Q&A: Why SMBs should heed lessons from Equifax breach and mitigate ‘open source’ risks

Hackers were able to ransack Equifax last year and steal personal data on some 143 million people by exploiting a vulnerability in an open-source component that the credit bureau had failed to patch.

The hackers leveraged a vulnerability in Apache Struts, an open-source Java framework for building web applications, which underpins the credit bureau’s web portal and is widely used by developers at Fortune 100 companies.


It turns out that Apache Struts is widely deployed among small and mid-sized businesses, as well. LastWatchdog recently had a conversation with Rami Sass, CEO and co-founder of WhiteSource Software, a supplier of open source management systems. We discussed the exposure companies face with respect not just to Apache Struts, but also to many other open source components. Here are excerpts, edited for clarity and length:

LW: How would you characterize the exposure companies are facing today due to the ingrained use of open source systems?

Sass: Because open source projects like Apache Struts2, for instance, are used by so many organizations, many of which handle valuable customer data, all kinds of businesses and organizations can find themselves exposed to the risk of having their data stolen. For an enterprise, this can be destructive for their bottom line. SMBs can be wiped out if a breach occurs, unable to weather the storm from the fallout.

LW: Just how dependent are we on open source at this point in time?


Sass: Open source code is the cornerstone of the software industry, comprising an estimated 60% to 80% of the products out there. Developers in all sectors depend on open source for working faster and more efficiently, using it to add necessary functions to their apps. It doesn’t matter if you’re Microsoft or a small app developer: if you’re making apps, then you’re using open source. In the case of the Equifax breach, they were hacked through a vulnerable version of Apache Struts2, a very popular open source project that is used in web apps.

LW: What’s the most important thing company decision makers should understand about open source vulnerabilities?

Sass: The primary risk when it comes to open source components is from known vulnerabilities. Because the vulnerabilities are announced and listed online, hackers don’t have to go through the work of analyzing the components for weaknesses. They just need to ping companies’ systems and find one that hasn’t implemented the latest patch to find their next victim.

Furthermore, you can’t remediate if you don’t know what you have. Most developers will seek out an open source component, add it to their product, and forget about it without properly adding it to their inventory. While this is a problem on many levels, one of the biggest issues is that developers won’t know that they are using vulnerable components when the vulnerabilities are announced, so they won’t know to go in and make the patches. This means that most organizations that aren’t using the right tools are vulnerable, and they don’t even know it.
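The two points above, that attackers match published vulnerabilities against unpatched systems and that you cannot patch a component you never inventoried, come down to a mechanical check: list every third-party component with its version, then compare each against the affected ranges in an advisory feed. The script below is an added example, not WhiteSource's product or any code from the original post. It builds an inventory from a Maven pom.xml (a constructed sample is embedded), resolves `${property}` version references the way Maven does for simple cases, and matches the result against a hard-coded advisory list. The one entry in that list, the Apache Struts S2-045 advisory (CVE-2017-5638) used against Equifax, is not named on this page; its identifier and version ranges are given from memory of the Apache advisory and should be verified against NVD, and a real deployment would replace the list with a live feed.

```python
"""Minimal dependency inventory plus known-vulnerability check (added example).

Not WhiteSource's code or the original post's. Parses a constructed Maven
pom.xml, lists (groupId, artifactId, version) for every dependency, and
flags any that fall inside a known-affected version range.
"""
import re
import xml.etree.ElementTree as ET

MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample manifest: a web app pinning Struts 2 via a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>portal</artifactId>
  <version>1.0</version>
  <properties>
    <struts.version>2.3.31</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.9.4</version>
    </dependency>
  </dependencies>
</project>
"""

# Advisory list: (groupId, artifactId, advisory id, [(first_affected, first_fixed)]).
# first_fixed is exclusive. The S2-045 ranges are quoted from memory of the
# Apache advisory and are not from the page; verify against NVD before use.
# A real check pulls a current feed instead of a hard-coded list.
ADVISORIES = [
    ("org.apache.struts", "struts2-core", "CVE-2017-5638 (S2-045)",
     [("2.3.5", "2.3.32"), ("2.5", "2.5.10.1")]),
]


def parse_version(v: str) -> tuple:
    """Turn '2.5.10.1' into (2, 5, 10, 1); parsing stops at a non-numeric piece."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def inventory_from_pom(pom_xml: str) -> list:
    """Return [(groupId, artifactId, version)] for each <dependency> in the POM."""
    root = ET.fromstring(pom_xml)
    props = {p.tag[len(MAVEN_NS):]: (p.text or "").strip()
             for p in root.findall(f"{MAVEN_NS}properties/*")}

    def text(el, name):
        child = el.find(MAVEN_NS + name)
        return (child.text or "").strip() if child is not None else ""

    deps = []
    for dep in root.findall(f"{MAVEN_NS}dependencies/{MAVEN_NS}dependency"):
        version = text(dep, "version")
        # Resolve ${prop} references from <properties>; unknown ones are left as-is.
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)), version)
        deps.append((text(dep, "groupId"), text(dep, "artifactId"), version))
    return deps


def is_affected(version: str, ranges) -> bool:
    """True if version lies in any [first_affected, first_fixed) range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


def find_known_vulnerabilities(inventory) -> list:
    """Return [(groupId, artifactId, version, advisory_id)] for every match."""
    findings = []
    for gid, aid, ver in inventory:
        for adv_gid, adv_aid, adv_id, ranges in ADVISORIES:
            if (gid, aid) == (adv_gid, adv_aid) and is_affected(ver, ranges):
                findings.append((gid, aid, ver, adv_id))
    return findings


if __name__ == "__main__":
    inv = inventory_from_pom(SAMPLE_POM)
    for item in inv:
        print("inventory:", item)
    for finding in find_known_vulnerabilities(inv):
        print("VULNERABLE:", finding)
```

Tuple comparison does the version ordering: `(2, 5, 10)` sorts below `(2, 5, 10, 1)`, so the patched `2.5.10.1` falls outside the range while `2.5.10` is flagged. The inventory step is the part most teams skip; once it exists as data, re-running the match against a fresh feed whenever an advisory lands is cheap.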

LW: What should we expect from malicious hackers through 2018?

Sass: One of the most interesting developments thus far this year has been the release of Autosploit by the security researcher/hacker VectorSEC at the tail end of January. He essentially took the searching power of Shodan and the exploit capabilities of Metasploit, and made an all-in-one, fully automated “search and exploit” tool that takes all of the work out of hacking.

This makes it easy for anyone, even those without any serious hacking skills, to break into unpatched systems. It also tips the balance, allowing hackers to punch above their weight, targeting massive lists of companies based on whether they are using general open source projects.

This means that companies don’t have to be specifically targeted in order to be at risk. Anonymity is no longer a good defense. There are automated systems, such as the one we offer, that can make mitigating open source exposures easier and scalable. As the attackers automate hacking processes, companies are going to need to do the same.

LW: As a company decision maker, how do I begin to deal with my open source risk?

Sass: There are solutions that give you full visibility over all of the open source components in your environment, tell you which ones are vulnerable, and give you the power to set policies organization-wide to keep your products safe and compliant.

The first step though is to understand that you are already using open source in your apps, and that even as they have the power to make your development more efficient and speedy, their security risks are something that you have to manage before you are breached.

(Editor’s note: Last Watchdog has supplied consulting services to WhiteSource.)

This is a Security Bloggers Network syndicated blog post authored by bacohido. Read the original post at: The Last Watchdog