This morning, Kate Fazzini of The Wall Street Journal wrote an article titled “Companies Still Downloading Flaw that Led to Equifax Breach,” dissecting new data we released around the number of organizations (10,000+) who continue to bring known-vulnerable versions of the Struts web application framework into their environments.
Equifax Isn’t Alone
The Equifax scenario has been highly publicized; but, as we noted here on Monday, there are at least eight additional “high profile” breaches related to the Struts framework, and countless others tied to vulnerable open-source frameworks or components that haven’t made headline news. In fact, our 2018 DevSecOps Community Survey showed that 30% of organizations had a breach, or suspected a breach, related to a vulnerable open-source component.
As Sonatype CEO Wayne Jackson told Kate and the WSJ “Engineers, sometimes, continue using older software because of technical requirements or programs and processes that are built on these existing platforms.” He continued, “It’s a symptom of a longer-term problem in information security involving the frequent re-use of flawed code in new applications and updates. It can put companies at substantial risk of breaches.”
Becoming Business Critical
While Sonatype has been talking about good cyber hygiene and the importance of understanding what’s in your applications for years, Kate’s article, and the interest in this topic from more traditional business publications like the WSJ and Fortune, are proof that the tides are rising and the C-Suite is waking up to how business critical open-source governance has become.
And, most importantly, they’re beginning to understand there are ways to mitigate the uncertainty associated with using open-source. With so many problems on the minds of CEOs, CIOs and CSOs that seem “too big to fix,” this doesn’t have to be one of them. Which makes Kate’s interest in the topic even more exciting.
As Wayne told Kate, and her readers, by “adding security safeguards directly into the application building process and making patching initiatives more multi-faceted,” and by “providing stronger governance around the engineering process,” organizations can help prevent open-source vulnerabilities from making it into an application to begin with. While this is just one step toward complete governance, it can go a long way in ultimately preventing an open-source related breach. If you’re interested in reading what else Kate had to say on the topic, you can find the full article here.
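One concrete form of the build-process safeguard described above is a dependency gate that runs before packaging: it reads the declared dependencies, compares each against a policy of known-affected version ranges, and fails the build when a match is found. The script below is an added example written for this post; it is not Sonatype’s or the WSJ’s code, and it assumes a simple one-coordinate-per-line manifest (groupId:artifactId:version). The Struts coordinates are real Maven coordinates, but the affected and fixed version numbers in the policy are constructed placeholders for the example, not actual advisory data; a production gate would load its ranges from an advisory feed rather than hard-code them.

```python
"""Build-time dependency gate (added example, not code from the original post).

Fails the build when a declared dependency falls inside a known-affected
version range. The policy ranges here are constructed placeholders; a real
gate would pull them from an advisory feed.
"""
import re
import sys
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class AffectedRange:
    group_id: str
    artifact_id: str
    introduced: str  # inclusive lower bound of the affected range
    fixed: str       # exclusive upper bound: first version that is safe
    note: str


@dataclass(frozen=True)
class Finding:
    coordinate: str
    note: str


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1). Parsing stops at the first
    non-numeric piece (e.g. '-SNAPSHOT') so comparisons stay numeric."""
    parts: List[int] = []
    for piece in re.split(r"[.\-]", version):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts) or (0,)


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Right-pad both tuples with zeros so '2.3' compares equal to '2.3.0'."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_in_range(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (numeric, component-wise)."""
    v = parse_version(version)
    v_lo, lo = _pad(v, parse_version(introduced))
    v_hi, hi = _pad(v, parse_version(fixed))
    return lo <= v_lo and v_hi < hi


def parse_coordinate(line: str) -> Tuple[str, str, str]:
    """Split 'groupId:artifactId:version' into its three parts."""
    parts = line.strip().split(":")
    if len(parts) != 3:
        raise ValueError(f"malformed coordinate: {line!r}")
    return parts[0], parts[1], parts[2]


def evaluate(manifest: Iterable[str], policy: Iterable[AffectedRange]) -> List[Finding]:
    """Return one Finding per dependency that matches an affected range."""
    policy = list(policy)
    findings: List[Finding] = []
    for line in manifest:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blanks and comments in the manifest
        group, artifact, version = parse_coordinate(line)
        for rng in policy:
            if (rng.group_id == group and rng.artifact_id == artifact
                    and version_in_range(version, rng.introduced, rng.fixed)):
                findings.append(Finding(f"{group}:{artifact}:{version}", rng.note))
    return findings


def build_should_fail(manifest: Iterable[str], policy: Iterable[AffectedRange]) -> bool:
    """The gate's verdict: any finding blocks the build."""
    return bool(evaluate(manifest, policy))


# Constructed policy: version numbers are placeholders, not real advisory ranges.
POLICY = [
    AffectedRange("org.apache.struts", "struts2-core", "2.3.0", "2.3.99",
                  "PLACEHOLDER affected range; replace with advisory data"),
]

# Constructed manifest for the example (groupId:artifactId:version per line).
MANIFEST = """\
# constructed dependency manifest
org.apache.struts:struts2-core:2.3.5
org.apache.struts:struts2-core:2.3.99
org.apache.commons:commons-lang3:3.0
""".splitlines()


if __name__ == "__main__":
    for finding in evaluate(MANIFEST, POLICY):
        print(f"BLOCKED {finding.coordinate}: {finding.note}")
    sys.exit(1 if build_should_fail(MANIFEST, POLICY) else 0)
```

Wired into a CI job, the non-zero exit status is what stops a vulnerable component from reaching the artifact repository; the policy list is the piece that governance owns and updates, separately from the application code.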