In response to news of “Spring Break”, a new critical remote code execution (RCE) vulnerability affecting Pivotal Spring frameworks including Spring Boot, the world’s most popular framework for building web applications, Chris Wysopal, CTO at CA Veracode, commented as follows.
Chris Wysopal, CTO at CA Veracode:
News of “Spring Break” – the critical remote code execution (RCE) vulnerability (CVE-2017-8046) affecting projects in Pivotal Spring frameworks including Spring Boot, the world’s most popular framework for building web applications – is another example of the continuous challenge that organisations face in maintaining the security of their applications.
The importance of reacting quickly to “Spring Break” cannot be underestimated. A similar RCE vulnerability found in Apache Struts 2 last year was the root of a recent mega-breach, which put at risk the data of 143 million Americans. Of course, mitigating the risk of even severe vulnerabilities is no mean feat – even the most severe flaws take time to fix and our own research has shown that just 14% of high severity flaws are closed within 30 days or less.
The most effective way for development teams to manage the constant threat of new vulnerabilities is to maintain a comprehensive inventory of all the open source elements that are included in their applications. For existing applications, running composition analysis can identify which components are in applications – but just 28% of organisations are doing this regularly. Only when taking advantage of alerts and notification of newly discovered vulnerabilities, which are then checked against an accurate, up to date inventory, can organisations understand their exposure and how best to mitigate this risk.
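The inventory-plus-advisory check described in the comment above, as an added example (not code from the article, from Veracode, or from the Spring project): it parses a component inventory in the format of `mvn dependency:list` output and flags any entry whose version falls inside an advisory's affected range. The inventory lines are constructed, and the affected version ranges attached to the CVE named in the article are illustrative placeholders, not the vendor's published list; a real deployment would load them from the vendor advisory or a vulnerability database feed.

```python
# Added example: check a Maven dependency inventory against vulnerability advisories.
# Not code from the original article or from Veracode; the advisory version ranges
# below are constructed placeholders, not the vendor's published data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str


@dataclass(frozen=True)
class Advisory:
    cve: str
    group: str
    artifact: str
    affected: tuple  # (min_inclusive, max_exclusive) version pairs


# Constructed excerpt in the format of `mvn dependency:list` output:
# groupId:artifactId:type[:classifier]:version:scope
INVENTORY = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.data:spring-data-rest-webmvc:jar:2.6.8.RELEASE:compile
[INFO]    org.springframework.data:spring-data-rest-core:jar:3.0.1.RELEASE:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.7:compile
[INFO]    org.springframework.boot:spring-boot:jar:sources:1.5.8.RELEASE:provided
"""

# Constructed advisory records. The CVE id is the one named in the article; the
# affected ranges are illustrative placeholders, not the vendor's advisory text.
ADVISORIES = (
    Advisory("CVE-2017-8046", "org.springframework.data", "spring-data-rest-webmvc",
             (("2.6.0", "2.6.9"), ("3.0.0", "3.0.1"))),
    Advisory("CVE-2017-8046", "org.springframework.data", "spring-data-rest-core",
             (("2.6.0", "2.6.9"), ("3.0.0", "3.0.1"))),
)


def parse_version(v: str) -> tuple:
    """Turn '2.6.8.RELEASE' into (2, 6, 8); non-numeric qualifiers are dropped
    and short versions are zero-padded so tuples compare component-wise."""
    nums = []
    for part in v.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def parse_inventory(text: str) -> list:
    """Extract Component records from dependency:list style output."""
    comps = []
    for line in text.splitlines():
        coord = line.replace("[INFO]", "").strip()
        parts = coord.split(":")
        if len(parts) < 5:  # not a dependency coordinate line
            continue
        # group:artifact:type[:classifier]:version:scope -> version is second from last,
        # which works whether or not a classifier is present
        comps.append(Component(parts[0], parts[1], parts[-2]))
    return comps


def is_affected(version: str, ranges) -> bool:
    """True if version lies in any [lo, hi) range; the fixed version itself is clean."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


def find_exposures(inventory_text: str, advisories=ADVISORIES) -> list:
    """Return (cve, Component) pairs for every inventory entry in an affected range."""
    hits = []
    for comp in parse_inventory(inventory_text):
        for adv in advisories:
            if (comp.group, comp.artifact) == (adv.group, adv.artifact) \
                    and is_affected(comp.version, adv.affected):
                hits.append((adv.cve, comp))
    return hits


if __name__ == "__main__":
    for cve, comp in find_exposures(INVENTORY):
        print(f"{cve}: {comp.group}:{comp.artifact}:{comp.version}")
```

On the constructed inventory only `spring-data-rest-webmvc` 2.6.8.RELEASE is reported; `spring-data-rest-core` 3.0.1.RELEASE sits at the exclusive upper bound of its range and is treated as fixed, which is the boundary a naive string comparison would get wrong. Matching is on exact group and artifact coordinates, so the advisory data must list every affected artifact rather than relying on a name prefix.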