Equifax's Security Oversight
In 2017, Equifax suffered a massive data breach that exposed the personal information of 147 million people. The breach was due to an unpatched Apache Struts vulnerability (CVE-2017-5638) in their online dispute portal. Despite having dynamic application security testing (DAST) tools in place, Equifax failed to act on critical findings, allowing the vulnerability to remain unaddressed for months.
Attackers exploited a known flaw in Apache Struts 2, which had been publicly disclosed in March 2017. Proof-of-concept exploits were available almost immediately. The breach began in mid-May 2017 and went undetected until late July.
Timeline of Events
- March 7, 2017: Apache Software Foundation releases a security advisory for CVE-2017-5638.
- March 8, 2017: Proof-of-concept exploit code becomes publicly available.
- March 9, 2017: Department of Homeland Security issues alert US-CERT TA17-068A.
- Mid-May 2017: Initial compromise occurs through the vulnerable dispute portal.
- May-July 2017: Attackers maintain persistent access, exfiltrating data over 76 days.
- July 29, 2017: Equifax discovers suspicious network traffic.
- September 7, 2017: Public disclosure of the breach.
Failures in Security Controls
The Equifax breach highlights a failure in remediation, not detection. Your DAST tools can identify vulnerabilities, but without action, they are ineffective.
Vulnerability Management Process Breakdown: Equifax lacked a triage system to route DAST findings to remediation teams. Your team needs an automated workflow that creates a P0 ticket for critical vulnerabilities, assigns an owner, and escalates if not patched within 24 hours.
Asset Inventory Gap: Equifax did not maintain an accurate inventory of applications using Apache Struts. Without knowing your dependencies, you can't patch them. Your asset inventory must map every component and its version number.
Patch Verification Failure: Even after issuing patch directives, Equifax failed to verify deployment. Your DAST and SCA tools should run continuously post-remediation to confirm vulnerabilities are resolved. If a vulnerability persists, your ticketing system should auto-reopen with escalated priority.
Relevant Standards and Requirements
PCI DSS v4.0.1 Requirement 6.3.2 requires maintaining an inventory of software components to facilitate vulnerability management. Equifax violated this by not maintaining an accurate component inventory.
Requirement 6.3.3 mandates protecting system components from known vulnerabilities by installing applicable patches. The 76-day window between exploit availability and remediation clearly violates this requirement.
For organizations under SOC 2 Type II, Common Criteria CC6.1 requires restricting access to system resources to authorized users. Failing to patch a known vulnerability that allows remote code execution violates this control.
ISO 27001 Control 8.8 addresses managing technical vulnerabilities. Organizations must obtain timely information about vulnerabilities, evaluate exposure, and take appropriate measures. Equifax's inaction on a publicly disclosed vulnerability violates this control.
Actionable Steps for Your Team
Integrating SAST, SCA, and DAST is essential for a comprehensive application security strategy:
Unified Vulnerability Workflow: Consolidate findings from SAST, SCA, and DAST into a single platform. Set severity-based SLAs: critical findings (CVSS 9.0+) require remediation within 24 hours, high findings within 7 days. Escalate to leadership if deadlines slip.
Real-Time Component Inventory: Use SCA tools to scan every build and maintain a software bill of materials (SBOM). Flag components with known vulnerabilities and block builds introducing critical CVEs. Run SCA in your CI/CD pipeline.
Continuous Scanning for Verification: After patching, your DAST and SCA tools should rescan within 24 hours. If the vulnerability persists, reopen the ticket with higher priority.
Security Tool Coverage Audit: Quarterly, verify that SAST scans proprietary code, SCA inventories all dependencies, and DAST tests the running application. Address any blind spots.
Emergency Patch Process: Document procedures for handling vulnerabilities with public exploits. Define who gets paged, the approval process for changes, and how to verify deployment. Test this process quarterly with tabletop exercises.
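As an added example (not code from the original article), the following Python sketch models the unified workflow described above and in the Failures section: CVSS-based SLA tiers, one ticket per finding consolidated across SAST, SCA and DAST, escalation when a deadline passes, and automatic re-open at higher priority when a post-remediation rescan still finds the issue. The Ticket fields, team names, reference time and sample findings are constructed; only the CVE id comes from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Severity-based SLAs from the page: CVSS 9.0+ is critical (24 h), 7.0-8.9 is high (7 days).
SLA_TIERS = [(9.0, "P0", timedelta(hours=24)), (7.0, "P1", timedelta(days=7))]

@dataclass
class Ticket:
    key: str              # CVE id, or "tool:rule" for findings without one
    priority: str
    owner: str
    due: datetime
    status: str = "open"  # open | escalated | resolved

def classify(cvss):
    """Map a CVSS score to (priority, remediation window); None if below the tracked tiers."""
    for floor, prio, window in SLA_TIERS:
        if cvss >= floor:
            return prio, window
    return None

def triage(findings, owners, now):
    """Consolidate SAST/SCA/DAST findings into one ticket per key, each with an owner and deadline."""
    tickets = {}
    for f in findings:
        tier = classify(f["cvss"])
        if tier and f["key"] not in tickets:
            prio, window = tier
            tickets[f["key"]] = Ticket(f["key"], prio, owners[f["component"]], now + window)
    return tickets

def escalate_overdue(tickets, now):
    """Mark open tickets past their SLA deadline and return the keys to raise with leadership."""
    late = [t for t in tickets.values() if t.status == "open" and now > t.due]
    for t in late:
        t.status = "escalated"
    return [t.key for t in late]

def verify_rescan(ticket, still_present, now):
    """Post-remediation rescan: resolve only if clean, otherwise reopen as P0 with a fresh 24 h clock."""
    if still_present:
        ticket.status, ticket.priority, ticket.due = "open", "P0", now + timedelta(hours=24)
    else:
        ticket.status = "resolved"
    return ticket.status

# Constructed sample data: the Struts CVE named on the page, reported by both SCA and DAST, plus a medium SAST finding.
SAMPLE_FINDINGS = [{"tool": "sca", "key": "CVE-2017-5638", "component": "struts2-core", "cvss": 10.0},
                   {"tool": "dast", "key": "CVE-2017-5638", "component": "dispute-portal", "cvss": 10.0},
                   {"tool": "sast", "key": "sast:weak-hash", "component": "dispute-portal", "cvss": 5.3}]
OWNERS = {"struts2-core": "platform-team", "dispute-portal": "portal-team"}
NOW = datetime(2017, 3, 9)  # constructed reference time for the sample run
```

Running `triage(SAMPLE_FINDINGS, OWNERS, NOW)` yields a single P0 ticket for the CVE with a 24-hour deadline; the medium SAST finding falls below the tracked tiers and produces no ticket.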
Owning security tools doesn't ensure security. Your DAST scanner might identify vulnerabilities like the Apache Struts issue, but the critical question is: what actions do you take next?