Struts2 Vulnerability Cracks Equifax

Four days ago, we saw a critical vulnerability in Struts2 that leaves web applications open to remote code execution, giving an attacker direct access to sensitive customer data. Early the next morning, a second severe Struts2 zero-day appeared.

Then on Thursday, we heard that 143 million consumer records had been stolen from Equifax, with the Struts2 vulnerability reported as the point of entry.

Organizations like Equifax are continuously deciding where and how to invest in cybersecurity based on a cost-benefit assessment, but ultimately they are responsible for the security of their data and systems. Companies that reap the productivity benefits of using open source components in their development cannot blindly ignore the security defects that plague some of those components.

In our State of the Software Supply Chain (July 2017) report, we declared, "in the modern economy if you're not innovating fast enough, you'll get run over by someone else who is." By the same token, organizations that do not modernize their security posture to keep pace with their ever-accelerating development practices will have their defenses cracked. Such was the case with Equifax.

Software developers and corporate CEOs are both allergic to waste and prefer to invest their time in innovation. Given the choice between spending 15 hours building something from scratch and 15 minutes polishing a piece of code from the community, both the developer and the CEO almost always choose open source.

It used to be true that if a particular piece of software was exposed to a large enough community of developers, problems would be identified easily and fixed quickly, and velocity was maintained. This simple idea is why open source components often led to higher quality software applications, and why organizations such as Equifax readily embraced them.

While the warning signs of relying on known vulnerable open source components have been posted for years, too many organizations still rely on antiquated, difficult-to-defend, manual governance of their software supply chains. Today, more vigilance is required. We can't simply brush off this latest breach as "just another hack." It is time to take responsibility for modernizing and automating our software supply chain defenses, to ensure a more secure future for all of us.

Note: Any readers wishing to analyze their applications for known vulnerable open source components have access to Sonatype's free OSS Software Bill of Materials service. Analysis of applications takes just a few seconds. For those readers who have Sonatype Lifecycle or Sonatype Repository Firewall products, Struts2 defect updates and remediation path guidance for the latest vulnerabilities were available on September 5th.
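The check the note above describes, flagging a known-vulnerable open source component before it ships, is simple enough to automate in a build. The following is an added example written for this page; it is not code from Sonatype's service or from the original post. It reads the `<dependencies>` of a Maven `pom.xml`, resolves `${property}` version references, and compares each tracked Struts2 artifact against the first fixed release on its branch. The fixed-version table and the sample `pom.xml` are constructed for illustration (take the real fixed versions from the vendor advisory for the CVE you are tracking), and a dependency whose version is inherited from a parent POM or BOM is reported as unresolved rather than silently passed, since this script does not compute the effective POM.

```python
"""Flag known-vulnerable Struts2 dependencies declared in a Maven pom.xml.

Added example for this page; not Sonatype's or the page author's code.
"""
import re
import xml.etree.ElementTree as ET

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Illustrative advisory table (an assumption for this example, not data from the
# page): for each artifact, the first release on each branch that carries the fix.
# Populate it from the vendor advisory for the vulnerability you are tracking.
FIXED_VERSIONS = {
    ("org.apache.struts", "struts2-core"): ["2.3.34", "2.5.13"],
    ("org.apache.struts", "struts2-rest-plugin"): ["2.3.34", "2.5.13"],
}


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); a trailing qualifier such as '-SNAPSHOT' is dropped."""
    core = text.split("-", 1)[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def is_fixed(version, fixed_versions):
    """True if `version` is at or past the fixed release on its own branch, or on a
    newer branch than any listed fix. Unlisted older branches are treated as vulnerable."""
    v = parse_version(version)
    fixed = sorted(parse_version(f) for f in fixed_versions)
    for f in fixed:
        if v[:2] == f[:2]:          # same major.minor branch: plain tuple comparison
            return v >= f
    return v[:2] > fixed[-1][:2]    # no fix listed for this branch


def _resolve(value, properties):
    """Expand ${prop} references against <properties>; unknown names are left as-is."""
    if value is None:
        return None
    return re.sub(r"\$\{([^}]+)\}", lambda m: properties.get(m.group(1), m.group(0)), value)


def parse_pom_dependencies(pom_xml):
    """Return [(groupId, artifactId, version-or-None)] for every <dependency> in the pom,
    including entries under <dependencyManagement>."""
    root = ET.fromstring(pom_xml)
    properties = {
        p.tag.split("}", 1)[-1]: (p.text or "").strip()
        for p in root.findall("m:properties/*", MAVEN_NS)
    }
    project_version = root.findtext("m:version", namespaces=MAVEN_NS)
    if project_version:
        properties.setdefault("project.version", project_version.strip())
    deps = []
    for dep in root.iter("{%s}dependency" % MAVEN_NS["m"]):
        group = dep.findtext("m:groupId", namespaces=MAVEN_NS)
        artifact = dep.findtext("m:artifactId", namespaces=MAVEN_NS)
        version = _resolve(dep.findtext("m:version", namespaces=MAVEN_NS), properties)
        deps.append((group.strip(), artifact.strip(), version.strip() if version else None))
    return deps


def find_vulnerable(pom_xml, fixed_versions=FIXED_VERSIONS):
    """Return (vulnerable, unresolved): tracked artifacts below the fixed release, and
    tracked artifacts whose version this pom alone does not determine."""
    vulnerable, unresolved = [], []
    for group, artifact, version in parse_pom_dependencies(pom_xml):
        fixes = fixed_versions.get((group, artifact))
        if fixes is None:
            continue                                   # not an artifact we track
        if version is None or "${" in version:
            unresolved.append((group, artifact, version))   # inherited from parent/BOM
        elif not is_fixed(version, fixes):
            vulnerable.append((group, artifact, version))
    return vulnerable, unresolved


# Constructed sample pom.xml: a property-driven Struts2 version and one plugin
# whose version is managed elsewhere.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>customer-portal</artifactId>
  <version>1.0.0</version>
  <properties>
    <struts.version>2.5.10.1</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
    </dependency>
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <version>23.0</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    vuln, unres = find_vulnerable(SAMPLE_POM)
    for g, a, v in vuln:
        print("VULNERABLE  %s:%s:%s" % (g, a, v))
    for g, a, v in unres:
        print("UNRESOLVED  %s:%s (version not declared here; check the effective pom)" % (g, a))
```

Run it on a real project with `mvn help:effective-pom` output rather than the raw `pom.xml` to fold in versions inherited from parents and BOMs; the unresolved list exists precisely so that a missing `<version>` is never mistaken for a clean result.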

The Equifax - Struts2 link was originally reported here on September 8th.

Written by Derek Weeks

Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps -- an online community of 65,000 IT professionals.