Sonatype recently reported that only one in five companies have updated their vulnerable versions of Apache Struts, the open source framework hackers leveraged to pull off the 2017 Equifax breach that left 145 million records compromised.
There was a time when identifying vulnerabilities in open source software was an enormous challenge. Back when the Heartbleed vulnerability was disclosed in 2014, figuring out which applications within an organization’s portfolio contained the vulnerable OpenSSL component required mature processes and tools for asset management and vulnerability detection. But today, those affected by the Struts2 vulnerability benefit from the widespread availability of vulnerability scanning technologies and source code analysis tools. So why do critical vulnerabilities remain unsecured?
The answer lies within complex, rapid application development and deployment cycles that are misaligned with the vulnerability-management approach to AppSec that most organizations adopt. In many organizations, misaligned DevSecOps (or DevOpsSec or SecDevSecOpsSec) processes shift the burden of developing and updating secure software onto developers. But security is not a developer’s primary concern – pushing code into production with new features and capabilities is their bread and butter. The result? Security becomes an afterthought, and backlogs of unpatched vulnerabilities pile up while developers (justifiably) prioritize the business-critical software they were hired to build.
If Heartbleed stressed the need for visibility into software vulnerabilities, the Struts2 vulnerability stresses the need for a new approach to AppSec. Prevoty Autonomous Application Protection is a runtime application self-protection (RASP) solution that integrates security directly into applications with a single, autonomous plugin. By enabling applications to defend themselves, Prevoty shifts AppSec from the vulnerability-management-driven approach that repeatedly fails to protect organizations from attack to an attack-management approach that protects applications against real attacks in real time, regardless of whether the underlying software vulnerabilities have been patched.
As organizations continue to accelerate their development and deployment processes, they need controls in place that make their applications secure by default, even when vulnerabilities are inherent in their own code or in the frameworks those applications are built on. That way, whether it is Struts2, Heartbleed, or another zero-day vulnerability hiding in the application stack, it will not be exploited by nefarious actors. This allows organizations to focus their development efforts on business requirements, sleep better at night knowing that their applications are protected against attacks, and generate real telemetry on attempts to exploit their application code base.