Earlier today, Sonatype's Bill Karpovich appeared on Fox Business News to discuss the recent House report on the Equifax breach published by the Energy and Commerce Subcommittee on Oversight and Investigations.
Karpovich reflected on findings from the House report that the breach at Equifax was 100% preventable -- as the vulnerability at the root of the breach was one that had been publicly disclosed days before. According to the House report:
"On March 7, 2017, a critical vulnerability in the Apache Struts software was publicly disclosed. Equifax used Apache Struts to run certain applications on legacy operating systems. The following day, the Department of Homeland Security alerted Equifax to this criticalvulnerability. Equifax’s Global Threat and Vulnerability Management (GTVM) team emailedthis alert to over 400 people on March 9, instructing anyone who had Apache Struts running on their system to apply the necessary patch within 48 hours. The Equifax GTVM team also held a March 16 meeting about this vulnerability. Equifax, however, did not fully patch its systems."
Karpovich also reflected that while Equifax has made significant improvements over the past 15 months to its cyber security readiness and hygiene, many other companies continue to fall short on their secure development practices. In fact, Sonatype researcher now say that over 18,000 businesses have downloaded known vulnerable versions of the Apache Struts component over the past six months. Sonatype also revealed 1.2 million average monthly downloads from these companies during the same period.
Companies not keeping track of known vulnerable downloads continue to place their customers, applications, and businesses at risk as application related breaches continue to grow.
According to recent research from a Forrester Research survey, 12% of respondents indicated they experienced at least one breach over the past year and 41% had experienced multiple breaches. In another Forrester research survey, respondents indicated that the highest percentage of successful breaches involving an external attack were carried out on web applications (37%) and software vulnerabilities (35%).
To better understand what open source and third party components are in your applications, free analysis is available using our Nexus Vulnerability Scanner or DepShield service that is integrated into your GitHub repos.