tenant hosting and our Transit Hub hybrid connectivity service allows seamless integration to your networks while complying with multi-cloud and on-premises security controls.
Our managed security and governance services are SOC2 Type 2 compliant and designed to help organizations effectively navigate both internal and industry compliance requirements. We work in close partnership with our customers' IT and product teams to help them focus on building and deploying applications faster, rather than managing the underlying infrastructure.
Is Log4Shell still a big threat?
For those companies who have not applied a patch for Log4Shell, the risk is high. To protect their systems, enterprises need to patch them as soon as possible. Organizations with patched systems still need to monitor their environments and make sure the patches are up to date.
That is why the development of a DevSecOps culture is critical these days for securing environments. Adding security tools from vendors like Sonatype and others that can scan client repositories for affected libraries and identify vulnerabilities like Log4Shell has now become a mandatory measure to protect against the continuous onslaught of security threats.
In conclusion, there will be more cybersecurity threats in the future. Having the security processes and tools in place is only the first step to avoid being exposed to any new risks.
DevOps tools are critical software factory assets with direct access to the code an organization runs, for both internal and external-facing applications. Vulnerabilities that allow a remote attacker to take control of a device on the internet can be devastating to a company, leading to enormous financial losses, fines, and even reputational damage. Yet with dozens of different tools, each with a different update schedule and different security best practices, most organizations cannot confidently say that their DevOps tools are secured.
iTMethods is helping companies across the world by securing their DevOps Toolchain in the cloud. This allows them to focus on their core business, not their DevOps Tools.
To learn more about how iTMethods can help keep your Toolchain secure, contact us today, or read our recent whitepaper where we explain how we are solving the biggest toolchain challenges that organizations are facing today.
iTMethods helps companies accelerate software delivery capabilities through their Cloud-native DevOps SaaS Platform. The Enterprise SaaS offering features a toolchain catalog comprised of best-of-breed DevOps tools including CloudBees, Jenkins, GitHub, GitLab, Atlassian, Sonatype, and many more. These tools are deployed to each customer’s specific requirements, including security, scalability, and 24/7 customer support.