If you think your company is immune to cyber attacks, think again. By some estimates, nearly half of all websites have, at this very moment, a critical security vulnerability and nine out of ten have at least a moderate security vulnerability.[1]

No One Is Safe

Even the largest and most sophisticated sites are not fully secure. Of the 500 busiest websites, an estimated one third are not secure, including ESPN.com, BBC.com, Wikia.com, MyShopify.com, Chegg.com, and NBA.com.[1]

Within the last year, some of the largest companies in the world have experienced breaches exposing sensitive data and affecting millions of customers, including Facebook (540 million users), Marriott (500 million users), and Fortnite (200 million users), to name only a few. Equifax experienced a security breach exposing the names, Social Security numbers, birth dates, and addresses of over 148 million U.S. and nearly 700,000 U.K. customers. The vulnerability had already been reported to the NVD, but Equifax did not notice it until after the breach.[1]

The impact of even one of these vulnerabilities on businesses and consumers can be devastating. It’s an epidemic of massive proportions and it just keeps getting worse. Companies big and small are being breached daily and most breaches, if discovered, are never reported.

Vulnerability Reports Skyrocket

A CVE (Common Vulnerabilities and Exposures) entry is a coded reference system for security flaws, much as the Dewey Decimal system is a coded reference system for library books. A huge database of past and current CVEs is maintained in the National Vulnerability Database (NVD), run by NIST and funded by the U.S. Department of Homeland Security. The NVD contains over 120,000 reported vulnerabilities impacting over 200,000 different software configurations, both commercial and open source. It’s only April and already over 4,000 vulnerabilities have been reported this year!

Vulnerabilities are tracked not only for commercial software but also for open source software. For example, since the year 2000 there have been:

  • 246 vulnerabilities reported for Apache Tomcat
  • 34 for Apache ActiveMQ
  • 33 for Apache CXF
  • 143 for Apache TomEE

How many of these is your company aware of? How many of them have you patched?

Surviving the Frequency of CVEs

Unfortunately, trying to wade through the list of vulnerabilities and software configurations is like drinking from a firehose. In 2017, Tomitribe established a partnership with Sonatype to offer CVE notification and patching to customers using Tomcat, TomEE, and ActiveMQ. In our minds, the patch was the primary thing delivering business value.

We discovered two very interesting things. First, the frequency of vulnerabilities creates an endlessly moving target that most customers simply cannot address, which exposes them to significant business risk. Second, the nature of CVEs is not black and white, but many shades of gray.

There is a huge gap between the moment a CVE is published and the moment you are able to roll out a patch. That gap is where half the battle is won. For Tomcat alone, there are 8-12 CVEs a year. They do not come out in one-month increments, timed perfectly with your planned monthly or bi-weekly release. They often come out the day after or the week after. This puts customers in a position where they have to evaluate, “do I wait or do I react now?”

In the last 2 years, we’ve sent 384 CVE notifications to customers through our support portal. In working with our customers we have noticed that the dialog about these CVEs is where the real magic happens. Their application knowledge combined with our server knowledge is what it takes to answer the most critical questions: “is this CVE dangerous for you?”; “do you have time to react?”; “is there a workaround?”; and “should you raise all the alarms?” For some customers, a CVE with a CVSS score of eight is effectively a zero because they do not use the feature or settings that expose it. For others, a CVE with a CVSS score of two might be a huge problem because they use the vulnerable feature or settings everywhere.
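The reasoning above (affected version? exposing configuration present? workaround available? react now or wait for the next release?) is exactly the kind of thing that should be written down rather than argued from memory each time. The following is an added example, not Tomitribe’s code or tooling. The CVE records, their identifiers (CVE-EXAMPLE-*), the condition labels such as ajp_enabled, the deployment descriptions and the react-now threshold of 7.0 are all constructed placeholders for illustration, not real advisories. The only piece modelled on reality is the Tomcat version scheme, where milestone builds like 9.0.0.M15 precede the final 9.0.0 release.

```python
"""Triage a batch of CVE notifications against one concrete deployment.

Added example, not Tomitribe's code. All CVE records, identifiers and
deployment data below are constructed placeholders, not real advisories.
"""
from dataclasses import dataclass
import re

# Pre-release tags sort before the final release: 9.0.0.M15 < 9.0.0 < 9.0.1
_PRERELEASE_RANK = {"M": 0, "RC": 1}
_FINAL_RANK = (2, 0)


def parse_version(v: str) -> tuple:
    """Turn '9.0.0.M15' into (9, 0, 0, 0, 15) and '9.0.1' into (9, 0, 1, 2, 0)."""
    nums, pre = [], _FINAL_RANK
    for part in v.split("."):
        m = re.fullmatch(r"(M|RC)(\d+)", part)
        if m:
            pre = (_PRERELEASE_RANK[m.group(1)], int(m.group(2)))
        else:
            nums.append(int(part))
    while len(nums) < 3:          # pad '8.5' to '8.5.0'
        nums.append(0)
    return tuple(nums) + pre


def version_in_range(version: str, first_affected: str, first_fixed: str) -> bool:
    """Inclusive lower bound, exclusive upper bound, as advisories usually state."""
    return parse_version(first_affected) <= parse_version(version) < parse_version(first_fixed)


@dataclass(frozen=True)
class Cve:
    cve_id: str
    cvss: float
    affected: tuple            # (first_affected, first_fixed)
    requires: frozenset        # deployment conditions that must ALL hold to be exposed
    workaround: str = ""       # empty string: no known workaround


@dataclass(frozen=True)
class Deployment:
    version: str
    conditions: frozenset      # what this deployment actually enables


# Constructed sample notifications; the identifiers are placeholders, not real CVEs.
CVES = (
    Cve("CVE-EXAMPLE-1", 8.1, ("9.0.0.M1", "9.0.1"), frozenset({"defaultservlet_readonly_false"})),
    Cve("CVE-EXAMPLE-2", 3.1, ("8.5.0", "8.5.40"), frozenset({"ajp_enabled"}),
        workaround="bind the AJP connector to 127.0.0.1"),
    Cve("CVE-EXAMPLE-3", 9.8, ("7.0.0", "7.0.80"), frozenset()),
)


def triage(cve: Cve, dep: Deployment) -> tuple:
    """Return (effective_severity, reason). The CVSS score only counts when the
    deployment is in the affected range AND has the exposing configuration."""
    if not version_in_range(dep.version, *cve.affected):
        return 0.0, "not affected: version outside affected range"
    missing = cve.requires - dep.conditions
    if missing:
        return 0.0, "not affected: exposing configuration absent (" + ", ".join(sorted(missing)) + ")"
    return cve.cvss, "exposed"


def plan(cve: Cve, dep: Deployment, react_threshold: float = 7.0) -> dict:
    """Answer 'do I wait or react now?' for one CVE. The threshold is an assumed policy knob."""
    sev, reason = triage(cve, dep)
    if sev == 0.0:
        action = "record only"
    elif sev >= react_threshold and not cve.workaround:
        action = "react now: out-of-band patch"
    elif sev >= react_threshold:
        action = "apply workaround now (" + cve.workaround + "), patch in next release"
    else:
        action = "schedule: fold into next planned release"
    return {"cve": cve.cve_id, "cvss": cve.cvss, "effective": sev, "reason": reason, "action": action}


def triage_all(cves, dep: Deployment) -> list:
    """Most urgent first, ranked by effective severity rather than raw CVSS."""
    return sorted((plan(c, dep) for c in cves), key=lambda r: -r["effective"])


if __name__ == "__main__":
    for dep in (Deployment("8.5.23", frozenset({"ajp_enabled"})),
                Deployment("9.0.0.M20", frozenset({"defaultservlet_readonly_false"}))):
        print("deployment", dep.version)
        for row in triage_all(CVES, dep):
            print("  ", row["cve"], "cvss", row["cvss"], "effective", row["effective"], "->", row["action"])
```

Run against the two constructed deployments, the 9.8 notification ranks last for both because neither runs the affected major version, while the 8.1 entry is a "react now" for the 9.0 milestone deployment and a zero for the 8.5 one. The point of the exercise is the `requires` set: it is the application-side knowledge (which connectors, servlets and settings are actually in use) that no server vendor can supply on its own.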

Without that internal conversation, you’re either the person always saying the sky is falling or you’re the one telling your VP or CTO, “we’re not affected” when exactly the opposite is true. In either case it’s not only your reputation that is at stake, but also your company’s entire business and goodwill. Just ask the folks at Equifax.

Not a Technical Problem

As developers, we tend to ignore the human aspect in everything — “we should be able to deliver anything immediately.” Let’s draw an analogy. If you were a fire department and reacted to all fires as if they were the same size, would that be a responsible use of resources? If you responded to each incident with this level of idealism, could you get people seriously hurt?

Sure you should work to be as fast as possible, but CVEs don’t fix themselves while you sleep. If you have to get up, so do your co-workers. There will be conversations, decisions, and trade-offs and in the end, it will always be a human problem.

Constant education is the only way to help that problem.

The New Vulnerability Reports

Today, we are launching a new effort to communicate some of those vulnerabilities and their solutions to the general public with regular updates on our new CVE web page dedicated to TomEE, Tomcat, and ActiveMQ. To kick-off this new effort, we offer you a video explaining a vulnerability which allows hackers to take over your entire server with one simple HTTP POST.

Of course, we cannot create videos faster than hackers can attack you. To be truly protected we recommend companies get support subscriptions, where you’ll have Tomitribe continuously monitoring and working with you on new CVEs in Tomcat, TomEE or ActiveMQ. With the hundreds of new CVEs published each week, any other approach is dangerously unrealistic.

However, we do sincerely hope these videos raise awareness on a topic that is commonly ignored. In many ways, CVEs are the Global Warming of the Software industry: Increasing in frequency and severity, as we turn a blind eye to a crisis that puts us in harm’s way.

Help us educate the public. Help us get the word out.

[1] Hashedout, The SSL Store, 4/10/2019, “80 Eye-Opening Cyber Security Statistics for 2019”


David Blevins

Prior to founding Tomitribe, David’s extensive experience creating meaningful relationships between business and Open Source includes 7 years at IBM rebranding Apache Geronimo as WebSphere CE, technical leadership in Gluecode (acquired by IBM), and a key role in Apple’s integration and distribution of OpenEJB in WebObjects.

Richard Monson-Haefel


Richard has more than 24 years of experience as a professional software developer and architect. He has written five books on enterprise Java including EJB, JMS, web services, and software architecture. He has served on the JCP executive committee and multiple expert groups, is the co-founder of OpenEJB and Apache Geronimo, was a Sr. Analyst for Burton Group (aka Gartner), and is a celebrated public speaker.
