19 September 2025
A collaboration between software researcher Nkiru Ede and illustrator Jean Donaldson. Edited by Jonathan Burgess.
December 2021 was a busy month for security teams around the world. A zero-day vulnerability in Log4j, a seemingly harmless Java logging framework, rocked the digital world in early December 2021. It all began quietly, just as the world was preparing for the holiday season. On Thursday 9 December, security researchers at Alibaba’s cloud security team discovered and privately disclosed the flaw to the Apache Software Foundation, the maintainers of Log4j.
Before the December 2021 incident, Log4j seemed like just another helper. But buried inside was a serious flaw. This vulnerability, which came to be known as Log4Shell, gave attackers an open door. All it took was a single, specially crafted message, and hackers could take complete control of the affected system remotely, silently, and instantly. No passwords were needed. No firewall needed to be breached. Just one well-placed message, and the attacker was in.
To understand why this was such a big deal, it’s worth knowing a bit about Java. Java is one of the most widely used programming languages in the world. It is the backbone of many modern digital services. It is used to build many things, from Android apps to popular games like Minecraft and massive enterprise systems like Netflix, Amazon, LinkedIn, Spotify and Uber.
Thanks to open-source software development, developers building Java applications rarely write every piece from scratch. Instead, they rely on prebuilt, reusable bits of code like Log4j that are then plugged into larger systems. Log4j keeps records and logs messages behind the scenes to help developers monitor software behaviour. It is widely used in millions of applications across the world.
The consequences were immediate and global. Tech giants like Amazon, Apple, and Google raced to patch their systems. Smaller companies, lacking the same resources, were left scrambling. Governments, including the United States and Germany, called emergency meetings and issued cybersecurity warnings. In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive, ordering federal agencies to urgently identify and fix any affected systems.
But the real panic wasn’t just about how dangerous the vulnerability was; it was about how invisible Log4j had become. Because Log4j was often included indirectly, buried under layers of third-party software and open-source packages, many organizations didn’t even know they were using it. In some cases, a single product might include dozens of other packages, each of which could bring Log4j along for the ride without explicitly stating it. This made identifying and removing the vulnerability like looking for a needle in a digital haystack.
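As an added example (not part of the original article), this Python script shows the kind of inventory check that the "needle in a digital haystack" problem calls for: it walks a JAR and every JAR packaged inside it and reports any copy of log4j-core by the Maven metadata file the build tool places in the artifact. The three-layer sample application and its version string are constructed placeholders, not real artefacts.

```python
"""Walk a JAR, and every JAR nested inside it, looking for log4j-core."""
import io
import zipfile

# Maven writes this file into every artifact it builds; the group and
# artifact ids identify log4j-core however deeply the JAR is nested.
LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED_ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def find_log4j_core(archive_bytes, location="root.jar"):
    """Return (nested location, version) for each log4j-core found, recursing
    into archives packaged inside archives, which is how a product can carry
    Log4j without any of its direct dependencies naming it."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return hits  # not an archive: nothing to inspect
    with zf:
        for name in zf.namelist():
            if name == LOG4J_CORE_POM:
                props = zf.read(name).decode("utf-8", errors="replace")
                version = next((line.split("=", 1)[1].strip()
                                for line in props.splitlines()
                                if line.startswith("version=")), "unknown")
                hits.append((location, version))
            elif name.lower().endswith(NESTED_ARCHIVE_SUFFIXES):
                hits.extend(find_log4j_core(zf.read(name), f"{location}!/{name}"))
    return hits


def _make_jar(entries):
    """Build an in-memory JAR from a {path: bytes} mapping (fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


def build_sample_app():
    """Constructed sample: app.jar -> lib/vendor-sdk.jar -> lib/log4j-core.jar.
    The version string is a placeholder, not a real Log4j release."""
    log4j = _make_jar({LOG4J_CORE_POM: b"version=0.0.0-EXAMPLE\n"})
    sdk = _make_jar({"com/example/Sdk.class": b"\xca\xfe\xba\xbe",
                     "lib/log4j-core.jar": log4j})
    return _make_jar({"com/example/App.class": b"\xca\xfe\xba\xbe",
                      "lib/vendor-sdk.jar": sdk})
```

Builds that repackage Log4j's classes without their Maven metadata will not be caught by this check, so an empty result means "not found", not "not present".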
This incident wasn’t just a wake-up call about a single piece of software. It exposed a deeper issue: our digital world is built on a complex, interconnected web of software components, often shared, reused, and layered on top of one another across thousands of systems.
We often think of software as something abstract and automated, but more often than not, every line of code was written by a human being, reviewed by a human being, and maintained (or abandoned) by a human being. These human decisions and constraints shape the software that powers everything from your mobile banking app to the cloud servers behind your favourite streaming platform. And this isn’t just about developers or tech companies.
We are all part of this ecosystem, whether we realize it or not. As users, we benefit from the speed, convenience, and interconnectedness that modern software enables. And just like in natural ecosystems, this interdependence can be a strength, but it also introduces fragility. When one critical piece breaks, the ripple effects can be enormous. Log4Shell showed how a vulnerability in a single component, maintained by a small group of unpaid volunteers, could cascade into a global security crisis.
I like to think of a software ecosystem as a network of interconnected software packages within a shared environment where mutually beneficial interactions facilitate the exchange of resources. These interactions stimulate developers’ activity and trigger the wider adoption of their individual contributions.
The software ecosystem is a complex system, and this complexity is a byproduct of evolution, collaboration and innovation. Understanding how these ecosystems grow, evolve, and adapt is crucial for building robust and sustainable systems – and avoiding serious consequences like the Log4Shell incident.
Nkiru has been exploring the ecosystem of software as a PhD candidate on Te Pūnaha Matatini’s Networks of knowledge sharing project.
Jean Donaldson is a designer and illustrator who works with Toi Āria: Design for Public Good. She is based in Te Whanganui-a-Tara. You can see more of her work at https://jeanmanudesign.com/.
Jonathan Burgess is an award-winning communications specialist who specialises in translating technical detail for a general audience.