It has been reported that almost two years after Equifax’s massive hack, most Fortune 100 companies still haven’t learned the lesson about using vulnerable software. In the last six months of 2018, two-thirds of the Fortune 100 companies downloaded a vulnerable version of Apache Struts, the same vulnerable server software that hackers used to steal the personal data of close to 150 million consumers, according to data shared by Sonatype, an open-source automation firm. That’s despite almost two years’ worth of patched Struts versions having been released since the attack.
Tim Mackey, Technical Evangelist at Synopsys:
“Sonatype, and others, maintain public repositories containing open source components. While it’s reasonable to conclude that a download of an older component version containing a known vulnerability poses a risk to an organisation, arriving at the conclusion that the vulnerable component was deployed is an entirely different matter. There are many ways software delivery chains can update or patch a version of a component without ever returning to the source. These processes often won’t be reflected in download data available to the repository owner, for no other reason than that the intent of the download isn’t known.
This is why organisations looking at open source governance utilise a three-pronged approach to manage their software risks. First, they gain visibility into the open source usage within any downloaded binaries – be they from a public repository or commercial vendor. Second, they create a complete bill of materials, or inventory, for the open source in use – complete with an understanding of the origin of the component. Lastly, they continuously monitor for any new vulnerability disclosures associated with these dependencies. Only then can they create a patch strategy which embraces open source usage while defining risk to the organisation which is based on intent.”
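As an added illustration of the second and third prongs in the quote above (example code written here, not Sonatype's or Synopsys's tooling), the script below matches a bill of materials of deployed components against an advisory feed and reports which entries need upgrading. The SBOM entries, the advisory identifier, the component coordinates and every version number are constructed placeholders, not real disclosures.

```python
"""Match a constructed SBOM against a constructed advisory feed.

Versions are compared numerically, component by component, so that a
fixed-in value such as 2.5.100 is correctly seen as newer than 2.5.99
(a plain string comparison would get this backwards).
"""

# Constructed inventory of components actually deployed, with origin recorded
# as the quote recommends (a vendor binary may carry open source inside it).
SBOM = [
    {"name": "org.apache.struts:struts2-core", "version": "2.3.9", "origin": "public-repository"},
    {"name": "org.apache.struts:struts2-core", "version": "2.5.99", "origin": "internal-mirror"},
    {"name": "com.example:widget", "version": "1.4.2", "origin": "vendor-binary"},
]

# Constructed advisory feed. The id is a placeholder, not a real CVE. Each range
# names an affected release branch and the first fixed version on that branch;
# any version on the branch below the fixed version is affected.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "component": "org.apache.struts:struts2-core",
     "ranges": [("2.3", "2.3.10"), ("2.5", "2.5.100")]},
]


def parse_version(text):
    """Turn '2.5.99' into (2, 5, 99); assumes purely numeric dotted versions."""
    return tuple(int(part) for part in text.split("."))


def affected(version, ranges):
    """Return the fixed-in version if `version` falls in an affected range, else None."""
    parsed = parse_version(version)
    for branch, fixed_in in ranges:
        prefix = parse_version(branch)
        if parsed[:len(prefix)] == prefix and parsed < parse_version(fixed_in):
            return fixed_in
    return None


def audit(sbom, advisories):
    """Join every SBOM entry against every advisory for the same component."""
    findings = []
    for component in sbom:
        for advisory in advisories:
            if advisory["component"] != component["name"]:
                continue
            fix = affected(component["version"], advisory["ranges"])
            if fix is not None:
                findings.append({**component, "advisory": advisory["id"], "upgrade_to": fix})
    return findings


if __name__ == "__main__":
    for finding in audit(SBOM, ADVISORIES):
        print(f"{finding['name']} {finding['version']} ({finding['origin']}): "
              f"{finding['advisory']} -> upgrade to {finding['upgrade_to']}")
```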