Thursday, September 14th, 2017

Equifax – The Achilles Heel of Cybersecurity

The Equifax breach once again highlights how application vulnerabilities remain the Achilles heel for organisations. Hackers exploited a two-month-old flaw in Equifax’s web systems to steal 143 million customers’ private data.

Analysis of the major breaches from 2012 will show that application-level vulnerabilities have caused far more data breaches in recent years than any other vector.

The Equifax breach was the result of an application security issue: a known security flaw in the open-source Apache Struts framework for Java apps was exploited.

What is clearly evident to all security professionals is that this particular application vulnerability was something that Equifax should certainly have known about and been protected against. When people say “Struts is hard to patch”, remember that Equifax made a business decision to use Struts. They then didn’t keep it updated.

The dangers posed by vulnerable web applications are well understood. The Open Web Application Security Project (OWASP) provides a list of the top web application security vulnerabilities. The same issues have arisen for the past several years, meaning that people have had enough time to address them.

Yet, as breaches like the one at Equifax have kept highlighting over the years, many are clearly not paying heed.

Smarttech247
