When a vast number of systems around the world were impacted early Friday morning by Log4j, a critical open-source vulnerability, PTC was able to keep its SaaS customers safe. Within just three hours, we mitigated that high-severity issue for every customer using products that run on our SaaS platform, Atlas.
A Guest Expert Commentary: Steve Dertien, EVP Chief Technology Officer, PTC
Our tight response time was possible because, in the world of SaaS delivery, everything is highly automated and built to scale simply. Software is updated with no effort on the part of the user. This also means that when critical security or software issues are found, no manual intervention is required at the customer site.
Specifically, PTC engineers discovered the Log4j 2 vulnerability issue at 3:22 a.m. EST and by 5:30 a.m. EST, the remediation had been pushed to our SaaS platform, Atlas. By 9:27 a.m. EST, the Onshape team had surveyed their entire service and were confident there were no exploitable vulnerabilities and no risk to customer data.
The entire update was completed before the official CVE (Common Vulnerabilities and Exposures) statement was posted around 10:00 a.m. EST.
After completing the update, we began analyzing our systems to determine whether they had been successfully exploited before the remediation. We found no evidence of any successful exploitation, but plenty of telemetry showing the growth of interest in exploiting the vulnerability.
Meanwhile, the rest of the world is left to resolve hundreds or thousands of systems on their own, most often manually, one at a time. In a crisis such as the sudden onslaught of the Log4j 2 vulnerability, that's an eternity, and you can only surmise that the opportunity to attack through a backdoor has already been seized.