It has been reported that Equifax appeared before the United States Senate yesterday to discuss what the company has learned from one of the largest data breaches to hit corporate America. Last night, the Senate released a report on how Equifax handled its data security leading up to the breach. The report states that the company “neglected” cybersecurity ahead of the devastating breach.
Tim Mackey, Senior Technical Evangelist at Synopsys:
“The Equifax breach, related to the Apache Struts vulnerability, showcased the disconnect between commercial software security practices and their open source equivalents. With a commercial software solution, the vendor is in a position to push security information to consumers. With open source products, unless an effective inventory of open source components in use is maintained, it is difficult to manage an effective patch management strategy. For example, open source is often available from multiple distribution channels and a patch designed for one distribution channel may not be effective when applied to the same component obtained from a different channel.
While the Senate report highlights the value of periodic scanning for vulnerable open source components, that practice can easily let vulnerable components be deployed when an organisation uses Agile development practices commonly referred to under the DevOps umbrella. Instead of periodic scans, comprehensive inventories of open source dependencies should be created during development and when applications are deployed. Those dependencies should be fed into a continuous monitoring solution designed to identify when new security disclosures are published. When combined, such a solution allows for an accurate picture of the security exposure within a given application to be accurately measured in near real time. Armed with the knowledge of a vulnerable open source component and the origin of the component, an effective patch strategy can be created.”
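As an added illustration of the inventory-plus-monitoring approach described in the comment above (example code written for this page, not Synopsys tooling and not part of the original article), the following Python script models a dependency inventory captured at build and deploy time, matches it against an advisory feed, and reacts to a newly published disclosure. It also records each component's distribution channel so that remediation advice is channel-aware, matching the point that a fix from one channel may not apply to an artifact obtained from another. All component names, versions, channels and advisory identifiers are constructed, and the version-range check is a deliberate simplification of real advisory data.

```python
# Added example (not from the original post): an SBOM-style dependency
# inventory matched against an advisory feed as new disclosures arrive.
# Every component name, version, channel and advisory id below is constructed.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Compare 'a.b.c' numerically; a '-suffix' (e.g. a vendor build tag) is dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-", 1)[0]))


@dataclass
class Component:
    app: str        # application that ships this dependency
    name: str
    version: str
    origin: str     # distribution channel the artifact was obtained from


@dataclass
class Advisory:
    advisory_id: str
    name: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive upper bound)
    fixed_builds: Dict[str, str] = field(default_factory=dict)  # channel -> fixed build


# Inventory captured at build/deploy time (constructed sample data).
INVENTORY: List[Component] = [
    Component("customer-portal", "acme-web-framework", "2.3.31", "maven-central"),
    Component("customer-portal", "acme-upload-lib", "1.3.2", "maven-central"),
    Component("batch-loader", "acme-web-framework", "2.3.31", "vendor-bundle"),
    Component("batch-loader", "acme-json-lib", "2.9.5", "maven-central"),
]

# Advisory feed as it stands today (constructed sample data).
ADVISORIES: List[Advisory] = [
    Advisory("ADV-0001", "acme-web-framework", "2.3.0", "2.3.32",
             fixed_builds={"maven-central": "2.3.32"}),
    Advisory("ADV-0002", "acme-json-lib", "2.9.0", "2.9.6",
             fixed_builds={"maven-central": "2.9.6", "vendor-bundle": "2.9.6-v1"}),
]


def is_affected(component: Component, advisory: Advisory) -> bool:
    """True when the component's version falls inside the advisory's affected range."""
    if component.name != advisory.name:
        return False
    v = parse_version(component.version)
    return parse_version(advisory.introduced) <= v < parse_version(advisory.fixed)


def remediation(component: Component, advisory: Advisory) -> str:
    """Channel-aware patch guidance: a fix on one channel may not exist on another."""
    build = advisory.fixed_builds.get(component.origin)
    if build:
        return f"upgrade to {build} from {component.origin}"
    return f"no fixed build published on {component.origin}; track vendor or change channel"


def find_exposures(inventory: List[Component], advisories: List[Advisory]) -> List[Dict[str, str]]:
    """Current exposure across all applications, one row per (component, advisory) hit."""
    return [
        {"app": c.app, "component": f"{c.name}@{c.version}", "origin": c.origin,
         "advisory": a.advisory_id, "action": remediation(c, a)}
        for c in inventory for a in advisories if is_affected(c, a)
    ]


def on_new_disclosure(inventory: List[Component], advisory: Advisory) -> List[str]:
    """Continuous-monitoring hook: which applications does a newly published advisory hit?"""
    return sorted({c.app for c in inventory if is_affected(c, advisory)})


if __name__ == "__main__":
    for row in find_exposures(INVENTORY, ADVISORIES):
        print(row)
    # A disclosure arriving after the last deploy: the inventory answers immediately,
    # with no rescan of the deployed artifacts needed.
    new_adv = Advisory("ADV-0003", "acme-upload-lib", "1.3.0", "1.3.3",
                       fixed_builds={"maven-central": "1.3.3"})
    print("newly exposed apps:", on_new_disclosure(INVENTORY, new_adv))
```

The design point is in `remediation`: the same `acme-web-framework` version is flagged in both applications, but only the copy obtained from `maven-central` gets an actionable upgrade, while the `vendor-bundle` copy is reported as lacking a fixed build on its channel. Recording the origin alongside name and version is what makes that distinction possible.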
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.