Small and medium enterprises use many third-party web applications, because such applications save them money and let them embed expertise they could not build themselves. However, this practice also brings security risks to their businesses and their customers.
Recent events at Network Solutions show how serious the harm can be: ten days ago the domain name provider learned that a web widget it offered, present on at least 120,000 web pages, had been infecting large numbers of visitors with malware. The company had reportedly placed the widget, the Small Business Success Index, on the third-party widget directory WidgetBox.
As more and more enterprises put third-party code on their websites and import content from other sites, the security of their visitors increasingly depends on those other sites.
"In the past five years, the Web has swept the globe," says Neil Daswani, chief technology officer of web scanning company Dasient. "As a website administrator, your security actually depends on a lot of third parties, so you must make sure that all code and widgets are monitored."
Network Solutions is not the only Internet company to have unwittingly hosted malicious code on its website. A year ago, attackers posing as legitimate advertisers submitted a virus-laden advertisement to the New York Times website, and the site then infected a large number of visitors through this rogue program without knowing it. Other sites, such as Fox News and BusinessWeek, have faced similar problems.
When a website hosts a rogue program, the impact on the business is large and long-lasting. If Google flags a site as malicious because it contains rogue code, the site's traffic can drop by as much as 95%, Daswani said. "From the feedback we get from customers, even after the problem is fixed and the site is removed from the blacklist, its traffic still takes a huge hit."
The problem is not easy to solve, and there is no standard or accepted way to prove whether code is secure and reliable, said Andy Chou, chief researcher at code scanning company Coverity. "In other industries there is a corresponding certification for a given quality measure of a product," Chou said. "Other industries have many ways to show consumers information about the products they buy, but in the software industry there is no comparable certification. You must test the code yourself."
Security experts suggest that enterprises regularly scan their programs to check for malware or Trojans. Developers can use static scanners on source code to find security vulnerabilities, and runtime scanners and antivirus scanners can check widgets and programs for malware before they are posted to the website.
The websites themselves should also be inspected frequently. Wayne Huang, chief technology officer of website scanning company Armorize, said, "Combined scanning is a good approach. Source code scanning has its own limitations, and client-side web scanning has its limitations too, so using them together maximizes security."
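The monitoring Daswani and Huang describe, as an added example that is not code from the article or from any of the companies it quotes: inventory the third-party scripts a page embeds, fingerprint each one's content, and flag anything that is new or has changed since the last baseline. The HTML, the widget hosts and the script bodies are constructed for the example; a real monitor would fetch the live pages and scripts instead.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample page: one first-party script and two third-party widgets (hosts are made up).
SAMPLE_HTML = """
<html><body>
<script src="/js/app.js"></script>
<script src="https://widgets.example-directory.test/sbsi.js"></script>
<script src="http://ads.example-adnet.test/tag.js"></script>
</body></html>
"""

SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)


def third_party_scripts(html, own_host):
    """Return script URLs on the page that are served from a host other than own_host."""
    found = []
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).netloc
        if host and host != own_host:
            found.append(src)
    return found


def fingerprint(content):
    """SHA-256 of a script body, used as the baseline record for that URL."""
    return hashlib.sha256(content).hexdigest()


def check_against_baseline(fetched, baseline):
    """fetched: {url: script bytes}; baseline: {url: sha256 hex} from the last approved run.
    Returns {url: 'ok' | 'changed' | 'new'}; 'changed' and 'new' need a human review."""
    verdicts = {}
    for url, body in fetched.items():
        digest = fingerprint(body)
        if url not in baseline:
            verdicts[url] = "new"
        elif baseline[url] != digest:
            verdicts[url] = "changed"
        else:
            verdicts[url] = "ok"
    return verdicts


if __name__ == "__main__":
    urls = third_party_scripts(SAMPLE_HTML, "www.example.test")
    # Constructed script bodies: the widget was altered, the ad tag is unchanged.
    fetched = {urls[0]: b"/* widget */ document.write('<iframe src=...>')", urls[1]: b"/* ad tag v1 */"}
    baseline = {urls[0]: fingerprint(b"/* widget */ renderIndex();"), urls[1]: fingerprint(b"/* ad tag v1 */")}
    for url, verdict in check_against_baseline(fetched, baseline).items():
        print(f"{verdict:8} {url}")
```

Any "changed" or "new" verdict is the signal to pull the widget and rescan it, rather than leaving it live while the review happens.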
Security experts doubt that many websites will scan themselves regularly until similar incidents have hit a large number of sites.
"People are only just becoming aware of this area," Chou of Coverity said. "From our experience working with software development organizations, all of these code bases contain a large amount of third-party material, and the software in use comes from many different sources."
- Researchers are committed to smart Web application security scanning tools
- Some necessary security measures after Web application Construction