Investigations following the Equifax breach revealed that a vulnerability in the Apache Struts 2 framework was the door hackers exploited to access the private financial data of 143 million consumers. The kicker? Equifax had a patch for the vulnerability two months before the hack, but never got around to installing it. Deploying a patch can be a complicated process that requires months of preparation. There are many reasons a patch might be delayed or disregarded; it happens every day. But the consequences can be dire.
The Equifax breach is only the latest incident to shed light on the challenges associated with securing open source software (OSS). It has renewed an important application security conversation, one that ITSP Magazine, Prevoty, and a panel of security leaders contributed to in a webinar titled: “Application Security in an Open Source World.”
Prevoty’s co-founder and CTO Kunal Anand, ITSPmagazine Editor-in-Chief Sean Martin, Michigan State University CIO Rob McCurdy, New York Life CVP Nate Smolenski and Andy Wickersham, an AppSec leader at a Fortune 100 company, all took part in the discussion.
“Application security is becoming more difficult both from an executional and operational standpoint,” said Nate Smolenski. “You just keep finding things that are obvious security vulnerabilities, but nothing ever gets fixed. Or if it does, it takes so long that you’re not really benefiting the business. You end up with a Frankenstein process that is very challenging.”
Application security has become increasingly complex over the past five years for a number of reasons: computation is moving to the cloud and becoming ephemeral, and we’re seeing a shift away from large monolithic applications to micro-services and OSS. It’s not just applications that are open source, it’s a bunch of functions within the stack. It could be the containers, the operating system, the underlying databases, and any number of other components. In a poll conducted during the webinar, 75 percent of the participants said most of their enterprise apps rely, in part, on open source components.
“Speed to market requires that you really can’t move forward without open source. You need it to meet the deadlines that are put on app development teams,” said Andy Wickersham.
“I’ve heard folks suggest that we should stop using open source software. I just don’t see how that’s possible, at least not at a large enterprise,” said Rob McCurdy. “But let’s say you could do that. Is that really fixing the problem? Are you really going to write code that is more secure? Do you have the ability to write 100 percent secure code?”
OSS provides a significant advantage for many organizations. Ready-made software solutions for common computing problems that are available without licensing fees are a benefit for all. But organizations need a new approach to mitigating the risks associated with incorporating OSS into their critical applications.
“We need to do a better job of inventory management. We need better visibility from inside the applications. Dependency checking needs to improve,” said Kunal Anand.
There is no magic wand that can secure applications 100 percent. Organizations need defense in depth to fend off potential attacks. This webinar features a cross-industry panel of security leaders sharing the best practices they've put in place to secure applications that leverage OSS.