MediaTech Law

By MIRSKY & COMPANY, PLLC

Equifax Breach Ignites Discussions about Open Source Software

In the recent Equifax data breach, massive amounts of personal information (including the names, social security numbers, birth dates, addresses and driver’s license numbers of 145.5 million U.S. consumers) were potentially accessed by hackers. As a result, Equifax parted ways with its CEO and other executives. While Equifax has offered credit monitoring and identity theft protection to victims, the full extent of the damage may not be known for some time.

Interestingly, the incident has sparked a discussion about the use of open source software by companies because Equifax claims the breach was caused by a vulnerability in an open source application framework called Apache Struts (the formal name of the vulnerability is CVE-2017-5638). Apache Struts is a very popular framework for building web applications and was used by Equifax as part of a web portal that allowed consumers to dispute the accuracy of credit information. For context, the vulnerability in Apache Struts is only one of many known and widely exploited security vulnerabilities in open source projects, including among others OpenSSL Heartbleed, gSOAP Devil’s Ivy, and Shellshock.

Equifax’s use of open source software is not unique. In a 2016 article in Wired, Klint Finley explained that open source can be the best way to develop software in part because it “lets companies share the burden of developing common infrastructure and compatibility standards.” According to Finley, companies are even starting to open source their own code. For example, ExxonMobil reportedly came out with an open source developer toolkit that will enable oil and gas companies to “adopt standard data formats.” Another example of an industry open source project is the Core Infrastructure Initiative, in which industry giants like Amazon Web Services and Facebook have teamed up to strengthen open source security.

There is debate over who is to blame for the Equifax breach and whether Equifax took adequate steps to protect its network. In a press release containing the details of the incident, Equifax at one point appears to claim it identified and patched the vulnerability before the attack, but one also could argue that another section implies it may not have been fully patched until after the attack. The press release goes on to explain that, “While Equifax fully understands the intense focus on patching efforts, the company’s review of the facts is still ongoing.” (Subsequent releases have not provided further insight.)

Some claim that Equifax must be at fault. For example, Dries Buytaert (an open source developer and founder of an open source platform) argues that open source software should not be blamed for poor security practices by Equifax. Buytaert writes, “Equifax was hacked because the firm failed to patch a well-known Apache Struts flaw that was disclosed months earlier in March.” Similarly, the Apache Software Foundation (Apache Struts is one of the foundation’s projects) also has fought back against implications that it is to blame for the breach.

Presumably, time will sort out the causes of the Equifax breach, but the incident is already a clear signal that companies should take this opportunity to pay closer attention to their use of open source software. According to one software company (Black Duck), “Open source software — such as Apache Struts — comprises 80 to 90 percent of the code in modern applications, yet most organizations lack any visibility into the open source they are using.” In an article published by IAPP, Amanda O’Keefe asserts that companies’ core operations are frequently run by software provided by third party vendors, but that the vendors may not disclose they are using open source software unless forced to do so. O’Keefe argues that companies should require vendors to provide a list of all open source software they utilize and that the vendor should be held accountable if a vulnerable or unsupported version of the software is discovered. Along these lines, one resource available to companies when dealing with open source software is the OpenChain Project, which has developed and published an “industry-standard for managing Open Source compliance across the supply chain,” as well as related training materials. Click here for a copy of the latest version of OpenChain’s protocol.
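The vendor-inventory practice O’Keefe describes is easy to put into operation once the component list exists. The script below is an added illustration, not code from this article or from any of the projects it names: it reads a constructed vendor component list, compares each entry against a small advisory table, and flags versions that are vulnerable or no longer supported. The vendor names, component names and inventory rows are made up for the example; the Apache Struts version ranges attached to CVE-2017-5638 are taken from the Apache security bulletin for that issue (S2-045), which this article does not reproduce, so verify them against the bulletin before reusing this data.

```python
"""Flag vulnerable or unsupported open source components in a vendor inventory.

Added example for this article; all vendors, inventory rows and the
end-of-life list are constructed. Only the Struts ranges come from a real
advisory (CVE-2017-5638 / Apache bulletin S2-045).
"""
import csv
import io
import re
from dataclasses import dataclass


@dataclass
class Advisory:
    component: str
    cve: str
    affected: list   # [(lowest_affected, highest_affected), ...], both inclusive
    fixed_in: list   # releases that close the issue, reported for remediation


# Advisory table. Struts ranges per Apache bulletin S2-045 for CVE-2017-5638;
# a real deployment would load this from a vulnerability feed, not hard-code it.
ADVISORIES = [
    Advisory("apache-struts2", "CVE-2017-5638",
             affected=[("2.3.5", "2.3.31"), ("2.5", "2.5.10")],
             fixed_in=["2.3.32", "2.5.10.1"]),
]

# Components a vendor should not be shipping at all (constructed list; in
# practice this comes from each upstream project's end-of-life notices).
UNSUPPORTED = {"apache-struts1": "component is end-of-life upstream; no fixes issued"}


def parse_version(text):
    """'2.3.31' -> (2, 3, 31). Non-numeric suffixes such as '1.1.0f' are dropped."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(n) for n in nums)


def compare(a, b):
    """Compare two version tuples; missing trailing parts count as 0 ('2.5' == '2.5.0')."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def in_affected_range(version, lo, hi):
    v = parse_version(version)
    return compare(v, parse_version(lo)) >= 0 and compare(v, parse_version(hi)) <= 0


def assess(component, version):
    """Return (status, detail) for one inventory entry."""
    if component in UNSUPPORTED:
        return "unsupported", UNSUPPORTED[component]
    for adv in ADVISORIES:
        if adv.component != component:
            continue
        for lo, hi in adv.affected:
            if in_affected_range(version, lo, hi):
                return "vulnerable", f"{adv.cve}; fixed in {', '.join(adv.fixed_in)}"
    # "no-match" means nothing in *this* advisory table applies. It is not
    # evidence that the component is safe, only that the data did not cover it.
    return "no-match", "not matched by the supplied advisory data"


def check_inventory(csv_text):
    """Parse a vendor list with columns vendor,component,version and assess each row."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        component = row["component"].strip()
        version = row["version"].strip()
        status, detail = assess(component, version)
        findings.append({"vendor": row["vendor"].strip(), "component": component,
                         "version": version, "status": status, "detail": detail})
    return findings


# Constructed sample inventory, in the shape a vendor might be asked to supply.
SAMPLE_INVENTORY = """vendor,component,version
AcmeDisputePortal,apache-struts2,2.3.31
AcmeDisputePortal,openssl,1.1.0f
AcmeBilling,apache-struts2,2.5.13
AcmeLegacy,apache-struts1,1.3.10
"""

if __name__ == "__main__":
    for f in check_inventory(SAMPLE_INVENTORY):
        print(f"{f['status']:<11} {f['vendor']:<18} {f['component']} "
              f"{f['version']}  {f['detail']}")
```

Two design points matter when this grows beyond an illustration. First, "no-match" is deliberately distinct from "safe": a component absent from the advisory table (the OpenSSL row above) has simply not been assessed, which is the visibility gap the Black Duck quote describes. Second, version parsing is lossy on purpose for suffixed strings like `1.1.0f`; for ecosystems with letter or qualifier suffixes, use the ecosystem's own version-comparison rules rather than this numeric tuple comparison.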
