CMSWire posed the question to our CEO: “Is Open Source Software Inherently Insecure?”
Does Equifax’s excuse (if real) that the breach came down to an open source component have any merit?
Paul Kraus – “This response from Equifax is quite concerning — and shows a significant lack of software diligence, let alone security diligence or process. To claim that open source is less secure than closed source, or that closed source is more secure than open source, is unfounded, and honestly lazy.
Inferring that Equifax checks their software vendors for vulnerabilities and not the software their teams pull into their products, shows a clear deficiency in Equifax’s software lifecycle process.
Software has bugs — period. It is the responsibility of the user to understand the risks introduced by third-party libraries – regardless of where they originate. There have been numerous patches for Struts published, and I would lend a guess that Equifax’s patch management process either was ignorant that the patch applied to their usage, skipped the patch, had the patch in “testing” or had the patch in a queue for future releases. Given any of these scenarios – claiming it was not their responsibility, especially being the stewards of such sensitive data, [will possibly lead to] a much deeper investigation than Equifax’s self-disclosure.”
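The first step in the "understand the risks introduced by third-party libraries" responsibility Paul describes is simply knowing which versions you ship and whether a published fix supersedes them. The script below is an added example written for this post (not Equifax's process, not CMSWire's, and not code from our product): it inventories the dependencies declared in a Maven pom.xml, resolves `${property}` version placeholders, and flags any artifact that falls below a minimum fixed version. The pom.xml content and the `MIN_FIXED` floor for `struts2-core` are constructed placeholders for illustration; in practice that table is populated from your vulnerability feed, not hand-typed.

```python
"""Inventory the dependencies in a Maven pom.xml and flag any that sit
below a minimum fixed version.

Added example for this post. SAMPLE_POM and the MIN_FIXED table are
constructed placeholders, not taken from Equifax or from any advisory.
"""
import re
import xml.etree.ElementTree as ET

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample project that pins Struts through a <properties> entry,
# the pattern that makes a plain grep for the version string miss it.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>app</artifactId>
  <version>1.0</version>
  <properties>
    <struts.version>2.3.30</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>2.6</version>
    </dependency>
  </dependencies>
</project>
"""

# Hypothetical policy table: (groupId, artifactId) -> minimum acceptable
# version. The floor value is a placeholder; load this from your
# vulnerability feed rather than editing it by hand.
MIN_FIXED = {
    ("org.apache.struts", "struts2-core"): "2.3.32",
}


def parse_version(v):
    """Turn '2.3.30' or '2.5.10.1' into a tuple of ints so that tuple
    comparison orders versions correctly; a non-numeric suffix such as
    '-SNAPSHOT' and everything after it is dropped."""
    parts = []
    for p in re.split(r"[.\-]", v):
        if p.isdigit():
            parts.append(int(p))
        else:
            break
    return tuple(parts)


def resolve(value, props):
    """Expand ${prop} placeholders from the <properties> block.
    Unknown placeholders are left as-is so they surface in findings."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)), value)


def dependencies(pom_xml):
    """Return [(groupId, artifactId, resolved version), ...]."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}", 1)[1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", MAVEN_NS)}
    deps = []
    for d in root.findall("m:dependencies/m:dependency", MAVEN_NS):
        g = d.findtext("m:groupId", default="", namespaces=MAVEN_NS).strip()
        a = d.findtext("m:artifactId", default="", namespaces=MAVEN_NS).strip()
        v = d.findtext("m:version", default="", namespaces=MAVEN_NS).strip()
        deps.append((g, a, resolve(v, props)))
    return deps


def outdated(pom_xml, min_fixed=MIN_FIXED):
    """Return [(coordinate, declared version, required floor), ...] for
    every tracked artifact whose version is missing, unresolved, or older
    than the floor. Missing/unresolved versions are flagged rather than
    skipped: not knowing the version is itself a finding."""
    findings = []
    for g, a, v in dependencies(pom_xml):
        floor = min_fixed.get((g, a))
        if floor is None:
            continue
        if not v or parse_version(v) < parse_version(floor):
            findings.append((f"{g}:{a}", v or "unresolved", floor))
    return findings


if __name__ == "__main__":
    for coord, have, need in outdated(SAMPLE_POM):
        print(f"{coord}: declared {have}, fixed in {need}")
```

Running it against the constructed pom reports `org.apache.struts:struts2-core: declared 2.3.30, fixed in 2.3.32`. Note that it flags a dependency whose version it cannot resolve instead of silently passing it, and that it only reads the top-level pom: transitive dependencies need the resolved dependency tree (for example from `mvn dependency:tree`), which is exactly the part a "we check our vendors, not our libraries" process never looks at.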
Read the rest of his thoughts, along with those of the other contributors, at CMSWire: Equifax Breach