While Equifax's executives and its security team have been pilloried for the company's security deficiencies, its shortcomings are far from unique when it comes to out-of-date open-source libraries lurking in key business applications.
Following Equifax's disclosure in September, UK-based open-source vulnerability database operator Snyk scanned 1,000 open-source projects on GitHub and found 64 percent were still vulnerable to a severe remotely exploitable flaw, for which the Apache Foundation had provided patches in March. It was one of two flaws Equifax's attackers probably used to steal its database.
Snyk CEO and founder Guy Podjarny summed up the problem many developers face in securing open-source applications with lots of dependencies.
"When you use these open-source libraries, you're using crowd-sourced code and that has all sorts of security implications. It's like relying on Wikipedia for medical research. It's generally accurate and good, but not always good, and people don't track security risk," he told ZDNet.
The danger is heightened for known vulnerabilities. The recent WannaCry and NotPetya destructive malware outbreaks illustrated that many organizations allow publicly disclosed Windows flaws to linger in business-critical systems for months.
Microsoft released a patch for the infamous SMB flaw in March, yet WannaCry impacted over 300,000 PCs when it struck in June.
But at least major operating system vendors alert users and admins to the availability of updates. It's messier for applications that rely on dozens of shared libraries, many of which don't alert developers to a known problem.
Snyk's recent developer survey found that 16.3 percent of developers don't update their dependencies and fewer than half use tools to alert them to known vulnerabilities.
The average Node.js application uses "hundreds sometimes thousands" of dependencies in its tree, while there are generally fewer in Ruby and Python, explains Podjarny.
"But frankly this is in pretty bad shape across the board."
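The two problems the article raises, dependency trees that run to hundreds of packages and libraries that never tell you a known flaw exists, are exactly what a dependency audit tool checks for. The script below is an added example, not code from Snyk or from the article: it walks a constructed npm-style lock file, counts direct and transitive packages, and matches each one against a constructed advisory list (the package names, versions and advisory ids are all placeholders). It also shows a case the survey statistics hide: the same library can appear twice in one tree, once patched and once not.

```python
import json

# Constructed sample lock file (npm-style nested tree); not a real project.
# A patched copy of example-parser sits at depth 2, an unpatched copy at depth 3.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "dependencies": {
        "example-web": {"version": "2.1.0", "dependencies": {
            "example-parser": {"version": "1.4.2"},
            "example-cookie": {"version": "0.3.1", "dependencies": {
                "example-parser": {"version": "1.2.0"}
            }}
        }},
        "example-logger": {"version": "3.0.0"}
    }
})

# Constructed advisory feed: package -> [(first fixed version, placeholder advisory id)]
ADVISORIES = {
    "example-parser": [("1.4.0", "ADV-EXAMPLE-001")],
    "example-cookie": [("0.4.0", "ADV-EXAMPLE-002")],
}


def parse_version(version):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("."))


def walk(deps, path=()):
    """Yield (name, version, path) for every node in the nested dependency tree."""
    for name, node in deps.items():
        here = path + (name,)
        yield name, node["version"], here
        yield from walk(node.get("dependencies", {}), here)


def audit(lock_json, advisories):
    """Flatten the tree and flag every node older than an advisory's fixed version."""
    tree = json.loads(lock_json)
    nodes = list(walk(tree.get("dependencies", {})))
    findings = []
    for name, version, path in nodes:
        for fixed_in, advisory_id in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append({
                    "package": name,
                    "version": version,
                    "fixed_in": fixed_in,
                    "advisory": advisory_id,
                    "path": " > ".join(path),
                    # anything deeper than the top level was pulled in indirectly
                    "transitive": len(path) > 1,
                })
    return {
        "total_nodes": len(nodes),
        "unique_packages": len({name for name, _, _ in nodes}),
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOCK, ADVISORIES)
    print(f"{report['total_nodes']} nodes, {report['unique_packages']} unique packages")
    for f in report["findings"]:
        kind = "transitive" if f["transitive"] else "direct"
        print(f"{f['advisory']}: {f['package']}@{f['version']} ({kind}) "
              f"via {f['path']}; fixed in {f['fixed_in']}")
```

Run as-is it reports five nodes across four unique packages and two findings, both transitive, including the stale nested copy of example-parser that a check of top-level dependencies alone would miss. The version comparison here is deliberately minimal (numeric dotted versions only); a production tool would need full semver range handling and a real advisory feed.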