Log4Shell highlights the need for secure digital transformation with observability, vulnerability management

The Log4Shell vulnerability highlighted the importance of developing a secure digital transformation strategy. Modern observability, combined with vulnerability management, helped Avisi keep its customers secure as they digitally transform.

Avisi uses Dynatrace to find vulnerabilities in production.

In December 2021, a security vulnerability known as Log4Shell emerged with force.

It left the applications, systems, and IT infrastructure of millions of organizations open to widespread exploitation. This zero-day vulnerability enables a remote attacker to take control of a device or Internet-based application if the device or app runs certain versions of Log4j 2, a popular Java library.

In the ensuing hours and days, Log4Shell became a showstopper for many organizations, requiring them to take devices and applications offline to prevent malicious attackers from gaining access to networks and sensitive data.

For Avisi, a software development and cloud services company in the Netherlands, its Log4Shell response was immediate and automatic.

When Avisi’s IT team first learned about Log4Shell from a CVE RSS feed on December 10, Jeroen Veldhorst, Avisi’s chief technology officer, immediately consulted their Dynatrace dashboards.

“Dynatrace gave us an overview of all the places where we used Log4j 2 and might be vulnerable,” Veldhorst said. With Dynatrace Application Security, the Avisi team resolved Log4Shell on all their systems before they went home that night, and no one worked over the weekend.

Ultimately, this precise observability into affected systems enabled Avisi and its customers to pursue secure digital transformation, innovating quickly without sacrificing software quality and security.

Log4Shell: What’s at stake for Avisi and its customers

Avisi presides over a complex and highly changeable cloud environment for itself and its customers. It operates 55 Kubernetes clusters for large corporate and public-sector clients, with as many as 600 applications running on top of each cluster.

Many of Avisi’s customers develop custom applications for their industries, including financial services, transportation, and healthcare. The applications include custom code and, in some cases, sensitive data. When Log4Shell emerged, it put that data at risk.

As a service provider, Avisi is also subject to compliance with regulations such as the General Data Protection Regulation, or GDPR. Some of Avisi’s customers, such as those in the financial industry, “are quite strict on all the processes,” Veldhorst says. “They need certification that risks are mitigated as soon as possible, so they can trust the system.”

How Dynatrace Application Security changed the game for Avisi’s Log4Shell response

Like most technology organizations, Veldhorst’s team used to spend a lot of time manually tracking vulnerabilities with numerous lists, tools, and scans. “If you have to identify a vulnerability manually, you have to know all the components it consists of and what other kinds of attack factors are there,” Veldhorst says.

The Avisi team’s experience aligns with data from recent Dynatrace research that has found nearly 60% of organizations spend the largest amount of time “ensuring security vulnerabilities are detected and eliminated quickly.” While many scanning tools and manual methods are effective, they are designed to detect vulnerabilities earlier in the lifecycle. For existing code already in production, this approach could not detect whether newly published vulnerabilities were exposed.

Unlike a traditional approach, Dynatrace automatically identified the Log4Shell-vulnerable systems in Avisi’s production environment and provided Veldhorst’s team with a prioritized list of systems to remediate first.

“Since Dynatrace scans our platform continuously, it could tell us if there was a vulnerability [in production],” Veldhorst said.

Code-level visibility shows what matters—and what can wait

Veldhorst noted that it can be difficult to identify whether a vulnerable component is truly in use in the environment. Prior to turning to a modern observability approach, the team would waste precious time fixing low-priority instances, even where the affected library was used only for testing and not in production.

However, because of its code-level visibility, Dynatrace revealed where Avisi’s systems used the Log4j 2 application programming interfaces and code, indicating which systems required immediate attention. In some cases, “Dynatrace let us know [Log4j 2] was in there, but that it wasn’t a priority issue,” Veldhorst said.

As a result, what would have taken days, weeks, or even months to address using traditional methods, Veldhorst’s team resolved in hours with no costly fallout or follow-up. For their regulation-bound clients, Veldhorst used Dynatrace dashboards to demonstrate they had no Log4Shell-vulnerable systems.

“Dynatrace helps us to be in control and to know we’re secure while not having to spend a ton of money and effort to achieve this control,” Veldhorst said. This level of control fits with Avisi’s philosophy of embracing change.

Secure digital transformation: Embracing change

Avisi’s services benefit its customers that are on the road to secure digital transformation and use cloud-native technologies to get there. These organizations have come to recognize that they need to keep pace with innovation cycles that have sped up. At the same time, they don’t want to sacrifice software quality or security.

Avisi’s customers “want to iterate as fast as possible and change the software as quickly as possible,” Veldhorst says. “[Even while they are] changing they want everything to perform perfectly. That’s why we developed our Avisi managed environment using Dynatrace for performance monitoring and application security.”

Veldhorst notes that some companies mistakenly equate security with not changing. “We are change-driven, not state-driven,” he says. “Companies sometimes think, ‘We are going to fix this, put it in production and hope it won’t change for the next three years.’ But if you don’t change, that is the biggest risk of all.”

Companies must embrace the notion that digital transformation is not just about moving faster or digitizing paper-based or otherwise manual processes. Rather, digital transformation is about embracing the reality that change is the new constant in today’s business landscape. Shoring up systems against performance problems and security vulnerabilities requires embracing dynamism rather than expecting things to stay the same.

Having an observability platform that can capture this dynamism and respond intelligently to changing states in real time is now key to success in an ever-changing landscape. This puts IT teams—whether infrastructure, development, operations or DevOps—on the frontlines of ensuring business success.

For more about how Dynatrace helps organizations address Log4Shell, check out the Dynatrace Log4Shell resource center.