Should You Replace Apache Struts? Maybe. Or, Maybe Not.

It’s one hell of a year for Apache Struts. With the latest round of security disclosures landing alongside the Equifax data breach, it's reasonable for Struts users to start asking whether they should migrate to another framework. After all, there have been five possible remote code execution disclosures this year, and that’s quite a lot.

The easy answer to the question is “it depends.” Sorry folks, but I couldn’t resist going back to my consulting days with that one, but it’s true. What I want to do with this blog post is highlight some of the factors that should be part of your analysis, and they’re all points in Struts’ favor.

  1. Apache Struts is a mainstream web framework. From a security perspective this is a double-edged sword. On the consumption side of the equation, it means you’re not alone. The Apache community is strong and vibrant, and you can openly seek solutions that help you run a more secure application. Translation? You’ve got access to lots of brain power to help you resolve problems. If your day job includes contributing to Struts (and if you’re using it you should be contributing in some fashion), then this breadth of usage means a lot of people want you to “fix things.” Translation? Focus on being responsive and keep them happy.
  2. Apache Struts, like most Apache Software Foundation projects, has a responsive security team. If you’re betting the success of your business (or your employer’s business) on an open source project, this is a critical item to consider. Projects with a security response process will have CVE disclosures and will operate under a responsible disclosure policy. Projects without a well-defined security response process are far more likely to have no CVEs reported at all. This isn’t because their code is defect free, but because the CVE process expects to work with a security team. At a minimum, if there is no security response process, you’re going to need to be actively engaged with the project community in order to learn of security issues.
  3. Apache Struts is under active development and currently maintains multiple versions in parallel. The health of the developer community should always be a key consideration when adopting a project. For frameworks like Struts this is doubly important, since an individual developer is unlikely to have expertise across the breadth of the framework. When you add in the demands of security updates, an active development community also translates into a community that is responsive to security issues.

While Struts is currently under increased scrutiny due to the visibility of the Equifax breach and recent vulnerability announcements, project stats for Apache Struts, publicly available on Black Duck Open Hub, show that new versions have had relatively few vulnerabilities reported against them.

Project Stats for Apache Struts

The Black Duck KnowledgeBase™ tracks open source project activity occurring on over 10,000 sites for projects of widely varying size, maturity and sophistication. Apache maintains a strong and active community, and their development and testing practices are as good as or better than those of many commercial software development teams. In both open source and commercial code, flaws, including security vulnerabilities, can and do make their way into the code base and may only be discovered years later. Consider this post from René Gielen on the role of Struts in the Equifax data breach. In it he not only provides some clear recommendations for proper application hygiene, but also directly addresses a question I hear quite regularly: “if the vuln is so old, why is it only being fixed now?” In the post, René states:

“One has to understand that there is a huge difference between detecting a flaw after nine years and knowing about a flaw for several years.... What we saw here is common software engineering business -- people write code for achieving a desired function, but may not be aware of undesired side-effects.”

So, in the face of multiple potential remote code execution disclosures in a single week, how do you keep pace?

The short answer is that you need both a clear view of which applications are using Struts (and which version each one ships) and a way to proactively monitor for new security disclosures against those versions. If that system can also point you to public exploit code you can use to validate that your defenses are working properly, so much the better.
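The first half of that answer, knowing which deployed applications actually carry Struts and at what version, is something you can check directly rather than trust to a spreadsheet. The script below is an added example, not code from the original post or from the Struts project: it walks a deployment directory, opens every WAR, finds any `struts2-core-*.jar` in it, reads the version Maven stamped into the jar’s `pom.properties` (falling back to the file name when that is missing), and flags versions older than a policy floor. The sample WARs it scans are constructed in a temp directory so the script runs offline, and the floor `2.5.13` is an assumed example value, not a vendor-stated fixed version; take the real floor from the project’s security bulletins for the disclosure you are tracking.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Assumed policy floor (an example value, not a vendor-stated fixed version):
# anything older than this is flagged for follow-up.
POLICY_FLOOR = "2.5.13"

JAR_NAME_RE = re.compile(r"struts2-core-([0-9][0-9A-Za-z.\-]*)\.jar$")
POM_PROPS = "META-INF/maven/org.apache.struts/struts2-core/pom.properties"


def parse_version(version):
    """Turn '2.5.10.1' into (2, 5, 10, 1); stop at the first non-numeric
    qualifier (e.g. '-SNAPSHOT') so tuples compare as expected."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def version_from_jar(jar_bytes):
    """Prefer the version Maven wrote into the jar over the file name,
    since jars get renamed; return None when pom.properties is absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPS not in jar.namelist():
            return None
        for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def scan_war(war_path):
    """Return [(entry name, version)] for every struts2-core jar in a WAR."""
    findings = []
    with zipfile.ZipFile(war_path) as war:
        for entry in war.namelist():
            match = JAR_NAME_RE.search(entry)
            if not match:
                continue
            version = version_from_jar(war.read(entry)) or match.group(1)
            findings.append((entry, version))
    return findings


def inventory(root, floor=POLICY_FLOOR):
    """Map each WAR under root that ships Struts 2 to its findings, each
    marked below_floor when older than the policy floor."""
    report = {}
    for war in sorted(Path(root).rglob("*.war")):
        findings = [
            {"jar": entry, "version": ver,
             "below_floor": parse_version(ver) < parse_version(floor)}
            for entry, ver in scan_war(war)
        ]
        if findings:
            report[war.name] = findings
    return report


def _jar(version, with_pom=True):
    """Constructed stand-in for a struts2-core jar (metadata only, no classes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if with_pom:
            jar.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.struts\n")
    return buf.getvalue()


def build_sample_wars(root):
    """Constructed sample deployment directory: three WARs, two with Struts."""
    samples = {
        "app-a.war": ("WEB-INF/lib/struts2-core-2.3.20.jar", _jar("2.3.20")),
        # jar without pom.properties: version falls back to the file name
        "app-b.war": ("WEB-INF/lib/struts2-core-2.5.13.jar", _jar("2.5.13", with_pom=False)),
        "app-c.war": ("WEB-INF/lib/commons-lang3-3.6.jar", _jar("3.6", with_pom=False)),
    }
    for war_name, (entry, jar_bytes) in samples.items():
        with zipfile.ZipFile(Path(root) / war_name, "w") as war:
            war.writestr(entry, jar_bytes)


def demo():
    """Build the constructed WARs in a temp dir and inventory them."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_wars(root)
        return inventory(root)


if __name__ == "__main__":
    for war_name, findings in demo().items():
        for f in findings:
            flag = "BELOW FLOOR" if f["below_floor"] else "ok"
            print(f"{war_name}: {f['jar']} version {f['version']} [{flag}]")
```

Two caveats a practitioner will hit immediately: this only sees jars packaged inside WARs, so exploded deployments, shaded/uber jars and application servers that put Struts on a shared classpath need their own check, and a version floor is only as good as the bulletin it came from, which is why the monitoring half of the answer matters as much as the inventory half.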

In the end, only you can decide whether you are comfortable using Apache Struts, but it’s important to remember that all software, be it open source or proprietary, will have security issues. If you depend on any third-party components or software, you need to be proactively monitoring for new security issues regardless of where they’re reported. Black Duck Hub can help with that, and together we can minimize the work required to build and maintain secure applications and containers.
