When the news emerged that Equifax had succumbed to a colossal data breach from mid-May through July of last year, consumers were livid—in part because the ransacking was entirely preventable. Hackers stole 148 million people’s names, Social Security numbers, birthdates, home addresses, and more sensitive information, as of the major credit bureau’s last count in March, and worse yet, it happened two months after software fixes for the vulnerabilities at fault had been made available.
In the year since, thousands of companies have continued to introduce the same security holes into their computer networks. As many as 10,801 organizations—including 57% of the Fortune Global 100—have downloaded known-to-be-vulnerable versions of Apache Struts, the popular, open source software package that attackers targeted to loot Equifax, from March 2017 through February 2018, according to data from Sonatype, a Goldman Sachs-backed cybersecurity startup that tracks code pulled by software developers.
The Apache Software Foundation released patched versions of the software employed by Equifax on March 7, 2017 as well as six other subsequent times throughout the year. But despite the availability of repaired code, businesses continue to download broken copies of Struts—a pervasive, app-building framework that helps power the transactional backends of many businesses—that are potentially susceptible to remote code execution, enabling an attacker to hijack a computer system from afar.
Sonatype did not identify specific companies that had downloaded flawed software. But of that set of 10,801 Struts-embrittled organizations, seven of the businesses were Fortune Global 100 tech companies, eight were Fortune Global 100 automakers, and 15 were Fortune Global 100 financial services or insurance firms, Sonatype researchers told Fortune.
A catastrophic hack didn’t change habits
Troublingly, the fallout from Equifax has not seemed to dissuade corporations from pulling unsafe code into their networks. As many as 8,780 organizations have continued to download known, vulnerable versions of the Struts software since Equifax’s breach disclosure on September 7, 2017, per Sonatype’s data. In other words, only about 1 in 5 businesses learned from Equifax’s debacle and stopped downloading faulty components once the heist of the credit bureau became publicly known.
The extent to which the corporate world has disregarded Equifax’s breach is startling. As many as 3,049 organizations have downloaded the exact same vulnerabilities that hackers exploited to break into Equifax—that is, the same holes contained in Struts versions 2.2.3 to 18.104.22.168 and 2.5 to 2.5.10, referenced in the U.S. government’s national vulnerability database under CVE-2017-5638, for the technically savvy—since the credit bureau’s breach disclosure, Sonatype researchers said.
To use an analogy, this is like completely ignoring an airbag recall and hoping not to get paralyzed in a collision—except worse because, in this scenario, malicious entities are actively trying to total other vehicles, including, potentially, yours.
“Downloading vulnerable versions of Struts is a symptom of a broader hygiene issue,” says Wayne Jackson, Sonatype’s CEO. “The problem is that these organizations don’t care enough to exert control, or don’t have infrastructure in place to know what’s being used.”
Sonatype was able to collect the data it shared with Fortune, Jackson explains, because it maintains a code repository, Maven Central, relied upon by many software developers as they build applications. When requests for code components come in, Sonatype is able to conduct reverse lookups on the requesters’ IP addresses, and thereby determine from which organizations they originated.
The failure to patch outdated software goes extends far beyond Struts. “We’ve probably got 10 million components that have defect associations,” Jackson says, referring to the output of other open source programming projects. “It’s not a problem that’s unique to Struts.” But Struts, he adds, is “a household name that should have gotten enough attention for people to change their behaviors.”
“Just because you create patches doesn’t mean customers will apply them,” says Joshua Corman, chief security officer at PTC, a Boston-based software shop, and cofounder of I Am the Cavalry, a grassroots organization focused on cybersecurity advocacy. “It takes a long time to fix this stuff at scale, but I’m worried they’re not trying rather than just being slow.”
Why companies don’t patch
Updating Struts tends to present a greater challenge for companies than applying other software fixes, such as simple Microsoft Windows updates. Because Struts libraries are often bundled with disparate web applications, fixing the issue requires, among other things: knowing which applications use these components; updating so-called build scripts so they fetch the latest versions of the software; rebuilding the applications; and running quality assurance tests to make sure the mended applications work as intended.
It’s not nearly as straightforward as download and reboot. And yet the problem demands swift remediation.
“You can’t sit around and say, well, it takes six months so we’re doing the best we can,” says Corman, who formerly served as chief technology officer of Sonatype until he left in March 2016. “The mean time to exploit is days.”
To be sure, it is possible that developers—and their automated, code-pulling software development scripts—are downloading faulty versions of Struts, yet not using them in any final product. It’s also possible that programmers are fixing the code themselves before deploying applications. It’s even possible that some organizations are relying on other security tools, like web application firewalls, to filter out possible attacks aimed at the flawed software.
Occam’s Razor suggests, however, that most organizations are simply failing to adhere to the most basic tenets of IT hygiene: Patch—promptly.
“I would expect, especially given the rage around Equifax, people would be finding ways to increase response time to remediate bugs in projects they rely upon,” Corman says.
Given Sonatype’s findings, apparently that’s not the case.