5 steps to reduce open source vulnerability risk
There are several steps organisations can take to reduce the risk of an attack like the one disclosed last week by US-based credit reporting agency Equifax, according to René Gielen, Vice President of the Apache Struts Project Management Committee at the Apache Software Foundation.
The breach, which resulted in the sensitive personal information of thousands of Americans and Canadians ending up in the hands of cyber criminals, was said to be the result of hackers exploiting a vulnerability in Apache Struts, a popular open-source framework for developing Web applications in the Java programming language.
However, Gielen said that the Equifax breach may, or may not, have been a result of the latest vulnerability in Apache Struts, designated CVE-2017-9805, which had been detected two days before the announcement of the Equifax incident.
"What we saw (at Equifax) is common software engineering business - people write code for achieving a desired function, but may not be aware of undesired side-effects," Gielen said.
"Once this awareness is reached, we as well as hopefully all other library and framework maintainers put high efforts into removing the side-effects as soon as possible. It's probably fair to say that we met this goal pretty well in case of CVE-2017-9805."
Gielen provided the following general advice to businesses and individuals utilising Apache Struts as well as any other open or closed source supporting library in their software products and services:
1. Understand which supporting frameworks and libraries are used in your software products, and in which versions. Keep track of security announcements affecting these products and versions.
2. Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries have to be updated for security reasons. Do this within hours or a few days, not weeks or months. Most breaches are caused by failure to update software components that have been known to be vulnerable for months or even years.
3. Any complex software contains flaws. Don't build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities.
4. Establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. A breach of the presentation layer should never grant access to significant, let alone all, back-end information resources.
5. Establish monitoring for unusual access patterns to your public Web resources. Nowadays there are many open source and commercial products available to detect such patterns and raise alerts. This type of monitoring is good operations practice for business-critical Web-based services.
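The first piece of advice, knowing which libraries and versions ship in a product and matching them against advisories, as an added example that is not from the article or the Struts project: a Python script that inventories a Maven pom.xml, resolves versions defined through properties, and flags dependencies whose version falls inside an advisory's affected range. The pom, the advisory table and its version range are constructed for illustration; real ranges must come from the advisory itself.

```python
"""Inventory a pom.xml's dependencies and flag versions inside an advisory's affected
range.  Added example; the pom and advisory table below are constructed, not real."""
import re
import xml.etree.ElementTree as ET

NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample pom.xml.  One version comes from a <properties> entry, which a
# naive grep for <version> tags would report as the literal "${struts.version}".
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.5.10</struts.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.struts</groupId><artifactId>struts2-rest-plugin</artifactId>
      <version>${struts.version}</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>util</artifactId>
      <version>1.4.0</version></dependency>
  </dependencies>
</project>"""

# Constructed advisory rows: (id, groupId, artifactId, first affected, fixed in).
# The version range is an illustrative placeholder, not the real CVE-2017-9805 range.
ADVISORIES = [("CVE-2017-9805", "org.apache.struts", "struts2-rest-plugin", "2.5.0", "2.5.13")]

def parse_version(v):
    """'2.5.9' -> (2, 5, 9): numeric comparison, so 2.5.9 < 2.5.12 (string comparison says otherwise)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def inventory(pom_xml):
    """Return [(groupId, artifactId, version)] with ${property} references resolved."""
    root = ET.fromstring(pom_xml)
    props = {p.tag[len(NS):]: (p.text or "").strip() for p in root.findall(NS + "properties/*")}
    deps = []
    for dep in root.findall(NS + "dependencies/" + NS + "dependency"):
        raw = dep.findtext(NS + "version", "").strip()
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)
        deps.append((dep.findtext(NS + "groupId", "").strip(),
                     dep.findtext(NS + "artifactId", "").strip(), version))
    return deps

def affected(deps, advisories=ADVISORIES):
    """Return [(advisory id, artifactId, version, fixed in)] where first <= version < fixed."""
    hits = []
    for group, artifact, version in deps:
        for adv_id, g, a, first, fixed in advisories:
            in_range = parse_version(first) <= parse_version(version) < parse_version(fixed)
            if (group, artifact) == (g, a) and in_range:
                hits.append((adv_id, artifact, version, fixed))
    return hits
```

Run `affected(inventory(SAMPLE_POM))` to list the entries that need a fix release; an unresolved property leaves the version as a literal and produces no match, so such entries should be reported separately rather than treated as clean.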
"Once followed, these recommendations help to prevent breaches such as that unfortunately experienced by Equifax," Gielen concluded.