Slashdot Mirror


User: mtraffanstead

mtraffanstead's activity in the archive.

Stories: 0
Comments: 2

Comments · 2

  1. OSS had a fix for Equifax. They didn't apply it. on Could We Reduce Data Breaches With Better Open Source Funding? (marketwatch.com) · Score: 2

    It's troubling that media can look at all the details of the Equifax story and somehow come to the conclusion that OSS needs improving or is in any way broken. OSS is certainly not perfect but the bug was identified, patched and publicized months before Equifax actually applied it. OSS did not fail here, incompetent security and* development teams did... at a company whose entire business is handling PII and financial data. It's inexcusable and frankly criminally negligent.
    * It also bugs me that I generally only see Equifax's security team called to the carpet for this. It's the development team's responsibility to have an ever-greening plan in place and regularly update their product. The security team should be the first line of defense against this and the application development team should have been the second. It's shocking how many developers I work with who think that libraries and frameworks are somehow "safe" and that I push regular updates only because "new-shiny".

  2. The system should be air-gapped regardless on FBI Software For Analyzing Fingerprints Contains Russian-Made Code, Whistleblowers Say (buzzfeed.com) · Score: 2

    A system with millions of fingerprints and who knows what other demographic and biometric data should be air-gapped out of principle. That's an information gold mine that will be a prime target for every bad actor on the planet, state-sponsored or not.