Four days ago, we saw a critical vulnerability in Struts2 that would leave web applications open to remote code execution and enable direct access to customer-critical data. Early the next morning, we saw a second severe Struts2 zero-day appear. Then on Thursday we heard that 143 million consumer records were stolen from Equifax as a direct result of the Struts2 vulnerability.
Organizations like Equifax are continuously deciding where and how to invest in cybersecurity based on a cost-benefit assessment, but at the end of the day they are ultimately liable for the security of their data and systems. Companies that reap the productivity benefits of using open source components in their development cannot turn a blind eye to security defects that plague some of those components.
In our State of the Software Supply Chain Report (July 2017) we declared, "in the modern economy if you’re not innovating fast enough, you’ll get run over by someone else who is". For those same organizations, if they are not modernizing their security posture to keep pace with their ever-accelerating development practices, their defenses will be cracked. Such was the case with Equifax.
Software developers and corporate CEOs are both allergic to waste and instead prefer to invest their time toward innovation. Given the choice of spending 15 hours building something from scratch or 15 minutes polishing a piece of code from the community, both the developer and CEO will almost always choose open source.
It used to be true that if a particular piece of software was exposed to a large enough community of developers, then problems would be easily identified and quickly fixed. Velocity was maintained. This simple concept is why use of open source components often led to higher quality software applications and why organizations such as Equifax readily embraced it.
While the warning signs of relying on known vulnerable open source components have been posted for years, too many organizations have been relying on antiquated, difficult-to-defend, and manual governance of their software supply chains. Today, more vigilance is required. We can't simply brush off this latest breach as "just another hack". It is time that we take the responsibility to modernize and automate our software supply chain defenses in order to ensure a more secure future for all of us.
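To make the "automate our software supply chain defenses" point concrete, here is an added example (not Sonatype's tooling and not code from the original post) of the core check such automation performs: comparing every component in a bill of materials against an advisory feed of known-vulnerable version ranges and failing the build on a match. The advisory entries, component coordinates and advisory identifiers below are constructed placeholders, and the Maven-style range notation (`[lower,upper)`) is assumed as the feed's format.

```python
"""Known-vulnerable component check for a dependency list.

Added example with constructed data: the advisories, coordinates and
ADV-PLACEHOLDER-* identifiers are not real advisories.
"""
import re
import sys

# Constructed advisory feed: (group:artifact, affected version range, advisory id).
# Ranges use Maven-style interval notation: '[' / ']' inclusive, '(' / ')' exclusive.
ADVISORIES = [
    ("org.example:web-framework", "[2.0,2.3.33)", "ADV-PLACEHOLDER-1"),
    ("org.example:web-framework", "[2.5,2.5.13)", "ADV-PLACEHOLDER-2"),
    ("org.example:json-utils", "[1.0,1.9)", "ADV-PLACEHOLDER-3"),
]

# Constructed bill of materials, one "group:artifact:version" per line.
SBOM = """\
# constructed sample, not a real application
org.example:web-framework:2.5.10
org.example:json-utils:1.9
org.example:logging:1.2.17
"""

_RANGE_RE = re.compile(r"([\[(])\s*([^,]*?)\s*,\s*([^\])]*?)\s*([\])])")


def parse_version(version):
    """Turn '2.5.10' into (2, 5, 10); non-numeric segments compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def parse_range(spec):
    """Parse '[lo,hi)' into (lo, lo_inclusive, hi, hi_inclusive); open ends are None."""
    m = _RANGE_RE.fullmatch(spec.strip())
    if not m:
        raise ValueError(f"unsupported range syntax: {spec!r}")
    lo_br, lo, hi, hi_br = m.groups()
    return (
        parse_version(lo) if lo else None,
        lo_br == "[",
        parse_version(hi) if hi else None,
        hi_br == "]",
    )


def in_range(version, spec):
    """True if version falls inside the affected range; boundaries respect in/exclusive ends."""
    lo, lo_inc, hi, hi_inc = parse_range(spec)
    v = parse_version(version)
    if lo is not None and (v < lo if lo_inc else v <= lo):
        return False
    if hi is not None and (v > hi if hi_inc else v >= hi):
        return False
    return True


def scan(sbom_text, advisories):
    """Return [(coordinate, version, advisory_id)] for every component hit by an advisory."""
    findings = []
    for line in sbom_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, artifact, version = line.split(":")
        coord = f"{group}:{artifact}"
        for adv_coord, spec, adv_id in advisories:
            if adv_coord == coord and in_range(version, spec):
                findings.append((coord, version, adv_id))
    return findings


if __name__ == "__main__":
    # Gate the build: any finding is a non-zero exit, the way a CI policy check would behave.
    hits = scan(SBOM, ADVISORIES)
    for coord, version, adv_id in hits:
        print(f"VULNERABLE {coord}:{version} -> {adv_id}")
    sys.exit(1 if hits else 0)
```

The interesting part is the boundary handling: `json-utils:1.9` sits exactly on the exclusive upper end of `[1.0,1.9)` and is correctly reported clean, which is the kind of off-by-one a hand-maintained spreadsheet gets wrong. A real deployment would replace the inline `ADVISORIES` list with a regularly refreshed feed and run the check on every build.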
Note: Any readers wishing to analyze their applications for known vulnerable open source components have access to Sonatype's free OSS Software Bill of Materials service. Analysis of applications takes just a few seconds. For those readers who have Sonatype's Nexus Lifecycle or Firewall products, Struts2 defect updates and remediation path guidance for the latest vulnerabilities were available on September 5th.
The Equifax - Struts2 link was originally reported here on September 8th.