
What do Log4Shell and a Global Pandemic Have in Common?

A big challenge of being a software professional is effectively communicating complicated concepts in a way that your audience can understand — whether it be the junior engineer on your team, a developer community, or management. Albert Einstein said it best:

“If you can’t explain it simply, you don’t understand it well enough.”

When Log4Shell broke the internet last December, the impact was such that coverage spread beyond the tech industry into the mainstream media. It was discussed by major news outlets like The Wall Street Journal, resulting in our non-technical friends and family members asking us to help them understand what was going on.

In an attempt to explain the impact of Log4Shell in simpler terms, we compared the chaos that ensued in the Java community to our own experience planning a wedding during a pandemic. Both in wedding planning and in the software industry, it’s not uncommon to find organizations planning only for the happy path or default scenario. This blue-skies-only mindset left unprepared brides and software organizations alike stranded in a hurricane when something inevitably went terribly wrong.

There are many lessons to be learned from the Log4Shell vulnerability. One major lesson is the dire need for open source dependency management within the tech industry. Open source components make up a staggering 90% of modern application dependencies. The complexity is such that it is a nontrivial amount of work for software organizations to understand and keep track of their third-party dependencies. Despite the amount of education and buzz around this CVE, nearly a year later 30-35% of users are still downloading versions critically vulnerable to Log4Shell.

Due to its complexity, even technical professionals may not accurately grasp the gravity of the situation we are in as an industry when (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Theresa Mammarella. Read the original post at: https://blog.sonatype.com/log4shell-and-a-global-pandemic-have-in-common
