Apache Struts2 exploitation: Beyond putting out fires!

The unfolding of the Equifax breach shows that the attack started around two months after the vulnerability was disclosed – and the patch was made available – by the Apache Foundation. That means the vulnerability could have been eliminated with a patch long before the attack.

The case exposes a persistent challenge IT and Dev pros face: it takes much longer to mitigate vulnerabilities than it takes hackers to start exploiting them. This is not an isolated example. Just remember the consequences of the WannaCry attacks back in May – and Heartbleed, Shellshock etc., etc., etc.…

At the heat of the WannaCry attacks, I asked: Are we having the right discussion? And I ask today again:

Are we having the right discussion?

Many are probably just putting out fires now, trying to find and fix any vulnerable instances of Apache Struts2. But the fact is, it is becoming increasingly urgent that we move beyond dealing with the consequences of the exploitation of non-mitigated vulnerabilities, to discussing how we can ensure that operational processes include security policies and practices. This is the only way to avoid the incredibly large amount of unpatched software with known vulnerabilities we leave out there for hackers to exploit.


Because the number of incidents exploiting known vulnerabilities we see reported all the time proves that it is not enough that we rely on all the next-gen, bullet-proof cyber-kryptonite out there as a defense, when we do not work to reduce the number of cracks and holes hackers can use to break into our systems.

Relying solely on attack detection technologies – no matter how sophisticated – is the same as not buying a lock for your doors expecting that your alarm system will protect your house from an invasion.

It’s a matter of thinking of risk reduction. Binary thinking does not apply here. The fact that we cannot mitigate it all does not mean we should not mitigate at all. It a matter of strategy and tactics.

It is possible to make sound improvements by using the right set of Software Vulnerability Management tools to support efforts to reduce the window of opportunity for hackers.

Join us on October 5 for a webinar to discuss how to reduce the risk window for hackers and avoid the costly consequences of a successful breach.