Equifax breach and the issues with patching.

Picture courtesy of USA Today

Fingers have been pointing at Equifax’s lackadaisical attitude towards security hygiene in its recent cyberbreach faux pas.

But are security fixes simple, easy and straightforward to patch?

A quick rundown: Equifax’s IT team was aware of the vulnerability in their Apache web server and had actually downloaded the security plugin two months before the attack occurred.  But they didn’t install it!  Many then asked why Equifax didn’t proceed to roll the patch out.

It is akin to buying a padlock for the front gate of a house, but leaving the padlock in the car for months before the house gets burglarised.

In the open-source world of web server software, step-by-step instructions are also provided for webmasters and IT administrators to patch security holes.

A report by USA Today argued that rolling out patches is not as straightforward as many might think.

‘The process of patching the flaw isn’t as simple as just downloading a new version of Java. It requires searching the company’s entire portfolio of applications to look for known and newly reported vulnerabilities, then updating to the latest version of those applications. It is then often necessary to rewrite the applications so they match the other software the company is using. Then everything must be retested and redeployed.’
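The inventory-wide search the quote describes, as an added example that is not from USA Today, Equifax or any vendor: a constructed inventory of deployed applications is checked against a constructed advisory table (component, affected version ranges, fixed-in version; all names and numbers are placeholders). It uses numeric version comparison so that a version such as 2.3.10 is not mistaken for being older than 2.3.9, the kind of mistake that leaves a vulnerable deployment out of a patch rollout.

```python
import re

# Constructed inventory of deployed applications (hypothetical names and versions).
INVENTORY = [
    {"app": "customer-portal",  "component": "webframework", "version": "2.3.9"},
    {"app": "dispute-api",      "component": "webframework", "version": "2.3.10"},
    {"app": "internal-reports", "component": "webframework", "version": "2.5.1"},
    {"app": "legacy-upload",    "component": "webframework", "version": "2.3.9-rc1"},
    {"app": "static-site",      "component": "httpd",        "version": "2.4.1"},
]

# Constructed advisory table: component -> [(first affected, last affected, fixed in)].
# Placeholder numbers, not a real advisory; inclusive ranges, one per supported branch.
ADVISORIES = {
    "webframework": [("2.3.5", "2.3.9", "2.3.10"), ("2.5.0", "2.5.3", "2.5.4")],
}


def parse_version(text):
    """Turn '2.3.10' or '2.3.9-rc1' into a comparable tuple.

    Numeric parts compare as integers (so 2.3.10 > 2.3.9) and a pre-release
    suffix sorts below the final release of the same number.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-.]([A-Za-z]\w*))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))          # pad so 2.3 compares like 2.3.0
    return tuple(nums), (1 if m.group(2) is None else 0)


def find_vulnerable(inventory, advisories):
    """Return (app, version, fixed_in) for every deployment inside an affected range."""
    findings = []
    for item in inventory:
        deployed = parse_version(item["version"])
        for lo, hi, fixed in advisories.get(item["component"], []):
            if parse_version(lo) <= deployed <= parse_version(hi):
                findings.append((item["app"], item["version"], fixed))
                break                      # one finding per deployment is enough
    return findings


if __name__ == "__main__":
    for app, version, fixed in find_vulnerable(INVENTORY, ADVISORIES):
        print(f"{app}: {version} is affected, update to {fixed} or later")
```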

Open-source web server applications (apps) such as Apache are free and, quite naturally, capture a large percentage of the global market share.  But could such freely distributed apps be precisely the reason why they can be tedious to work on when upgrades are available?

This brings me to wonder: for as long as I can remember, many have argued the merits of open-source against proprietary systems, largely from the financial angle.

In the context of web server software, the clear divide between Linux-based servers and Microsoft’s Internet Information Services (IIS) has long been a battlefield for web hosting supremacy.

If the remarks made by an anonymous IT professional to USA Today hold true, would proprietary web server hosting software then have the advantage where security fixes are concerned?

Some IT professionals I spoke with shared that though Linux-based software is free from a licensing perspective, it is not exactly free, as support costs are levied as an option.

But wouldn’t this business and operating model be the key difference?

  • Proprietary software is charged under a licensing framework and thus comes with support, which might provide more comprehensive coverage of its software vulnerabilities.  And it might be less tedious when patches need to be rolled out.

  • License-free software might be less comprehensive when it comes to hotfixes for its vulnerabilities.  And free software might add to the ‘tediousness’ for IT administrators to manage and maintain.  Even when support costs apply, integration with other applications working with the base software requires more work.

What do you think?

Picture courtesy of www.wired.com

Gary Tan