
What Does the Equifax Hack Mean for Open Source Security?

Although the most likely cause of the massive Equifax data breach was the firm’s own failure to patch a two-month-old bug, the inherent security of open source software has become a trending topic in tech news.

Mediacurrent’s resident expert, Open Source Security Lead Mark Shropshire, is well-informed to join the conversation. We asked him a few questions to get his take on recent events.

1.) Hi, Mark! What can you tell us about your background with open source security?

I have over twenty years of experience as an open source developer and I’m passionate about contributing back to the Drupal community. When I’m not blogging and podcasting at Mediacurrent, you can find me organizing local Drupal events in the Charlotte, NC metropolitan area and speaking at Drupal events.

In my role as Open Source Security Lead, I work with Mediacurrent clients to build and maintain highly secure websites. Day to day, I help to keep our team informed on Drupal security best practices, standards, and trends. Even though I am focused on Drupal, I find it important to understand security through a wide-angle lens by being a critical consumer of news.

Author’s note: Check out Mark’s presentation from Drupalcon Baltimore Raising the Security Bar with Guardr, and his latest podcast appearance on Mediacurrent Dropcast Episode 34: Security!

2.) The Equifax cyberattack is one of the largest data breaches in U.S. history and it has received a lot of media attention. In the initial aftermath, some were quick to blame open source software for being inherently less safe than proprietary software. What’s your take?

All software, including open source and proprietary, can include bugs and security vulnerabilities. With proper planning, maintenance, and updating, open source software can meet and even exceed the security standards of closed source.

An active open source project with defined processes around reporting and resolving security issues provides a community with confidence and transparency. Having many “eyes” on the source code can allow more issues to be discovered and resolved. The Drupal Security Team is an example of an open source project with a mature process for maintaining the security of the Drupal project. In addition, community projects such as the Guardr security distribution help educate the community on best practices around Drupal security.

3.) Was it fair for Equifax to place the blame on open source software?

Not if Equifax neglected patching known vulnerabilities. They are in the middle of PR damage control and they are under immense pressure to explain what happened. Security issues at Equifax are probably more complex than one piece of software having a vulnerability. Processes may have failed or not existed. To the public eye, factors such as how well systems and networks are monitored and what other software remains unpatched are critical unknowns.

Dries Buytaert, the founder and project lead for Drupal, wrote a great related blog post on this subject: Don't blame open-source software for poor security practices.

4.) From a security standpoint, how can enterprises be sure that open source software measures up to other software?

In addition to a dedicated security team, tens of thousands of Drupal developers lend “extra eyes” to monitor security, ensuring timely resolution for critical bug fixes. Open source is widely adopted by industries who place a huge emphasis on security. For example, US government sites favor Drupal. Careful selection and implementation of all software, open source and proprietary, is critical to create a secure platform.

5.) What can we, the tech community, learn from this breach?

As we learn more, this may be a good case study to back security by design, a ground-up approach to developing secure software. I’m looking forward to continuing the conversation and exploring these themes in an upcoming webinar Security by Design - An Intro to Drupal Security on Thursday, October 12th. Hope you can join!

Additional Resources
Guardr for Drupal 8: Meeting Enterprise Security Requirements | Blog
10 Great Security Podcasts, Blogs, and Resources | Blog
Evaluating the Security of Drupal Contrib Modules | Blog


Meet team member, Mark Shropshire

As the Senior Director of Development, Mark “Shrop” loves working at the intersection of leadership and technology. He has a passion for personal and team growth, aligning individual purpose with Mediacurrent vision. Shrop focuses on empowering teams to be their best while using best-of-class open source technical solutions.

Over his 20-plus-year career leading technical teams, Shrop gained experience in IT roles at a large urban research university and at a nationally recognized, award-winning graphic communications company. Through these experiences, Shrop has learned to lead others with an eye on the big picture, while getting into the details as a software developer, systems architect, and system administrator. One of his proudest accomplishments has been his role in building a stronger technical community in the Charlotte region. For the past several years, Shrop has served as the community co-organizer for the Charlotte Drupal Drive-In event, hosted by CharDUG (Charlotte Drupal User Group), of which Shrop is a co-founder. He is a frequent public speaker at meetups and conferences, talking about leadership, technology, productivity, and mentorship.

When not focusing on teams and clients at Mediacurrent, Shrop enjoys spending time with family, podcasting, running live sound, and playing various musical instruments.
