The Equifax security breach has been big news lately. Understandably, there was much concern over a breach that involved sensitive information held by a credit bureau, involving millions of consumers.
One article in Quartz noted that the perpetrators of the breach may have exploited a security vulnerability in Apache Struts, an MVC framework for creating Java web applications, with plugins to support REST, AJAX and JSON. The Quartz article mentioned several potential vulnerabilities cited in a William Baird & Co. report, and commented about one of them that “the vulnerability announced on Sept. 4” had existed in Struts for many years.
The Apache Software Foundation responded publicly, pointing out that the problem was a so-called zero-day vulnerability: one that may have existed for some time in a code base but was not previously known to the developers. The ASF commented: “Regarding the assertion that especially CVE-2017-9805 is a nine-year-old security flaw, one has to understand that there is a huge difference between detecting a flaw after nine years and knowing about a flaw for several years. If the latter was the case, the team would have had a hard time to provide a good answer why they did not fix this earlier. But this was actually not the case here — we were notified just recently on how a certain piece of code can be misused, and we fixed this ASAP.”
It may seem, after wide reporting of a few open source vulnerabilities such as Heartbleed, that open source is being publicly linked with security problems with increasing frequency. That might, in turn, seem to imply that open source is not secure. However, given that so much infrastructure software now is open source, and security breaches (or at least detecting them) are increasing in frequency, the reporting of open source security vulnerabilities is probably mostly confirmation bias. It isn’t as big news when a security breach happens due to proprietary software. And all reporting of breaches is to some degree imprecise forensic archeology; it may not always be clear in retrospect which vulnerabilities were actually exploited.
Infosec professionals would probably say that legacy software is always a potential security problem, whether it is open source or not. Tech security is, in part, a process of continual updating to keep ahead of the villains. But this new incident underscores, again, the need to ensure that widely used open source projects have the resources to stay ahead of security concerns.