Equifax Reminds Us: Open Source Audits are Only a First Step

My blog, A Case for Continuous Open Source Management, lays out a number of reasons why an audit by itself isn’t enough. The Equifax disaster underscores the importance of post-audit vigilance, particularly with respect to security vulnerabilities.

Much has been written about the recent breach. Here’s a good overview. In a nutshell, and germane to this discussion, the exploited vulnerability was in a popular open source component, Apache Struts, and was publicly disclosed in March, prior to the Equifax attacks. A patch was made available along with the disclosure; Equifax just didn’t apply it.

Identifying and Managing Open Source

One can only speculate as to why, but it is the case that most companies can’t effectively identify, let alone manage, the open source components in their codebase. This is why companies perform audits, the purpose being to identify all of the open source in a code base and to highlight current risks. Given that most companies don’t do this very well on their own, such audits have become an important tool in M&A transactions, giving the parties an understanding of potential problems that can be addressed pre-close.

A Snapshot in Time

But an audit is a snapshot in time, and security vulnerabilities are dynamic in nature. They may lie latent in code for years before being discovered (often by good actors, sometimes by bad). That’s why just knowing the composition of a codebase isn’t enough. Let’s say a Private Equity firm had acquired Equifax in December and performed an audit as part of the acquisition. They would have learned that Struts 2 was being used (probably among a hundred or more other open source components) but would not have been aware of CVE-2017-5638, the exploited vulnerability, which was not discovered and publicly disclosed until March.

The audit is an important first step, but after identifying the components of a code base, those responsible for that codebase need to monitor for newly identified security vulnerabilities. Unlike with commercial code, no one is pushing patches at users. Someone needs to be paying attention. The fictional Equifax acquirer would have done well to put a monitoring process in place soon after close.

Daily Vulnerability Disclosures

Every day about ten new open source vulnerabilities are disclosed. The average code base contains about 150 open source components. So staying on top of them manually is non-trivial. Tools like the Black Duck Hub automate monitoring and track remediation. At minimum, a company needs a process to flag relevant new vulnerabilities.
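To make the monitoring step concrete (both the post-audit monitoring described above and the minimal "process to flag relevant new vulnerabilities"), here is an added example, not code from the original post or from Black Duck. It treats the audit result as a component inventory and checks each day's disclosures against it, so only advisories that actually hit a component and version in the code base are flagged. The inventory, the `Advisory` shape and the version ranges are constructed sample data; only the CVE id comes from the post.

```python
from dataclasses import dataclass

def parse_version(text: str) -> tuple:
    """Turn '2.3.31' into (2, 3, 31) so versions compare numerically."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def in_range(version: str, low: str, high: str) -> bool:
    """True if low <= version <= high (inclusive, as advisories usually state)."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)

@dataclass
class Advisory:
    cve: str
    component: str          # same coordinates the audit inventory uses
    affected: list          # [(low, high), ...] inclusive version ranges
    fixed_in: str

# Constructed audit snapshot: component -> version found in the code base.
INVENTORY = {
    "org.apache.struts:struts2-core": "2.3.30",
    "commons-collections:commons-collections": "3.2.2",
}

# Constructed sample of one day's disclosures. The first CVE id is the one the
# post discusses; its version ranges here are illustrative, not authoritative.
NEW_ADVISORIES = [
    Advisory("CVE-2017-5638", "org.apache.struts:struts2-core",
             [("2.3.5", "2.3.31"), ("2.5", "2.5.10")], "2.3.32 / 2.5.10.1"),
    Advisory("SAMPLE-ADV-1", "commons-collections:commons-collections",
             [("3.0", "3.2.1")], "3.2.2"),          # inventory already on fixed version
    Advisory("SAMPLE-ADV-2", "org.example:not-in-codebase",
             [("1.0", "9.9")], "10.0"),             # component not used at all
]

def flag_relevant(inventory: dict, advisories: list) -> list:
    """Return (cve, component, version, fixed_in) for advisories that hit the inventory."""
    hits = []
    for adv in advisories:
        version = inventory.get(adv.component)
        if version is None:
            continue        # not in the code base: noise, not a finding
        if any(in_range(version, lo, hi) for lo, hi in adv.affected):
            hits.append((adv.cve, adv.component, version, adv.fixed_in))
    return hits
```

Run daily against the real disclosure feed, this is the loop an audit alone never closes: the two sample advisories that do not apply are dropped, and only the Struts finding with its fixed version surfaces for remediation.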

Open source audits should be part of due diligence whenever software assets represent a significant part of the value of an acquired company. But Equifax reminds us that companies must remain vigilant post-close as well.
