As discussed above, breaches like this generally occur as a result of organizations not following secure software development practices. It is easiest and most cost effective to add controls early in the software development life cycle (SDLC). So performing architecture risk analysis or threat modeling early in the SDLC is critical. Many security issues can be prevented if the right architecture/design controls are added in the right places.
Developers should be trained in defensive programming so that they understand security vulnerabilities and how to prevent them. Developers and security teams should use static analysis tools that can help find implementation vulnerabilities. Code reviews and security testing should also be used to further reduce the likelihood of vulnerabilities ending up in production environments. Operations teams should keep a close eye on applications and watch for unusual behavior.
These are only a small subset of security activities that organizations should be performing. See the Building Security In Maturity Model (BSIMM) for a more comprehensive list of security activities. Also, keep in mind that you need to secure all your applications and systems.
Equifax stated, “We have found no evidence of unauthorized access to Equifax’s core consumer or commercial credit reporting databases.” This is not all that surprising. Organizations often focus on protecting their core systems but are laxer about applications/systems that they consider less critical.