Based upon the tremendous amount of publicity surrounding the recent data breach at Equifax, as stewards of the Central Repository we felt it was important to share our perspective on the matter:
- Apache Struts: Apache Struts is a popular open-source and free Model-View-Controller (MVC) framework for Java. It is developed and maintained by an active and highly responsible community of volunteer contributors. The Apache Struts project has a long and well documented history of securing, hardening, and maintaining the software that it produces.
- Struts Vulnerabilities: Last week the Apache Struts project team disclosed two different critical vulnerabilities in Struts2 that would expose applications to remote code execution and enable direct access to customer-critical data. In both cases, and in keeping with their long-standing practice, the Apache Struts team made fixes available prior to publicly disclosing the vulnerabilities.
- Equifax Breach Disclosed: Separately, Equifax announced last week that it had suffered a massive security breach that exposed sensitive information, such as Social Security numbers and addresses, of up to 143 million Americans. Equifax said the breach happened between mid-May and July 2017. It discovered the hack on July 29. It informed the public on September 7, and reports suggest that a security vulnerability in Apache Struts was the cause of the breach.
At Sonatype, we don't pretend to know for certain what happened at Equifax. We do know that Apache Struts has a tremendous track record for finding security vulnerabilities and making fixes available in a timely manner.
Organizations such as Equifax who leverage open source to accelerate innovation are themselves responsible for practicing appropriate hygiene in a timely manner when fixes for vulnerabilities are made available.
For far too long, businesses have relied on network-based cybersecurity tools to defend the perimeter of the organization. Recent events at Equifax serve as a stark reminder that perimeter defenses by themselves are insufficient to protect critical data, because attackers are increasingly targeting vulnerabilities that exist in the application layer.
80% to 90% of every modern application consists of open source components. Therefore, in order to avoid unnecessary risk, organizations MUST automatically and continuously govern the quality of open source components and third-party libraries within their software supply chains. Continuing to ignore this problem is simply negligent.
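What "continuously governing" components looks like in practice is a check that runs on every build: enumerate the declared dependencies, compare each coordinate and version against an advisory feed, and fail when a dependency falls inside an affected range. The following is an added example written for this page, not Sonatype's tooling or any Apache project code. The Maven coordinates, version ranges and advisory IDs are constructed placeholders; the parsing and range logic is what a real check would do against a real feed.

```python
"""Minimal dependency-governance check for a Maven pom.xml (added example).
Parses declared dependencies and compares them against an embedded advisory
list. All coordinates, versions and advisory IDs below are constructed."""
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed advisory feed: "group:artifact" -> [(advisory_id, affected_min, fixed_in)].
# A dependency is affected when affected_min <= version < fixed_in.
ADVISORIES = {
    "com.example:legacy-mvc": [
        ("EXAMPLE-ADV-001", "2.0.0", "2.3.9"),
        ("EXAMPLE-ADV-002", "2.3.0", "2.5.2"),
    ],
    "com.example:json-tools": [
        ("EXAMPLE-ADV-003", "1.0.0", "1.4.1"),
    ],
}

# Constructed sample pom.xml: one vulnerable dependency, one at exactly the fixed
# version, one with no advisories, and one whose version is an unresolved property.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <dependencies>
    <dependency>
      <groupId>com.example</groupId><artifactId>legacy-mvc</artifactId><version>2.3.8</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId><artifactId>json-tools</artifactId><version>1.4.1</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId><artifactId>unrelated-lib</artifactId><version>0.9</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId><artifactId>prop-versioned</artifactId><version>${mvc.version}</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(v):
    """Turn '2.3.8' into (2, 3, 8). Non-numeric segments compare as 0."""
    parts = []
    for segment in v.split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version, affected_min, fixed_in):
    """Half-open range check: the fixed version itself is not affected."""
    v = parse_version(version)
    return parse_version(affected_min) <= v < parse_version(fixed_in)


def parse_dependencies(pom_xml):
    """Return [(coordinate, version_text)] for every <dependency> in the POM."""
    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.iter(POM_NS + "dependency"):
        group = dep.findtext(POM_NS + "groupId")
        artifact = dep.findtext(POM_NS + "artifactId")
        version = dep.findtext(POM_NS + "version")
        if group and artifact and version:
            deps.append((f"{group}:{artifact}", version.strip()))
    return deps


def audit(pom_xml, advisories=ADVISORIES):
    """Match dependencies against the advisory feed.

    Versions expressed as unresolved Maven properties (${...}) cannot be
    range-checked from the POM text alone, so they are reported separately
    rather than silently passing; a real pipeline would resolve them first.
    """
    findings, unresolved = [], []
    for coord, version in parse_dependencies(pom_xml):
        if version.startswith("${"):
            unresolved.append(coord)
            continue
        for adv_id, lo, fixed in advisories.get(coord, []):
            if is_affected(version, lo, fixed):
                findings.append({"coordinate": coord, "version": version,
                                 "advisory": adv_id, "fixed_in": fixed})
    return {"findings": findings, "unresolved": unresolved}


if __name__ == "__main__":
    report = audit(SAMPLE_POM)
    for f in report["findings"]:
        print(f"AFFECTED {f['coordinate']}@{f['version']} {f['advisory']} (fixed in {f['fixed_in']})")
    for coord in report["unresolved"]:
        print(f"UNRESOLVED {coord}: version is a property; resolve before auditing")
    raise SystemExit(1 if report["findings"] or report["unresolved"] else 0)
```

The non-zero exit status is the point: wired into the build, the check stops an artifact with a known-affected dependency from shipping, which is the "automatic and continuous" part the statement calls for. The half-open range and the explicit handling of property-based versions are the two places where a naive script would quietly produce a false clean result.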