Black Duck Releases Free Tool to Help You Avoid Becoming the Next Equifax

Equifax recently became headline news for all the wrong reasons when it revealed it had been the victim of a data breach that exposed the sensitive financial history and personal data of more than 140 million people. Equifax also shared that the attackers were able to gain access by exploiting a well-known vulnerability in its web application. Black Duck wants to help other companies avoid falling victim to the same scenario, so it has released a new free tool.

The flaw attackers were able to exploit with Equifax is one of the vulnerabilities in Apache Struts, a widelyused open-source web application framework. The specific flaw leveraged in the Equifax breach was CVE-2017-5638, which was originally disclosed in March of this year. There have been other major flaws in Apache Struts discovered since then.

Updates to Apache Struts have been released to address these flaws; however, patching is perhaps easier said than done. Because Apache Struts is a web application framework and not a specific tool or application, there may be elements of it woven throughout the network in various snippets of code. In many cases, Apache Struts is used with mission-critical applications as well, which makes updating or patching a more challenging task.

Although it might be more difficult to find the vulnerable apps or a bigger burden to update critical apps, it still needs to be updated and patched. If you don’t, you may find yourself in the headlines like Equifax.

Black Duck is in the business of helping customers secure and manage open-source software, particularly in dynamic DevOps and container environments. It recently launched Threat Check for Struts, a free tool to enable organizations to determine if they are at risk from Apache Struts vulnerabilities, including the CVE-2017-5638 flaw that took down Equifax.

“The Equifax breach never should have happened,” said Black Duck CEO Lou Shipley. “Equifax has acknowledged that. Even though a patch for the exploited Apache Struts vulnerability had been for two months available when the breach occurred, it hadn’t been applied. Unfortunately, this is something we see time and again: a known, fixable open-source vulnerability not being remediated.”

Black Duck wants to help ensure that same mistake isn’t made by other companies. Apache Struts is widely used by many—if not most—Fortune 500 companies to build and deploy web applications spanning industries such as financial services, health care, education, retail and media.

With the rise of DevOps and containers, organizations rely increasingly on open-source tools and platforms. Black Duck estimates that as much as 80 percent to 90 percent of the code in modern applications is derived in some way from open-source code, yet most companies lack visibility into what open-source code is running on their networks and where. A free tool such as Threat Check for Struts that can help automate discovery of vulnerable open-source code is invaluable.

Tony Bradley

Featured eBook
The Bot Problem: Effective Detection, Analysis & Blocking

The Bot Problem: Effective Detection, Analysis & Blocking

Bots account for 50% of all web traffic. In the U.S. alone, threat actors will cause over $12 billion in losses by next year. How do companies fight against the ever-multiplying barrage of bot attacks from bad actors? Security experts across all industries face the same challenge: how do I improve defenses against bot-generated traffic? This ebook reveals ways ... Read More
Signal Sciences

Tony Bradley

I have a passion for technology and gadgets--with a focus on Microsoft and security--and a desire to help others understand how technology can affect or improve their lives. I also love spending time with my wife, 7 kids, 2 dogs, 4 cats, 3 rabbits, 2 ferrets, pot-bellied pig and sulcata tortoise, and I like to think I enjoy reading and golf even though I never find time for either. You can contact me directly at tony@techspective.net. For more from me, you can follow me on Twitter and Facebook.

tony-bradley has 91 posts and counting.See all posts by tony-bradley