DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports Events Over 2 million developers have joined DZone. Join Today! Thanks for visiting DZone today,
Edit Profile Manage Email Subscriptions Moderation Admin Console How to Post to DZone Article Submission Guidelines
View Profile
Sign Out
Refcards
Trend Reports
Events
Zones
Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
  1. DZone
  2. Popular
  3. Open Source
  4. 8 More Struts Breaches

8 More Struts Breaches

Shockingly (or perhaps not-so-shockingly), organizations are still downloading vulnerable open source components. Let's see where they're going wrong with Struts.

Derek Weeks user avatar by
Derek Weeks
·
May. 14, 18 · News
Like (2)
Save
Tweet
Share
4.03K Views

Join the DZone community and get the full member experience.

Join For Free

Just recently, Robert Hackett at Fortune published an eye-opening report on the number of organizations who continue to download known vulnerable open source components. His focus for the article was specifically on the Struts web application framework. Why?

We've Seen This Before

When using vulnerable versions of the framework, organizations are breached. Everyone knows the Equifax story, but for folks like me who have been paying closer attention, the story also includes the Canadian Revenue Agency, Okinawa Power, the Japanese Post, the India Post, AADHAAR, Apple, University of Delaware, and the GMO Payment Gateway.

In our 2018 DevSecOps Community Survey of 2,076 IT professionals, 30% of respondents claimed that they had or suspected a breach due to the use of vulnerable open source components. This figure was up 55% since we asked the same question last year. In many ways, this figure is not surprising.

Use Protection

The same survey revealed how many organizations were governing their use of open source components. For organizations without DevOps practices, 58% had an open source policy in place — meaning 42% had no policy. Furthermore, at 46% of the organizations with a policy, developers ignored the rules. This means, only 1 in 4 organizations had a policy that was followed.

Image title

Tracking Matters

Shortly after the story broke at Fortune, @misfir3 asked me how organizations would know what open source components they were downloading and more importantly deploying into production. He specifically wanted to know about the known vulnerable components.

The monthly vulnerable download statistics tied to Struts are daunting. The sheer volume of consumption ranges between 80,000 - 100,000 downloads across thousands of organizations. As you can see from the chart below, downloads of vulnerable versions are -- for the most part -- indiscriminate.

Image title

Understanding which components you are using is relatively easy to determine when creating a software bill of materials. An SBOM is simply a manifest that lists all of the components in a build artifact or deployed application. Any organization creating an SBOM can then use it to assess known vulnerabilities in the components; assessments can be manual, but to scale the processes I would highly recommend an automated approach. Manual reviews of open source components in a single application could take 400 hours, but automated reviews can be completed in as few as 10 seconds.

Image title

Our 2018 DevSecOps Community survey revealed that only 38% of organizations produce a complete software bill of materials. This is disheartening. When thousands of new open source vulnerabilities were announced last year alone, how could a firm determine their impact if no track and trace mechanisms were in place? If you can't track it, you can't fix it.

For those of you interested in reading Robert Hackett's article, you can find it in Fortune here.

All Day DevOps 2018

All Day DevOps 2018 is just around the corner! Registration is available here.

The free, online conference goes live on October 17th, offering 100 different practitioner-led sessions, each one 30-minutes long. With 5 separate tracks: CI/CD, Cloud-Native Infrastructure, DevSecOps, Cultural Transformations, & Site Reliability Engineering, and 100 speakers, there's sure to be something for everyone.

And speaking of everyone, if you're part of an organization with 20+ people that want to attend the conference (again, it's free!) then you should consider joining the Club 20 program so that you might get your company logo added to the ADDO site. Check out some of the Club 20 participants here and consider joining them.

Hope to see you online at the show!

Open source

Published at DZone with permission of Derek Weeks, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Popular on DZone

  • Unleashing the Power of JavaScript Modules: A Beginner’s Guide
  • Using QuestDB to Collect Infrastructure Metrics
  • Public Cloud-to-Cloud Repatriation Trend
  • Spring Boot Docker Best Practices

Comments

Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 600 Park Offices Drive
  • Suite 300
  • Durham, NC 27709
  • support@dzone.com
  • +1 (919) 678-0300

Let's be friends: