Media Coverage

Post Equifax Plea: Change Your Software Security Practices or Be Damned (Again)

On September 8, 2017, Equifax revealed that they suffered a massive data breach, with approximately 143 million records compromised, including social security numbers, first and last names, birth dates, addresses, and more in some cases.

The unfortunate fact is that the breach was just one of many incidents caused by the software security practices and culture within large organizations, problems that will take major work to fix.

There have been lots of opinions as to how the breach was caused by negligence. One of the most common criticisms is that Equifax failed to apply a three-month-old patch—or software update—from open source provider Apache. The logic goes that basic patch management practices should have caught this oversight.

The issue with this line of thinking is that basic patch management—which has existed for years—tends to apply to technology infrastructure, such as operating systems, server software, databases and networks. The software at issue in this breach was part of a software library (Struts 2) that isn’t within the scope of many network-centric patching processes. The danger posed by this blind spot in patch management was highlighted in recent years by well-known security incidents and vulnerabilities, most notably Heartbleed.

Read more here.