This afternoon, the House Oversight Committee issued a report stating that the Equifax breach was entirely preventable with basic open source security measures in place.
The findings are detailed here by TechCrunch -- and confirm what many industry insiders already knew. Equifax failed to patch a vulnerability in Apache Struts that had been publicly and responsibly disclosed months earlier by Apache. A short time after the public disclosure -- but well before Equifax could react -- the bad actors exploited the Struts vulnerability to steal the credit data of 150 million consumers.
Needless to say, it's been a rough year for Equifax. But the truth of the matter is that Equifax is not alone. In the last decade there have been hundreds, if not thousands, of companies — including Alaska Airlines, Community Health Systems, and JP Morgan Chase — that have made the exact same, easily preventable mistake.
So what is the common mistake? Simply stated, all of these companies failed to manage their software supply chain.
OK. But what exactly is "software supply chain management"?
It's a fairly new -- but well documented -- way of thinking that stems from W. Edwards Deming. It teaches us that whether you are manufacturing physical goods like automobiles, or digital goods like software applications, you should:
- Always source parts from fewer and better suppliers.
- Always use only the highest quality parts.
- Never pass known defects downstream.
- Continuously track and trace the location of every part across your entire supply chain.
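The last two principles are what a build-time gate enforces: inventory every component an application ships (track and trace) and refuse to build when one is a known defect (never pass it downstream). The script below is an added example, not Sonatype's product or Equifax's code; the pom.xml, the advisory entry and its fixed-version value are constructed placeholders, not real CVE data.

```python
"""Dependency gate: parse a Maven pom.xml, match components against an
advisory list, and fail the build if a known-defective version is present."""
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample manifest (not a real project's pom.xml).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId><version>2.3.0</version></dependency>
    <dependency><groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId><version>3.7</version></dependency>
  </dependencies>
</project>"""

# Constructed advisory feed: (group, artifact, first fixed version, advisory id).
# Placeholder values; a real gate pulls these from a vulnerability database.
ADVISORIES = [("org.apache.struts", "struts2-core", "2.3.99", "ADVISORY-PLACEHOLDER-1")]


def parse_version(v):
    """Numeric-dotted comparison; non-numeric segments (e.g. -SNAPSHOT) count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def dependencies(pom_xml):
    """Inventory (track and trace): every declared (group, artifact, version)."""
    root = ET.fromstring(pom_xml)
    return [(d.findtext("m:groupId", namespaces=NS),
             d.findtext("m:artifactId", namespaces=NS),
             d.findtext("m:version", namespaces=NS))
            for d in root.findall(".//m:dependency", NS)]


def known_defects(deps, advisories):
    """Components whose version is older than the advisory's first fixed version."""
    return [(g, a, v, ident, fixed)
            for g, a, v in deps
            for ag, aa, fixed, ident in advisories
            if (g, a) == (ag, aa) and parse_version(v) < parse_version(fixed)]


def gate(pom_xml, advisories=ADVISORIES):
    """Return (passed, findings); a failing gate stops the defect going downstream."""
    findings = known_defects(dependencies(pom_xml), advisories)
    return (not findings, findings)


if __name__ == "__main__":
    ok, hits = gate(SAMPLE_POM)
    print("PASS" if ok else "FAIL", hits)
```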
Today, Equifax is undertaking a massive digital transformation and application security overhaul led by a team of dedicated professionals, including Jamil Farshchi, who just last week was named CISO of the Year. It's a huge job. It won't be easy. But with the right people, and the right partners, it's a safe bet that Equifax will learn from this experience and begin to manage their software supply chain from end to end.
At Sonatype, helping organizations like Equifax solve this problem is why we exist. Our sole mission is to unite software developers, security professionals, and IT operations on the same team and empower them to continuously identify and remediate open source risk, without slowing down innovation.
If you want help eliminating open source security risk from your software supply chain -- drop us a line. We'd love to help.