Posted on 09/16/2017 8:01:50 PM PDT by grundle
I suspect the subpoenas would go much further back in time.
Agreed, because apparently this was their 3rd hack in nearly 16 months.
While it is true that the Struts jars can (and should!) reside in a central directory on the appserver, that is not necessarily the case. If the programmers are allowed to download whatever software they like, and build these jars into their .war files, then they really don’t know what they have and aren’t in a position to fix it.
This is how everything started with J2EE programming and Open Source at most shops. The necessary controls came later. But if you have a lot of legacy applications, you may have a wide variety of open source releases stuffed into your applications, and not even know it.
The only way the auditors can find out what is going on is by taking all the production .war files, unjarring them, and seeing what is inside. This sort of audit is unlikely to happen. Most auditors will just interview developers, asking what their practices and procedures are, and believe what they say. What they say may even be true right now, but will not reflect all the apps that have been moved to production in the past ten or fifteen years.
There are probably automated application scanning tools that will help. But first you have to find all the production servers and the applications - many places can’t even do that.
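The audit the poster describes (take every production .war, unjar it, and look at what is bundled under WEB-INF/lib) is easy to automate. The script below is an added example, not code from the thread: it opens a .war as a zip, reads each bundled jar's manifest (falling back to the version in the filename), and then compares every jar whose name contains "struts" against a per-release-line floor. The floor map is an input you maintain; the values in the sample call (2.3.32 on the 2.3 line, 2.5.10.1 on the 2.5 line) are the first releases that fixed the Struts flaw behind the 2017 breach. The sample .war, its jar names and the `scan_tree` helper are constructed for the example and stand in for a real deployment directory.

```python
import io
import os
import re
import zipfile
from typing import Dict, List, Optional, Tuple

# Version string such as 2.3.31 or 2.5.10.1 (two to four numeric parts).
VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(s: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in s.split("."))


def jar_version(name: str, data: bytes) -> Optional[str]:
    """Best-effort version of one jar: manifest first, filename second."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as jar:
            if "META-INF/MANIFEST.MF" in jar.namelist():
                manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                for line in manifest.splitlines():
                    key, _, value = line.partition(":")
                    if key.strip() in ("Implementation-Version", "Bundle-Version"):
                        m = VERSION_RE.search(value)
                        if m:
                            return m.group(1)
    except zipfile.BadZipFile:
        pass  # not a real jar; fall through to the filename
    m = VERSION_RE.search(name.rsplit("/", 1)[-1])
    return m.group(1) if m else None


def inventory_war(war_bytes: bytes) -> Dict[str, Optional[str]]:
    """Map every jar bundled under WEB-INF/lib/ to the version we could detect."""
    found: Dict[str, Optional[str]] = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for info in war.infolist():
            if info.filename.startswith("WEB-INF/lib/") and info.filename.endswith(".jar"):
                found[info.filename.rsplit("/", 1)[-1]] = jar_version(info.filename, war.read(info))
    return found


def struts_findings(inventory: Dict[str, Optional[str]],
                    fixed_by_branch: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Verdict per Struts jar: 'outdated', 'ok', or 'review' when we cannot decide.

    fixed_by_branch maps a release line ("2.3") to the first fixed version on it,
    so a 2.5.x jar is never judged against the 2.3 floor or vice versa."""
    findings = []
    for jar, ver in inventory.items():
        if "struts" not in jar.lower():
            continue
        if ver is None:
            findings.append((jar, "unknown", "review"))
            continue
        parts = parse_version(ver)
        fixed = fixed_by_branch.get(".".join(str(p) for p in parts[:2]))
        if fixed is None:
            findings.append((jar, ver, "review"))  # release line not in the floor map
        elif parts < parse_version(fixed):
            findings.append((jar, ver, "outdated"))
        else:
            findings.append((jar, ver, "ok"))
    return findings


def scan_tree(root: str, fixed_by_branch: Dict[str, str]) -> Dict[str, list]:
    """Walk a deployment directory (assumed layout) and report per .war file."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith(".war"):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    results[path] = struts_findings(inventory_war(fh.read()), fixed_by_branch)
    return results


def build_jar(manifest_version: Optional[str]) -> bytes:
    """Constructed minimal jar for the sample .war below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if manifest_version is not None:
            jar.writestr("META-INF/MANIFEST.MF",
                         f"Manifest-Version: 1.0\nImplementation-Version: {manifest_version}\n")
        jar.writestr("placeholder.class", b"")
    return buf.getvalue()


def build_sample_war() -> bytes:
    """Constructed sample .war (not a real application) with three bundled jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        # Old Struts; the version is only recoverable from the manifest.
        war.writestr("WEB-INF/lib/struts2-core.jar", build_jar("2.3.31"))
        # Copy with no manifest version; the filename still carries it.
        war.writestr("WEB-INF/lib/struts2-core-2.5.10.jar", build_jar(None))
        # Unrelated library, ignored by the Struts check.
        war.writestr("WEB-INF/lib/commons-lang-2.6.jar", build_jar("2.6"))
    return buf.getvalue()


if __name__ == "__main__":
    floors = {"2.3": "2.3.32", "2.5": "2.5.10.1"}
    for jar, ver, verdict in struts_findings(inventory_war(build_sample_war()), floors):
        print(f"{verdict:9} {jar} ({ver})")
```

Run it against a copy of the real deployment tree rather than the developers' description of it; a jar with no manifest version and no version in its filename comes back as "review" rather than silently passing, which is the case that interviews never surface.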
Come to think of it, all three Obamas were affirmative action hires.