The frequency and scale of cyber breaches keep climbing and continue to startle everyone. In the Equifax breach, attackers made off with highly sensitive personal information, including social security and credit card numbers, of about 143 million people.
One notable detail has since surfaced: Equifax knew about the breach well before it went public with the news. The vulnerability was known to exist since March 2017; the breach occurred from mid-May through July 2017. The flaw was in Apache Struts, a framework Equifax used to build an online dispute portal, and it allowed attackers to take control of the website. By the end of July, the company confirmed that the breach had occurred and engaged a cyber security firm to conduct a comprehensive forensic review of the situation.
Open source code today can be found in about 90% of software applications, firmware and services. It is excellent for building cutting-edge technology, but it is also a major challenge, because this code carries plenty of vulnerabilities. The positive side is that the open source community is quick to publish patches for any known vulnerability, but plenty of other factors can still cause damage.
Tracking vulnerabilities is usually difficult, but it can be done. The devil lies in the detail, and using the right tools can solve the problem.
Source code analyzers are not effective!
Static and dynamic code analyzers are the two types of source code analyzers, and there are plenty of good ones on the market. They add value at different points in the development process. Static code analyzers are effective at finding common problems such as buffer overflows and SQL injection flaws, but these are only a fraction of all security flaws.
Dynamic code analyzers actually execute the code in real or simulated environments, looking for unintended outcomes across numerous input permutations. Unfortunately, they don't come cheap: setup and execution costs are high, and integrating them into an automated testing process brings further challenges.
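As an added illustration of the point above (example code written for this page, not a tool from the page or any real analyzer), here is a deliberately small static check in Python over a few constructed Java lines. It flags SQL built by concatenation or String.format from request input, accepts a parameterised query, and, because it only inspects one line at a time, misses a query assembled in another method. That blind spot is the kind of gap the text means when it says pattern-based findings are only a fraction of the flaws that exist. The sample lines, rule names and helper names are all constructed.

```python
import re
from typing import Dict, List

# Constructed sample: a few Java lines as a static analyzer would see them
# (not code from the page or from any real project). Line 2 concatenates request
# input into SQL, line 3 formats it in, line 5 binds it as a parameter, and
# lines 7-8 assemble the query in another method, which this checker cannot see.
SAMPLE_JAVA = """\
String user = request.getParameter("user");
ResultSet rs = stmt.executeQuery("SELECT * FROM accounts WHERE name = '" + user + "'");
String q = String.format("DELETE FROM sessions WHERE id = %s", request.getParameter("sid"));
stmt.execute(q);
PreparedStatement ps = conn.prepareStatement("SELECT * FROM accounts WHERE name = ?");
ps.setString(1, user);
String built = buildQuery(user);
stmt.executeQuery(built);
"""

# A SQL statement starting inside a string literal.
SQL_LITERAL = re.compile(r'"\s*(SELECT|INSERT|UPDATE|DELETE)\b', re.IGNORECASE)
# A string literal joined to an identifier with '+'.
CONCAT = re.compile(r'"\s*\+\s*\w+|\w+\s*\+\s*"')
FORMAT_CALL = re.compile(r'String\.format\s*\(')
# Attacker-controlled source, used inline or assigned to a local String.
TAINT_SOURCE = re.compile(r'request\.getParameter\s*\(')
TAINT_ASSIGN = re.compile(r'\bString\s+(\w+)\s*=\s*request\.getParameter\s*\(')
WORD = re.compile(r'\b\w+\b')


def scan_java(source: str) -> List[Dict]:
    """Flag lines where a SQL string literal is built from dynamic data by
    concatenation or String.format. Prepared statements with '?' placeholders
    are accepted. Taint tracking is single-file and single-pass: a variable
    assigned from request.getParameter earlier in the file counts as
    attacker-controlled. Queries built in another method are not seen."""
    tainted_names = set()
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = TAINT_ASSIGN.search(line)
        if m:
            tainted_names.add(m.group(1))
        if not SQL_LITERAL.search(line):
            continue
        if "prepareStatement" in line and "?" in line:
            continue  # bound parameters: the literal is not built from data
        if CONCAT.search(line):
            rule = "sql-string-concat"
        elif FORMAT_CALL.search(line):
            rule = "sql-string-format"
        else:
            continue
        words = set(WORD.findall(line))
        tainted = bool(TAINT_SOURCE.search(line)) or bool(words & tainted_names)
        findings.append({"line": lineno, "rule": rule, "tainted": tainted})
    return findings


if __name__ == "__main__":
    for f in scan_java(SAMPLE_JAVA):
        print(f"line {f['line']}: {f['rule']} (attacker-controlled input: {f['tainted']})")
```

Running it reports lines 2 and 3 and stays silent on lines 7 and 8, even though line 8 executes a query built from the same tainted `user` value. Closing that gap requires inter-procedural data-flow analysis, which is exactly where commercial static analyzers spend their effort and where dynamic testing, which observes actual execution, complements them.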
Getting a vulnerability assessment to avoid breaches like Equifax's
Scanning the entire system for vulnerabilities is crucial to the whole process. Scanning the binaries could have helped Equifax avoid the chaos and problems the company is facing at the moment.
A vulnerability assessment tests the application for known vulnerabilities and also scans at the binary level, where problems can be detected and patched immediately.
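To show what testing an application for known vulnerabilities amounts to in practice, here is an added example (not code from the page, from Logix, or from F-Secure) that compares a dependency inventory against an advisory feed using version ranges, the same matching a scanner performs once it has identified the components in a binary. The coordinates, versions, advisory ids and summaries are all constructed placeholders, not real advisories.

```python
from typing import Dict, List, Tuple

# Constructed dependency inventory in the `group:artifact:packaging:version:scope`
# shape that build tools print. Coordinates and versions are fictional.
DEPENDENCY_LIST = """\
org.example:portal-framework:jar:2.3.20:compile
org.example:portal-framework-rest:jar:2.3.20:compile
org.example:json-parser:jar:1.9.1:compile
org.example:logging-core:jar:3.0.4:runtime
"""

# Constructed advisory feed with placeholder ids (not real advisories or ranges).
# Each range is [introduced, fixed): affected from `introduced` up to, but not
# including, the first fixed release.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "artifact": "org.example:portal-framework",
     "ranges": [("2.0.0", "2.3.25"), ("2.5.0", "2.5.8")],
     "summary": "remote code execution"},
    {"id": "ADV-EXAMPLE-0002", "artifact": "org.example:json-parser",
     "ranges": [("1.0.0", "1.9.0")],
     "summary": "denial of service on malformed input"},
    {"id": "ADV-EXAMPLE-0003", "artifact": "org.example:logging-core",
     "ranges": [("3.0.0", "3.0.5")],
     "summary": "information disclosure"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1). A qualifier such as '-RC1' is dropped
    from the component it is attached to, and parsing stops there."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def version_cmp(a: str, b: str) -> int:
    """-1, 0 or 1 as a is older than, equal to or newer than b. Shorter tuples
    are padded with zeros so '2.3' == '2.3.0'; plain string comparison would
    wrongly put '2.3.9' after '2.3.25'."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_affected(version: str, ranges: List[Tuple[str, str]]) -> bool:
    """True when version falls inside any [introduced, fixed) range."""
    return any(version_cmp(version, lo) >= 0 and version_cmp(version, hi) < 0
               for lo, hi in ranges)


def parse_dependency_list(text: str) -> List[Tuple[str, str]]:
    """Return (group:artifact, version) pairs from build-tool style lines."""
    deps = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4:
            continue
        group, artifact, _packaging, version = fields[:4]
        deps.append((f"{group}:{artifact}", version))
    return deps


def find_vulnerable(text: str, advisories: List[Dict]) -> List[Dict]:
    """Match every inventoried artifact against every advisory range and return
    one finding per (artifact, advisory) hit, including the fixed version that
    closes the matched range so the remediation target is explicit."""
    by_artifact: Dict[str, List[Dict]] = {}
    for adv in advisories:
        by_artifact.setdefault(adv["artifact"], []).append(adv)
    findings = []
    for coord, version in parse_dependency_list(text):
        for adv in by_artifact.get(coord, []):
            for lo, hi in adv["ranges"]:
                if version_cmp(version, lo) >= 0 and version_cmp(version, hi) < 0:
                    findings.append({"artifact": coord, "installed": version,
                                     "advisory": adv["id"], "fixed_in": hi,
                                     "summary": adv["summary"]})
                    break
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(DEPENDENCY_LIST, ADVISORIES):
        print(f"{f['artifact']} {f['installed']}: {f['advisory']} "
              f"({f['summary']}), upgrade to {f['fixed_in']}")
```

Two design points matter here. Matching is by exact coordinate, so `portal-framework-rest` is not flagged even though it shares a version line with the affected artifact; an advisory feed has to list every affected artifact, and a scanner has to inventory transitive dependencies, not just the ones declared directly. Version comparison is numeric and component-wise, because lexical comparison misorders releases and silently marks patched builds as vulnerable or vice versa.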
Logix Infosecurity uses state-of-the-art tools from F-Secure Radar to deliver deep vulnerability scans so that breaches like Equifax's can be avoided.