After a vulnerability in Apache Struts led to serious breaches at Equifax and laid the credit reporting agency low last fall, organizations should have scrambled to bolster security but Sonatype research shows that 57 percent of the Global Fortune 100 has yet to address the flaw in the popular open source software.
While Sonatype, a company that keeps tabs on the code developers use, did not name the Global Fortune 100 companies that were remiss, Fortune reported the list included seven tech firms, eight carmakers and 15 companies in financial services or insurance.
Equifax twice missed finding the Apache Struts vulnerability that exposed data on 147.9 million U.S. consumers and cost the company its top management as well as an estimated $242 million to date. In the aftermath, the FBI put out a flash alert warning people to patch the software.
But the Sonatype data shows that many companies didn't heed that warning - 8,780 have downloaded vulnerable Apache Struts software in the wake of the Equifax breach.
"Seven months should be enough time for organizations to install the necessary patches and it's unfortunate that so many still choose to download the older vulnerable versions. There is really no excuse for this,” said Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, who noted that CVE-2017-5683”was fixed in the Apache Struts versions 2.5.13 in September 2017,” the same month that the Equifax breach came to light.
"In 2016, known vulnerabilities were the leading cause of data breaches, accounting for 44 percent of all such incidents,” he said. “I highly recommend that organizations apply critical security patches within one week of their release in order to reduce the known threat attack surface. Otherwise, it's the same as buying expensive locks for the doors to your home but keeping the windows wide open."
Dan Rheault, senior product marketing manager at Tufin, said that “the intentional introduction of vulnerable software indicates that organizations will favor ensured continuity in application and network connectivity over security.”
That “willing introduction” of flaws “must be coupled with proactive security best practices” so that “access to known vulnerable applications is minimized, unused access is eliminated.”