Equifax was 100% preventable -- But 18,000 others at risk

December 17, 2018 By Derek Weeks


Earlier today, Sonatype's Bill Karpovich appeared on Fox Business News to discuss the recent House report on the Equifax breach published by the Energy and Commerce Subcommittee on Oversight and Investigations.


Karpovich reflected on the House report's finding that the breach at Equifax was 100% preventable, as the vulnerability at the root of the breach was one that had been publicly disclosed days before. According to the House report:

"On March 7, 2017, a critical vulnerability in the Apache Struts software was publicly disclosed. Equifax used Apache Struts to run certain applications on legacy operating systems. The following day, the Department of Homeland Security alerted Equifax to this critical vulnerability. Equifax’s Global Threat and Vulnerability Management (GTVM) team emailed this alert to over 400 people on March 9, instructing anyone who had Apache Struts running on their system to apply the necessary patch within 48 hours. The Equifax GTVM team also held a March 16 meeting about this vulnerability. Equifax, however, did not fully patch its systems."

Karpovich also reflected that while Equifax has made significant improvements over the past 15 months to its cyber security readiness and hygiene, many other companies continue to fall short on their secure development practices. In fact, Sonatype researchers now say that over 18,000 businesses have downloaded known vulnerable versions of the Apache Struts component over the past six months. Sonatype also revealed 1.2 million average monthly downloads from these companies during the same period.

 


Companies that do not keep track of known vulnerable downloads continue to place their customers, applications, and businesses at risk as application-related breaches continue to grow.

According to a recent Forrester Research survey, 12% of respondents indicated they experienced at least one breach over the past year and 41% had experienced multiple breaches. In another Forrester research survey, respondents indicated that the highest percentage of successful breaches involving an external attack were carried out on web applications (37%) and software vulnerabilities (35%).

To better understand what open source and third-party components are in your applications, free analysis is available using our Nexus Vulnerability Scanner or our DepShield service, which is integrated into your GitHub repos.

 


Written by Derek Weeks

Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps -- an online community of 65,000 IT professionals.