What do the Target, Home Depot, and Equifax security breaches have in common? They seem different: BlackPOS was the root cause of the first two, and the Apache Struts2 vulnerability CVE-2017-5638 was the reason for the latter. In essence, all of them are attributable to third-party vulnerabilities: Target and Home Depot used POS software they didn’t create, and Equifax relied on Apache Struts2, which they didn’t build either.
The way contemporary software systems are built has changed significantly over the last two decades. I still remember heated discussions in which business and IT argued vigorously about whether open source software could be used in a “serious” financial organization, and the answer at that time was more “no” than “yes”.
These days, it’s not even a question. Even “serious” companies can’t afford to build their systems from scratch anymore; if they tried, they would simply lose out to their competitors. The change was so dramatic that up to 80% of a contemporary system can consist of third-party components.
The problem is that even though adopting those components may be easy and free, and certainly easier and cheaper than developing the same functionality from scratch, the security of the adopted component was never free. This simple truth is not always well understood. Perhaps it’s a mentality issue: we usually care more about what we’ve created ourselves than about what we’ve got for free, or almost for free, from somewhere else. Perhaps it’s a failure to understand the risks that come with adopted components; I don’t know.
My thought, and my call to security professionals, is simple: if 80% of your system consists of third-party components, you should probably dedicate more than 10% of your time and resources to the security of those components. As of now, the reality is different. You can participate in this poll to provide your feedback and see what resource allocation looks like in other organizations.