Here we go again. Another breach: of trust and, more concretely, of a mission-critical application that manages sensitive data. Attorneys general, Congress, the FBI, the Associated Press, the intergalactic cyber task force, and everyone else are now investigating what went wrong at Equifax. Almost certainly, the board of every company that deals with sensitive data held its emergency meeting last week to get a sense of its own security posture and issue an urgent action plan to find and remediate any security gaps that bear a resemblance to this exploit.
Many boards these days have a member who is a cyber expert. Most cyber experts are former CISOs, and most CISOs are former network security specialists. That’s because investment in network and perimeter security has outstripped application security by a factor of 23:1 taken cumulatively from the inception of the cybersecurity profession. Boards and many CISOs don’t understand software design, architecture, or construction. It’s a black box that should be tested, patched and monitored. Managing the composition and construction of software remains a job for developers and vendors.
It’s common pablum these days to say that software powers everything we do. But do the majority of us really understand what that means? Very few in IT organizations have a software risk scorecard, and most board members don’t even know to ask for one. We here at CAST have been tilting at this particular windmill for the better part of 10 years now. Mostly falling on deaf ears. “We just hire good developers to make sure we have good, secure code.” Or, “we hired XYZ vendor because they have a strong SDLC process.” Or, my all-time favorite these days, “we have an automated unit test environment in our DevOps toolchain.” Uh-huh. But, do you know if this application uses Struts? And does it use the Struts framework correctly?
For all you non-techies out there, it’s still important to understand what Struts is. It’s a framework that developers commonly use for web applications so they don’t have to rebuild or rewrite code from scratch every time. It’s one of the approximately 130 frameworks commonly used by developers around the world, and there’s a long tail of hundreds of other framework varietals out there. That doesn’t account for the fact that Struts has about 10 versions in wide use, and most other frameworks have multiple versions as well. So, for example, in the case of Equifax, the vulnerability was CVE-2017-9805, which occurred in Struts 2.3.x and 2.5.x. Yet Struts 1.2 through 1.3.10 do not have that vulnerability.
for security, reliability, performance efficiency, and maintainability, which are based on the well-defined canon of commonly known weaknesses and vulnerabilities (CWEs and CVEs). Something that covers construction and composition. Something that fills that blind spot that almost all boards, business executives, and IT managers have: understanding the level of security risk within the software that powers their company.
Until your organization has a software risk scorecard, it would certainly be smart to do a software portfolio risk audit. Quickly scan your software portfolio, find out your exposure to known vulnerabilities from open source frameworks and your structural risk hot spots, and get cracking to fix the most egregious problems in your most critical systems.
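A minimal form of the portfolio scan just described, as an added example that is not CAST's code or part of the original post: it matches each application's dependency coordinates against an affected-version table for the CVE named above. The application names and coordinates are constructed; the 2.3.x and 2.5.x series come from the post, while the exact version bounds and the fact that the flaw sits in the REST plugin artifact are taken from the Apache Struts S2-052 advisory and are assumptions you should re-check against your own advisory feed.

```python
"""Scan a software portfolio's dependency coordinates for a known-vulnerable framework version."""
import re

# Affected ranges, keyed by CVE. The matched artifact is struts2-rest-plugin because
# CVE-2017-9805 lives in the REST plugin's XStream handling (per the S2-052 advisory).
# Bounds are [lo, hi): hi is the first fixed release. Assumed from the advisory; verify.
AFFECTED = {
    "CVE-2017-9805": [
        ("org.apache.struts", "struts2-rest-plugin", (2, 1, 2), (2, 3, 34)),  # 2.3.x line
        ("org.apache.struts", "struts2-rest-plugin", (2, 5, 0), (2, 5, 13)),  # 2.5.x line
    ],
}


def parse_version(text):
    """'2.3.32' -> (2, 3, 32). Qualifiers such as '-SNAPSHOT' or '.RELEASE' are ignored,
    and missing components are padded with zeros so tuples compare cleanly."""
    nums = [int(p) for p in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def find_exposures(portfolio):
    """portfolio: iterable of (app_name, 'group:artifact:version') pairs.
    Returns a list of (app_name, coordinate, cve) for every match in AFFECTED."""
    hits = []
    for app, coord in portfolio:
        group, artifact, version = coord.split(":")
        v = parse_version(version)
        for cve, ranges in AFFECTED.items():
            for g, a, lo, hi in ranges:
                if group == g and artifact == a and lo <= v < hi:
                    hits.append((app, coord, cve))
    return hits


# Constructed sample portfolio: a Struts 1.x app (not affected), a Struts 2.3.x app that
# ships the REST plugin (affected), and a 2.5.x app already on the fixed release.
SAMPLE_PORTFOLIO = [
    ("credit-dispute-portal", "org.apache.struts:struts2-core:2.3.32"),
    ("credit-dispute-portal", "org.apache.struts:struts2-rest-plugin:2.3.32"),
    ("legacy-intranet", "org.apache.struts:struts:1.3.10"),
    ("consumer-api", "org.apache.struts:struts2-rest-plugin:2.5.13"),
    ("reporting", "org.springframework:spring-webmvc:4.3.10.RELEASE"),
]

if __name__ == "__main__":
    for app, coord, cve in find_exposures(SAMPLE_PORTFOLIO):
        print(f"{app}: {coord} is exposed to {cve}")
```

In practice the portfolio list would be generated from each application's build manifest or software bill of materials rather than typed in, and the AFFECTED table refreshed from a vulnerability feed.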