In 1965, Ralph Nader became a household name with the publication of “Unsafe at Any Speed”, his pointed critique of the serious safety risks foisted upon consumers by the American automotive industry at the time. The oligarchs, ahem, leaders of this industry remained complacent with the delivery of their killing machines, emboldened further by an inept, if not corrupt, Federal Trade Commission. Companies were not held to account for their safety records, all of which were problematic. Because of this widespread lack of accountability, safety was not seen as a competitive advantage. And without fear of corporate downside, investments to address these risks were neither seen as prudent nor as a competitive advantage. Such is the state of some key aspects of application security today.
In March of 2017, a series of events began to unfold starting, perhaps paradoxically, with a software security fix being provided by the thoughtful and vigilant team on the Apache Struts project, which develops a very widely used piece of open source software. Because of the pervasive use of all kinds of open source software and the poor open source security practices of so many companies, bad actors -- who are now quite aware of this -- simply lie in wait for opportunity to knock. That opportunity comes in the form of an announcement of a high-profile security vulnerability and corresponding fix. When this occurs, a growing ecosystem of bad actors begin reverse engineering the fix, using it to craft an attack on the old version (often easy). With this working exploit kit in hand, they begin probing for weaknesses across the internet.
Given the lack of precise understanding many companies have in terms of the specific open source they use -- and they use enormous amounts of it -- there are plenty such weaknesses. On May 26th, more than two months after a fix had been made publicly available by the Struts team, one of these bad actors effectively walked right through the front door of Equifax, found the combination for the vault on the digital equivalent of a yellow sticky posted on the wall and was given direct access to the largest cache of personal credit data in history. They then proceeded to empty its contents over a period of more than two months before being detected.
While everyone has now heard of the Equifax compromise resulting in the theft of the personal information of nearly 200 million people, this is merely a glaring symptom of widespread systemic issues in application security, particularly with regard to open source software. These practices have not kept pace with the changes in the way software is developed -- namely, that the vast majority of code in today’s applications is open source software, often as much as 80% to 90% of the application. Companies get enormous benefits from free and open source software, with material competitive advantages conveyed to those that use it effectively. However, there is a bit of a double edged sword here. All of this powerful capability now requires that it be used wisely, lest it be turned against you.
While there is an understandably loud and growing virtual lynch mob marching on Equifax, we need to do a lot more than simply treat just this one symptomatic case. Fortunately for consumers, we now live in a post-Equifax-hack world where companies have to seriously consider the implications of losing 35% of their market capitalization overnight and their CIOs and CISOs being forced into retirement. Other board rooms across the world are no doubt looking upon their CIOs with circumspect eyes asking, “What are we doing about this?”
The poor safety record of the US automotive industry in the 1960s drove Ralph Nader to lead “Nader’s Raiders” in a movement to improve vehicle safety, generating a groundswell of support from public opinion and later widespread consumer demands for vehicular safety. Today, consumers are rightfully outraged with the breach of their personal information. This incident was an example of a widespread complacency that has allowed organizations to ignore poor practices and the risks that are resulting from them. In the case of Equifax, these behaviors led to a massive exposure with enormous consumer impact, all of which was very much avoidable.
Like the automotive industry was held to account some 50 years ago, I suspect there will be sufficient political will to do the same given the large cross section of the American public that has been forced to protect themselves because of what was basically carelessness. However, regardless of what transpires with the political process, there is cause for hope in terms of improvements to the application security practices of companies. Any company that develops software at any scale is now faced with the fact that they too could suffer an extinction level event if they shirk responsibility in their usage of open source. They have to assume they will be held to account for a lack of reasonable business practices associated with application security. Ignoring what are quickly becoming obvious risks will no longer be acceptable.
Significant gains in the security of open source usage are possible with little more than the will to achieve them, and they are far more economical than a $7,000,000,000 loss in shareholder value. The problem boils down to the following: Know what open source you are using, where you are using it and whether or not it is vulnerable or has become vulnerable . When it is vulnerable, manage the corresponding risks based on the nature of the vulnerability and the context within which it is being used. This is a major part of what solutions for software supply chain automation provide.
There are solutions for this available now, they are not burdensome to implement and they dramatically reduce exposure to application security risks. Perhaps more novel is that some of these solutions can also unlock significant development optimizations and reduce waste due to avoidable rework. These efficiency gains are often significantly greater than 10% of your total application development investment. In short, in concert with solving the application security problem, you can actually innovate faster, at lower cost and gain competitive advantage. There are enormous incentives to tackle these challenges. What are we waiting for?
. . .
I am passionate about open source and about helping people use it to develop better software, faster. The Equifax story should be a wake up call for anyone developing software. The good news is there are already solutions available to help make the world’s applications “Secure at Any Speed”. You can find some of these at sonatype.com. Regardless of the solution opted for, be it commercial, open source or roll your own… everyone should implement an effective one.