Ask not if our product uses Apache Struts, but...

When it was revealed that the massive Equifax breach in 2017 was attributed to their failure to patch a component in their system known as ‘Apache Struts’, everyone was reaching out to their development teams and asking: “Do we use Apache Struts? Is it patched?”

And I found it interesting. In my opinion, the wrong question was being asked.

What they should be asking us (and what we should be doing) is:

  • Do we know what libraries our application is using?
  • Do we have a process for checking if security vulnerabilities have been disclosed in the libraries we use?
  • Are all the libraries we are using currently supported?
  • Are we using current, patched versions?
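The four questions can be turned into an automated check over a dependency inventory. The following is an added example, not code from the original post: the package names, versions, advisory ids and upstream metadata are all constructed, and it assumes plain dotted numeric version strings.

```python
# Added example; every package name, version and advisory id here is constructed.

def parse_version(text):
    """'2.3.10' -> (2, 3, 10), so 2.3.9 sorts before 2.3.10 (strings would not)."""
    return tuple(int(part) for part in text.split("."))

# Question 1: the inventory of what the application actually ships.
INVENTORY = {"webframework": "2.3.31", "jsonlib": "1.9.0",
             "streamutil": "3.3.6", "oldxml": "0.4.2"}

# Disclosed vulnerabilities: package -> [(advisory id, first fixed version)].
ADVISORIES = {"webframework": [("EXAMPLE-ADV-0001", "2.3.32")],
              "jsonlib": [("EXAMPLE-ADV-0002", "1.8.5")]}

# What we know about upstream: latest release and whether it is still maintained.
UPSTREAM = {"webframework": {"latest": "2.5.10", "supported": True},
            "jsonlib": {"latest": "1.9.0", "supported": True},
            "oldxml": {"latest": "0.4.2", "supported": False}}

def audit(inventory, advisories, upstream):
    """Return {package: [finding, ...]} for every package with at least one finding."""
    report = {}
    for name, installed in sorted(inventory.items()):
        findings = []
        have = parse_version(installed)
        # Question 2: has a vulnerability been disclosed that affects our version?
        for advisory_id, fixed_in in advisories.get(name, []):
            if have < parse_version(fixed_in):
                findings.append(f"vulnerable: {advisory_id} (fixed in {fixed_in})")
        meta = upstream.get(name)
        if meta is None:
            # A shipped library with no upstream record is not being tracked at all.
            findings.append("untracked: no upstream metadata")
        else:
            # Question 3: is the library still supported?
            if not meta["supported"]:
                findings.append("unsupported: upstream no longer maintains it")
            # Question 4: are we on the current release?
            if have < parse_version(meta["latest"]):
                findings.append(f"outdated: {installed} < {meta['latest']}")
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    for package, findings in audit(INVENTORY, ADVISORIES, UPSTREAM).items():
        for finding in findings:
            print(f"{package}: {finding}")
```

In practice the inventory would come from the build's lockfile or dependency report and the advisory data from a vulnerability feed, so the check can run on every build rather than only after a headline breach.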

There has been an interesting news story recently about how a specific company was the target of a cyber-attack through a library it used. A malicious actor planted a back door in a library it was known to use. Some good assessments of the incident have been posted on Ars Technica and Linux Weekly News:
https://arstechnica.com/information-technology/2018/11/hacker-backdoors-widely-used-open-source-software-to-steal-bitcoin/
https://lwn.net/Articles/773121/

Most development teams don’t have the capacity to audit the source code of all the libraries they use. Further, it would seem that in this instance, the malicious code would have passed a cursory review. At this point, our best defense is to be aware of this possibility when assessing a library, and to ensure that it has an active community and is well supported before incorporating it. Once a library has been incorporated, we should track its development for updates.