CIO – Arik Hesseldahl – 12/22/17
One recent and particularly egregious example: Apache Struts, an open source framework for creating Java web applications. Many companies use it to build parts of their online storefronts. Among the many companies using it was the credit reporting firm Equifax, and you know how that turned out: attackers exploiting a vulnerability in Struts made off with data on some 150 million consumers.
The example of the Struts vulnerability prompted me to call another expert on this: Chris Wysopal is the CTO and co-founder of Veracode, a unit of CA Technologies that operates a cloud-based service that scans software code for vulnerabilities.
The security industry is only now coming to grips with the scale of the potential for widespread problems, Wysopal says. Long before the Equifax breach made headlines, Veracode estimated in a report that the Struts vulnerability exposed as many as 35 million sites to remote code execution attacks.
“Open source is so popular and pervasive now that vulnerabilities are emerging as a different class of threat,” he says. “When you find a vulnerability in an open source component, you’re likely to find it in all the applications that use that component.”
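Wysopal's point, that one flawed component surfaces in every application built on it, is what a software composition analysis step is meant to make visible. The script below is an added example, not code from the article, from Veracode or from the Struts project: it takes a constructed inventory of applications with their Maven-style dependency coordinates and a constructed advisory record (placeholder version ranges, not a real CVE) and lists which applications ship an affected build of the component.

```python
"""Map one component advisory onto an inventory of applications.

Added example: the advisory ranges, the application names and their
dependency lists are all constructed for illustration.
"""
import re
from typing import Dict, List, Sequence, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '2.5.10.1' into (2, 5, 10, 1).

    Non-numeric qualifiers such as '-SNAPSHOT' or '.RELEASE' are dropped, so
    the comparison is purely on the numeric components.
    """
    core = text.split("-")[0]
    parts = re.findall(r"\d+", core)
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


# Constructed advisory record (placeholder, not a real CVE): the component
# coordinate and the version ranges [low, high) that contain the flaw.
ADVISORY = {
    "coordinate": "org.apache.struts:struts2-core",
    "affected_ranges": [("2.3.0", "2.3.50"), ("2.5.0", "2.5.20")],
}

# Constructed inventory: application name -> resolved dependencies as
# Maven-style coordinates group:artifact:version. In practice this list
# would come from each build's resolved dependency tree (direct and transitive).
INVENTORY: Dict[str, List[str]] = {
    "storefront-web": [
        "org.apache.struts:struts2-core:2.5.12",
        "com.fasterxml.jackson.core:jackson-databind:2.9.0",
    ],
    "dispute-portal": ["org.apache.struts:struts2-core:2.3.20"],
    "reporting-api": ["org.springframework:spring-web:5.0.2.RELEASE"],
    "partner-gateway": ["org.apache.struts:struts2-core:2.5.20"],
}


def is_affected(version: str, ranges: Sequence[Tuple[str, str]]) -> bool:
    """True if `version` falls inside any [low, high) range of the advisory."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


def affected_apps(inventory: Dict[str, List[str]], advisory: dict) -> Dict[str, str]:
    """Return {application: shipped_version} for every app on an affected build.

    This is the fan-out Wysopal describes: one advisory, checked once against
    the inventory, yields every application that inherits the flaw.
    """
    hits: Dict[str, str] = {}
    for app, deps in inventory.items():
        for dep in deps:
            group, artifact, version = dep.split(":")
            if f"{group}:{artifact}" != advisory["coordinate"]:
                continue
            if is_affected(version, advisory["affected_ranges"]):
                hits[app] = version
    return hits


if __name__ == "__main__":
    for app, version in sorted(affected_apps(INVENTORY, ADVISORY).items()):
        print(f"{app}: ships {ADVISORY['coordinate']}:{version} (affected)")
```

Running it flags `dispute-portal` and `storefront-web`; `partner-gateway` sits on the first version outside the constructed range and is not reported. The useful property for a defender is that the inventory is built once per application from its resolved dependency tree, so each new advisory costs one lookup rather than a fresh audit of every codebase.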