Following the news yesterday that Chinese government hackers have been indicted for breaching Equifax in 2017, please see comment below from Sonatype CEO Wayne Jackson.
The news that Chinese government hackers have been indicted for breaching Equifax is a powerful reminder of just how critical open source security is, and needs to serve as a call to arms for enterprise software development and security teams.
Equifax was not the only target. Within 24 hours of the Apache disclosure, hackers attempted to exploit the Struts vulnerability in as many as 10 different organizations, including the US DoD.
Independent of today’s news, one detail that warrants special attention is this: what actually happened at Equifax during the three days between the Apache Struts vulnerability being disclosed on March 7th and the initial breach on March 10th?
Adversaries have changed their approach to find more efficient attack vectors, and the speed at which they’re able to infiltrate applications directly is astounding. The time required for hackers to exploit a newly disclosed open source vulnerability has shrunk by 93.5% in the last decade. In this instance, hackers took just 72 hours between the Apache Struts vulnerability being disclosed to the initial breach.
Despite this, 57% of the Fortune 100 were still using the same faulty software component that enabled the Chinese government hack, in the year following the Equifax breach. And too many organisations continue to invest in perimeter and network security, rather than application security, even though in 2019, 2 years after the initial breach, 1 in 4 companies confirmed or suspected they had a breach due to an open source vulnerability.
If businesses fail to practice proper software governance and build vulnerable components into their applications without taking the threat of supply chain attacks seriously, they expose themselves and their customers to significant risk. As these revelations show, this can include infiltration from nation-state actors.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides expert comments, analysis and opinion on the latest information security news and topics.