One Point the Equifax Breach Drives Home - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
DevOps
News
9/18/2017
08:00 AM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

One Point the Equifax Breach Drives Home

Equifax blamed its recent high-profile breach on the Apache Struts Web Framework. As software delivery cycles shrink, developers have to rely on more third-party components, libraries and frameworks. When they do, what are their liabilities and responsibilities?

Today's developers use more third-party and open-source components, libraries and frameworks than ever to deliver and update products in ever-shrinking delivery cycles. In the race to get to market, it's easy to overlook or ignore details that can lead to a security breach.

For example, Equifax blamed its recent security breach on an Apache Struts vulnerability (CVE-2017-9805) and later admitted it failed to install a patch. That patch had been available for six months, according to The Apache Foundation.

"The Equifax hack is so interesting, mostly because their response to the hack has been so poor. Blaming a hack on any sort of software issue – open source or proprietary – is simply part of their inadequate response. It’s a 'the dog ate my paper' excuse," said James Stanger, chief technology evangelist at CompTIA. "That’s not much of an explanation, especially considering that Equifax disclosed this problem on September 7 after knowing about it since July 29. "

What if the software you built was compromised and you discovered that the root cause was a third-party building block you used? You didn't build that piece of software, after all, so perhaps that party should be liable for any damages that piece of software caused.

James Stanger, CompTIA
James Stanger, CompTIA

Practically speaking, good luck with that argument.

Little or No Third-Party Liability

If you're using third-party building blocks in your software, which you likely are, the buck stops with you. Sure, someone else's code may have caused a catastrophic failure, but did you read the fine print in the license agreement?  Third-party developers have several ways of dealing with the matter contractually.

"There may be disclaimers, especially in the open source community, that say, 'This component is [provided] as-is' and you as the licensee are responsible for its testing and usage in another system," said Roy Hadley, Jr., co-chair of the Privacy & Cybersecurity team at law firm Thompson Hine "If you choose to use it in a nuclear facility or the space shuttle, that's on you." 

Roy Hadley,Thompson Hine
Roy Hadley,Thompson Hine

Those who use third-party software in their products are ultimately responsible because the provider can't foresee how its software will be used or configured by others. So, the licensor protects itself using an "as-is" clause or a limitation of liability. Alternatively, the licensor may require indemnity from the licensee, which means if you use third-party software, something goes wrong and the provider of the component you use gets sued, you're liable.

What Software Developers Should Do

Test, test, test. Ideally, developers should take the time to understand every piece of third-party software they're using to make sure it does what it's supposed to do and that it's been tested for security vulnerabilities. They should also have a mechanism to ensure that the associated updates and patches are up-to-date.

Jason Wacha, WS Law Offices
Jason Wacha, WS Law Offices

"I think you have an absolute responsibility to make sure that third-party components work, work together and work the way they're supposed to," said Jason Wacha, an attorney and founder of  WS Law Offices which specializes in software licensing. "One of the things about the open source community is you hear [about a software vulnerability], they announce it and everybody jumps on it and tries to fix it. Certainly this was true for the Struts project. One of the things about proprietary software is if someone discovers a vulnerability, it's not going to get out there and people aren't going to talk about it."

The obvious constraint is time. There just isn't enough time to test everything.

"The issues we keep confronting or not confronting in the IT industry are ignoring or omitting key steps of the Software Development Lifecycle (SDLC) and then mismanaging how that resulting software is deployed," said CompTIA's Stanger. "One of the primary reasons why software issues get missed by the good guys and exploited by the bad guys is because companies, individuals and groups that develop software tend to rush software to market."

There are also challenges with the way software is configured and deployed.

"Many IT pros and even security pros still tend to think, 'If I obtain the code from a secure source and run the hash tag, I’ll be fine. I’ll just update the code as necessary.' Plus, relatively few companies actually test the software properly in a production environment by “throwing rocks” at the code and doing proper threat hunting," said CompTIA's Stanger. "Fewer still are able to update software adequately, because updates often break custom code. Imagine how security issues can propagate when you combine installed and cloud solutions."

While developers should verify that the third-party software they use has been adequately tested by whomever built it, they need to retest it in the context of their own product.

Rob Rosenzweig, Risk Strategies Co.
Rob Rosenzweig, Risk Strategies Co.

“The reality of the current world we live in is that any business must undertake extreme caution and implement a thorough due diligence process when vetting any vendor that impacts their supply chain or is processing or storing any information on its behalf," said Rob Rosenzweig, vice president and national cyber practice leader for insurance brokerage Risk Strategies Company. "While there is significant upside to the utilization of outsourced vendors in managing expense, obtaining a higher level of security and realizing operational efficiencies; the flipside is that organizations lose control and still retain all of the risk."

Lesson Learned

The Equifax breach underscores the need for vigilance because hackers are constantly experimenting to find and exploit vulnerabilities, particularly when sensitive information is involved. When a vulnerability is found, it needs to be addressed in a timely fashion, unlike the Equifax breach. Due to the confluence of events, the Federal Trade Commission (FTC) is now investigating Equifax.

As is evident, the failure to implement one patch can have devastating consequences.

Lisa Morgan is a freelance writer who covers big data and BI for InformationWeek. She has contributed articles, reports, and other types of content to various publications and sites ranging from SD Times to the Economist Intelligent Unit. Frequent areas of coverage include ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Slideshows
How to Land a Job in Cloud Computing
Cynthia Harvey, Freelance Journalist, InformationWeek,  6/19/2019
Commentary
How to Convince Wary Customers to Share Personal Information
John Edwards, Technology Journalist & Author,  6/17/2019
Commentary
The Art and Science of Robot Wrangling in the AI Era
Guest Commentary, Guest Commentary,  6/11/2019
White Papers
Register for InformationWeek Newsletters
2019 State of DevOps
2019 State of DevOps
DevOps is needed in today's business environment, where improved application security is essential and users demand more applications, services, and features fast. We sought to see where DevOps adoption and deployment stand, this report summarizes our survey findings. Find out what the survey revealed today.
Video
Current Issue
A New World of IT Management in 2019
This IT Trend Report highlights how several years of developments in technology and business strategies have led to a subsequent wave of changes in the role of an IT organization, how CIOs and other IT leaders approach management, in addition to the jobs of many IT professionals up and down the org chart.
Slideshows
Flash Poll