Vulnerabilities / Threats

6/6/2018
10:30 AM
Kevin E. Greene
Kevin E. Greene
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

'Strutting' Past the Equifax Breach: Lessons Learned

In hindsight, there were two likely causes for last year's massive breach: the decision to use Apache Struts, and a failure to patch in a timely fashion. Both are still a recipe for disaster.

The industry is still feeling the lingering effects of the Equifax breach, and, according to Sonatype, some things still haven't changed. I recently came across a Fortune article that takes a retrospective look at the Equifax breach and examines Sonatype research data on the vulnerable Apache Struts component that caused the breach. The research data used to analyze the usage and consumption of the vulnerable Apache Struts component suggest that people in organizations are still downloading it and could possibly be using the vulnerable component in production systems.

For an example, the article points out that as many as 10,801 organizations — including 57% of the Fortune Global 100 — have downloaded "known-to-be" vulnerable versions of Apache Struts. It further points out that as many as 3,049 organizations have downloaded the exact same vulnerabilities that hackers exploited to break into Equifax — that is, the same holes contained in Struts version 2.2.3 to 2.2.3.1 and 2.5 to 2.5.10 (CVE-2017-5638).

Over the last year or so, my views about vulnerable components have changed, and they've been strongly influenced by the growing reliance and consumption of open source software (OSS) in modern software development. The Apache Struts consumption rate cited in the Fortune article is part of a growing realization to me that developers may have taken the position (or have surrendered to the idea) that all software is vulnerable (or at least the most popular and frequently used OSS components) and have "known" vulnerabilities. I refuse to believe that developers are that careless, reckless, and have zero regard for the potential risks in using insecure software. When time is of the essence, people tend to sacrifice optimal for suboptimal, especially when choices and selections are slim. Organizations are in a dash to beat their competitors to market with new features and functionality for competitive advantage, which often means they take shortcuts to get there.

As a dad with two boys that play sports that involve travel, we are always on the road going from one game or tournament to another, and we tend to eat more fast food during the travel seasons. At times, I feel like I'm sacrificing good eating habits because my choices are slim, and often we are pressed for time. There are other options like packing my own lunch … or for developers, building your own software components. Jim Routh, chief security officer at Aetna indicated on my podcast that based on Build Security-In Maturity Model (BSIMM) research data, the mentality of many companies on the West Coast is to build their own software (they are the supply chain) rather than buy it. I'm sure there is some OSS consumption, but the point is that there is less reliance on third party suppliers, which may ultimately help reduce risks and improve software security.

Mission Impossible: Vulnerability-Free Software
Let's assume that developers don't subscribe to my theory. In that case, I still don't believe that software can be "free" from vulnerabilities. Today's software is too complex, organizations are taking far too many shortcuts to get to market faster, there is a lack of core fundamentals of software engineering being taught in academia, tools that are designed to find weaknesses and vulnerabilities in software don't perform well, developers don't understand the consequences of their coding practices and refactoring activities on software design ... the list goes on and on. All these things become detrimental to the hygiene of software. However, that doesn't mean we should give up ... or not exercise proper due care and due diligence when scouring the software supply chain looking for software components to consume for software development projects. It simply means that we need to adjust our expectations and approaches to software supply chain risks and modern software development, especially as the adoption of DevOps increases. 

So, what does all that have to do with the Equifax breach? The Equifax breach, in my opinion, dispels the notion that "speed" is the new security. The notion behind speed with respect to security is based on the concept that the environment is constantly changing, and that change can be effective in disrupting potential adversarial activity. Ideally, that's a great posture to be in for better cyber resiliency, but I don't think we are there yet or even have figured out how to incorporate that level of resiliency into continuous integration and delivery of software. A recent study from the DevOps Report concludes that only 27% of organizations surveyed have adopted DevOps practices.

People resist change. Consequently, people become the Achilles' heel in the software engineering process. Patching, for example, is one of those hygiene activities that is essential to preventing security breaches. Still, many organizations struggle to patch timely and consistently even in a DevOps environment for fear of the "unknown." Part of the unknown and resistance to change is rooted in the accumulation of technical debt that can grow to the point it become very expensive to pay it down. At some point, owing too much technical debt will impede an organization from doing essential things (like patching). But also, things like vulnerability coordination and disclosure across different suppliers and with key stakeholders can be challenging and time consuming. As a result, the window of exposure widens, and a breach is likely to happen.

All software has known and unknown attack surface areas (minus the zero day vulnerabilities) that are exploitable. The "known" attack surface areas are typically associated with things you can find in the National Vulnerability Database (NVD), and the "unknown" attack surface areas are typically associated with software weaknesses (also known as Common Weakness Enumerations — CWE) that could expose vulnerabilities in software. I tend to think of it as attack proneness and defect proneness. In modern software development, vulnerable software has a lot to do with what Brian Knapp, a software developer calls "software gravity. " He defines software gravity as the force that pulls features, complexity, and resources toward a software system over time.

The Equifax breach reminds me of the importance of making good design decisions, especially as it relates to component hygiene. Poor design decisions increase complexity and make it difficult to patch, and also introduce considerable amounts of technical debt. As indicated in the referenced Fortune article, third-party software like Apache Struts can be challenging to maintain and patch for several reasons: Struts libraries are bundled with disparate Web applications; fixing the issues requires, among other things, knowing which applications use the components (vulnerability prevalence); updating so-called build scripts so they fetch the latest versions of the software; and rebuilding the application and running quality assurance tests to make sure the mended application work as intended.

I would argue that the decision to use Apache Struts had just as much to do with the breach as failing to patch in a timely fashion. But both of these forces together are a recipe for disaster.

Author's Note: My affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions or viewpoints expressed in this column.

Related Content:

Kevin Greene is a thought leader in the area of software security assurance. He currently serves on the advisory board for New Jersey Institute of Technology (NJIT) Cybersecurity Research Center, and Bowie State University's Computer Science department. Kevin has been very ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Google Engineering Lead on Lessons Learned From Chrome's HTTPS Push
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
White Hat to Black Hat: What Motivates the Switch to Cybercrime
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
PGA of America Struck By Ransomware
Dark Reading Staff 8/9/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-3937
PUBLISHED: 2018-08-14
An exploitable command injection vulnerability exists in the measurementBitrateExec functionality of Sony IPELA E Series Network Camera G5 firmware 1.87.00. A specially crafted GET request can cause arbitrary commands to be executed. An attacker can send an HTTP request to trigger this vulnerability...
CVE-2018-3938
PUBLISHED: 2018-08-14
An exploitable stack-based buffer overflow vulnerability exists in the 802dot1xclientcert.cgi functionality of Sony IPELA E Series Camera G5 firmware 1.87.00. A specially crafted POST can cause a stack-based buffer overflow, resulting in remote code execution. An attacker can send a malicious POST r...
CVE-2018-12537
PUBLISHED: 2018-08-14
In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response.
CVE-2018-12539
PUBLISHED: 2018-08-14
In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code. Attach API is enabled by default on Windows,...
CVE-2018-3615
PUBLISHED: 2018-08-14
Systems with microprocessors utilizing speculative execution and Intel software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis.