Oct 3, 2017

Good Advice from the Apache Struts Team on keeping your Servers Patched

If you have been tracking the recent Equifax breach, it should remind all IT professionals to always have someone dedicated to keeping servers properly updated.  

I found this article and I thought the below advice from the Apache Struts team applies to any J2EE server.  It seems to apply to any publicly accessible Web or Application server product.

Please note that ColdFusion does use any portion of Apache Struts.

The below advice can be found inside the complete article.here:

Our general advice to businesses and individuals utilizing Apache Struts as well as any other open or closed source supporting library in their software products and services is as follows:

1. Understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting this products and versions.

2. Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries needs to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months. Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.

3. Any complex software contains flaws. Don't build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities.

4. Establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. A breach into the presentation layer should never empower access to significant or even all back-end information resources. 

5. Establish monitoring for unusual access patterns to your public Web resources. Nowadays there are a lot of open source and commercial products available to detect such patterns and give alerts. We recommend such monitoring as good operations practice for business critical Web-based services.

Once followed, these recommendations help to prevent breaches such as unfortunately experienced by Equifax.
For the Apache Struts Project Management Committee,

René Gielen
Vice President, Apache Struts 

No comments:

Post a Comment