• Thunder Technologies

Minimize Vulnerabilities with Serverless

We don’t customarily post during the holiday season but this is one of the simplest yet most important articles to date.

As I’m sure you are aware, critical vulnerabilities were found in Apache Log4j (CVE-2021–44228, CVE-2021–45046, CVE-2021–4104), perhaps the most widely used logging facility for enterprise software. What is our approach to addressing this vulnerability in our product Thunder for EC2 Serverless?

Nothing. We don’t use it. Amount of time and effort we spend dealing with it: zero. Merry Christmas.

Our product uses as much cloud-native infrastructure as possible, including logging through AWS CloudWatch logging. This means any logging issues are Amazon’s responsibilities. AWS either doesn’t use Log4j in CloudWatch (which is the case), or if they did they are highly motivated to fix the issue rapidly given their vast customer base and the potential security and reputation damage any delay would cause.

In a previous post I argued that perhaps the most significant benefit to going serverless is not the cost reduction, but the minimization of our ownership of attack surfaces, and the cost in both time and resources in constantly defending those surfaces. By outsourcing any infrastructure that is not core to our solution, we put most of the security headaches in the hands of our most trusted and resource-rich partner: AWS itself.

Attack threats are obvious in internet-facing solutions like openssl, but log4j? Log-4-freaking-j? If anything this highlights that attack surfaces are everywhere.

As an enterprise software consumer you have to worry about the vulnerabilities in your purchased solutions and if your vendor not only has taken the appropriate steps to minimize them, but in this case to fix new ones as they are revealed.

By purchasing a serverless solution you not only minimize the cost and complexity of your solution, you also arguably minimize the security concerns. For that reason alone, what are you waiting for in order to go serverless?

For more information on our serverless-based solution for business continuity in the AWS cloud check out a brief video and hands-on demo or contact us at

7 views0 comments

Recent Posts

See All