History & Case Studies
Heartbleed, Log4Shell, XZ Utils — landmark events revisited for the lessons that still apply today.
Heartbleed (CVE-2014-0160) — when memory leaked from the foundation of encrypted traffic
OpenSSL's memory over-read could leak private keys and session data. The cause: the server trusted the length claimed in the request and read adjacent memory to fill the reply. The lesson: act as if everything in process memory leaked — re-issue certificates, rotate all secrets — and remember how much rests on foundational software and on memory safety.
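The "trusted a claimed length" defect in one picture, as an added example in C that is not OpenSSL code: a heartbeat-style record carries a sender-chosen payload length, and the only difference between the two reply functions is whether that length is checked against the bytes that actually arrived. The record layout and the build_record helper are constructed for this illustration, modelled loosely on the TLS heartbeat message.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed layout, loosely modelled on a TLS heartbeat message:
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 * The sender chooses payload_length; the receiver must not trust it. */
#define HB_HDR     3
#define HB_PADDING 16

static uint16_t claimed_len(const uint8_t *rec)
{
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Vulnerable shape: the echo length comes straight from the peer, so a
 * short record with a large claimed length copies memory past the record.
 * Kept only for contrast with the checked version below; never called. */
int heartbeat_reply_unchecked(const uint8_t *rec, uint8_t *out)
{
    uint16_t n = claimed_len(rec);
    memcpy(out, rec + HB_HDR, n);   /* over-read when n > real payload */
    return n;
}

/* Hardened shape: the claimed length must be backed by the bytes that
 * really arrived (header + payload + padding) and fit the output buffer.
 * Returns the echoed length, or -1 to drop the message silently. */
int heartbeat_reply_checked(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR) return -1;                 /* header truncated */
    uint16_t n = claimed_len(rec);
    if ((size_t)HB_HDR + n + HB_PADDING > rec_len) return -1;   /* the fix */
    if (n > out_cap) return -1;
    memcpy(out, rec + HB_HDR, n);
    return (int)n;
}

/* Builds a constructed record whose claimed length may disagree with the
 * real payload length. Returns total record size, or 0 if buf is too small. */
size_t build_record(uint8_t *buf, size_t cap, uint16_t claimed,
                    const uint8_t *payload, size_t payload_len)
{
    size_t total = HB_HDR + payload_len + HB_PADDING;
    if (total > cap) return 0;
    buf[0] = 1;                                      /* heartbeat request */
    buf[1] = (uint8_t)(claimed >> 8);
    buf[2] = (uint8_t)(claimed & 0xff);
    memcpy(buf + HB_HDR, payload, payload_len);
    memset(buf + HB_HDR + payload_len, 0, HB_PADDING);
    return total;
}
```

A record claiming 65535 bytes while carrying five is exactly the shape the checked function rejects and the unchecked one would echo from adjacent memory.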
Log4Shell (CVE-2021-44228) — the night the world feared a bug it couldn't even confirm it had
Log4j's CVSS 10.0 bug. The real fear was the transitive dependency — being affected through a library you didn't know you used. A passive logging path became an attack vector. SBOMs, machine monitoring, fast patching, and tracking the follow-up CVEs are the lessons.
The XZ Utils backdoor (CVE-2024-3094) — when trust itself was the target
A trusted maintainer planted a backdoor in xz — a supply-chain attack. One engineer's 'this feels slow' caught it just before it reached stable distributions. Code wasn't the target — people and trust were. Minimize dependencies, pin versions, build reproducibly, chase anomalies, and support maintainers.