Sonatype Turns Their Distribution of Insecure Software Into Misleading Stories About Other Companies

When it comes to improving the security of websites, security journalists could play an important role, but they unfortunately do not seem to be interested in doing that. Instead they spend a lot of time spreading misleading and outright false information that comes from security companies. Oftentimes, like a game of telephone, the information being provided gets more inaccurate as journalists repeat the claims of other journalists (in some instances without disclosing that they are copying information from others).

A good example of that is something we ran across today. On ZDNet’s security blog Zero Day (which at least previously was written by people who didn’t know what a zero day is) there is a post headlined “After Equifax breach, major firms still rely on same flawed software” with the sub-headline “At least seven tech giants still use the vulnerable software that hackers exploited to attack Equifax last year.” An obvious question would be what methodology was used to determine that. If you read the post you will find that it wasn’t actually determined at all, nor was it claimed to have been. Instead what was measured was downloads of the software:

Thousands of companies have downloaded vulnerable versions of Apache Struts, a popular web server software used across the Fortune 100 to provide web applications in Java. It’s often used to power both front- and back-end applications — including Equifax’s public website.

Downloading a vulnerable version of software doesn’t mean you rely on it or use it. For example, when we are dealing with hacked websites we might need to download older versions of software so that we can compare the copy of the software on the website against a known clean copy.
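To make that use case concrete, here is an added example (ours, not code from the post or from any of the companies named) of the kind of comparison a cleanup involves: a reference copy of the exact release the site runs, vulnerable or not, is hashed file by file and compared against the copy pulled from the hacked site, so that modified, added and missing files stand out. The two directory trees and their contents are constructed inline for the demonstration; in real use they would be the downloaded release and the site's files.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def compare_trees(site_root, clean_root):
    """Compare a site's files against a clean reference release.

    Returns sorted lists of paths that were modified (present in both but
    with differing content), added (only on the site), missing (only in the
    reference) and unchanged.
    """
    site = hash_tree(site_root)
    clean = hash_tree(clean_root)
    return {
        "modified": sorted(k for k in site if k in clean and site[k] != clean[k]),
        "added": sorted(k for k in site if k not in clean),
        "missing": sorted(k for k in clean if k not in site),
        "unchanged": sorted(k for k in site if k in clean and site[k] == clean[k]),
    }


def _write(root, files):
    """Create the given relative-path -> bytes files under root."""
    for rel, data in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def run_demo():
    """Build two constructed trees and compare them (sample data, not real files)."""
    clean_release = {
        "README.txt": b"release notes\n",
        "lib/core.jar": b"original library bytes\n",
        "conf/config.xml": b"<config/>\n",
    }
    site_copy = {
        "README.txt": b"release notes\n",          # identical
        "lib/core.jar": b"tampered library bytes\n",  # content differs
        "tmp/unknown.jsp": b"not part of the release\n",  # extra file
        # conf/config.xml is absent from the site copy
    }
    clean_dir = tempfile.mkdtemp(prefix="clean_")
    site_dir = tempfile.mkdtemp(prefix="site_")
    _write(clean_dir, clean_release)
    _write(site_dir, site_copy)
    return compare_trees(site_dir, clean_dir)


if __name__ == "__main__":
    for category, paths in run_demo().items():
        print(f"{category}: {paths}")
```

The point of the comparison is that the reference copy has to be the same release the site runs; if the site is on an old, vulnerable version, that is the version that gets downloaded, which is exactly why a download of a vulnerable version says nothing by itself about what an organization deploys.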

Later in the post it is mentioned that Fortune reported on this before ZDNet:

Fortune was first to report the data.

The Fortune story has a more accurate headline, “Thousands of Companies Are Still Downloading the Vulnerability That Wrecked Equifax”. Here is how they source that claim:

As many as 10,801 organizations—including 57% of the Fortune Global 100—have downloaded known-to-be-vulnerable versions of Apache Struts, the popular, open source software package that attackers targeted to loot Equifax, from March 2017 through February 2018, according to data from Sonatype, a Goldman Sachs-backed cybersecurity startup that tracks code pulled by software developers.

And here is how Sonatype determined that:

Sonatype was able to collect the data it shared with Fortune, Jackson explains, because it maintains a code repository, Maven Central, relied upon by many software developers as they build applications. When requests for code components come in, Sonatype is able to conduct reverse lookups on the requesters’ IP addresses, and thereby determine from which organizations they originated.

So Sonatype is the one distributing the insecure software to these companies and also tracking what they are downloading, which seems like something those journalists might want to cover.