Why are so many websites still vulnerable?
Why do so many websites still have vulnerabilities? This is a concern for many users.
Vulnerabilities on most enterprise websites include those in OpenSSL, PHP, and WordPress. They are mainly caused by the large number of custom combinations of this open-source software, together with a lack of testing and patching.
This article describes how to fix these vulnerabilities from the beginning and throughout the development lifecycle.
Many Website Security Vulnerabilities
"The main cause of many website (and web application) vulnerabilities is the fully customized nature of these technologies," said David J. Venable, who notes that this produces largely untested websites and applications that have not undergone the rigorous and thorough testing applied to most commercial software (such as operating systems and server software packages).
In fact, there are more vulnerabilities in websites and web applications than anywhere else in the enterprise. These include vulnerabilities in PHP sites, third-party and proprietary software, WordPress code and installations, OpenSSL, single sign-on, SQL and LDAP deployments, and other technical vulnerabilities.
PHP websites that use third-party software have inherent vulnerabilities because third-party application development is not under the enterprise's control. Joe Sremack, head of Berkeley Research, said: "You can design your website to ensure that all self-made code is completely secure, but if you need to use third-party software, then you may introduce vulnerabilities."
WordPress is an increasingly serious problem. It has countless plug-ins and requires constant updates, which poses a growing threat to small and medium-sized enterprises. "Enterprises want WordPress functionality, but unfortunately it also brings risks," Sremack said.
OpenSSL faces the same problem. As the technology keeps evolving, each change brings new vulnerabilities that attackers can discover and exploit. Every year, attackers exploit OpenSSL vulnerabilities as part of large-scale data breaches. Many seemingly new vulnerabilities are in fact ones that had simply not been discovered earlier.
Even when programmers develop websites securely, their work is based mainly on known vulnerabilities rather than unconfirmed ones, and new vulnerabilities will always emerge.
Injection vulnerabilities are still common, and attackers have adjusted their methods to take advantage of the increasingly popular single sign-on. Sremack explained: "Single sign-on is common in hotels. People use single sign-on to check their accounts and points. The new LDAP injection technique attacks vulnerabilities and passes parameters to the code to control their network sessions."
Another attack vector is the inclusion of local and remote files. Sremack said: "Website code can call files on local servers or remote public servers. Using injection techniques, attackers can display information on the website, including a list of password files or usernames on the web server, and execute the code they want to run."
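As an added example (not code from the article or its interviewees), the following Python shows the defensive side of the two injection classes just described: escaping user input before it is placed in an LDAP filter, and resolving a page parameter against an allowlist before any file is included. The filter shape, the page allowlist and the template directory are constructed assumptions.

```python
import os
from typing import Optional

# RFC 4515 escape sequences for characters that change an LDAP filter's structure.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally inside a filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def naive_user_filter(username: str) -> str:
    """Vulnerable form: the raw username is concatenated into the filter."""
    return f"(&(objectClass=person)(uid={username}))"


def safe_user_filter(username: str) -> str:
    """Hardened form: the username is escaped, so it cannot add or close clauses."""
    return f"(&(objectClass=person)(uid={escape_ldap_filter_value(username)}))"


# Constructed sample allowlist of page templates the site may include.
ALLOWED_PAGES = frozenset({"home", "account", "points"})


def resolve_include(page: str, base_dir: str) -> Optional[str]:
    """Map a request parameter to a template path, or None if it is not allowed.

    Only allowlisted names are accepted, so traversal sequences, URLs (remote
    inclusion), null bytes and unknown names never reach an include call.
    """
    if page not in ALLOWED_PAGES:
        return None
    root = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(root, page + ".php"))
    # Defence in depth: the resolved path must still lie under the template root.
    if os.path.commonpath([root, path]) != root:
        return None
    return path
```

Comparing `naive_user_filter` and `safe_user_filter` on the same input shows how an unescaped value adds a second `(uid=` clause to the filter while the escaped value stays a single literal.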
Fix Website Security Vulnerabilities
Venable said: "Enterprises must adhere to security best practices from the very beginning of the development process, such as the best practices of the Open Web Application Security Project (OWASP)." Enterprises need to perform all tests before production and after every code change, including application assessment, penetration testing and static analysis, and at least once a year. To detect and mitigate attacks in real time, enterprises need to deploy a WAF and IDS for websites and web applications, and staff a round-the-clock monitoring team.
"In the development process, we work with the security team to perform regular tests on the affected code and functions," Sremack said. If the enterprise is updating its current website, the security team should test to ensure that the new features do not introduce any vulnerabilities. The development team should also scan and test to isolate and fix vulnerabilities.
Sremack said: "Enterprises should use the same tools that attackers use to break into networks, such as Grabber, W3AF, and Zed Attack Proxy." Although anyone with security knowledge or the tools can use these applications to detect website vulnerabilities from the test results, enterprises need to assign dedicated staff to the task.
"Developers should look at how they create and maintain network sessions, and specifically check the input of sessions transmitted through the website, whether through the website itself or through input fields," Sremack said. "Then we monitor vulnerabilities in any third-party code and review the vendor's statements on vulnerability exploitation."
Summary
The larger a website, and the greater its functionality and visibility, the more third-party software it will use, and the more expensive it becomes to reduce the vulnerabilities inherent in it.
Enterprises must monitor and update their websites multiple times a day to better defend against attackers. This process should include change management, testing, and proper deployment, as well as new dedicated security teams and designated test sites.
The richer a website's functionality, the more an enterprise must ensure its security. There are also many free open-source tools to help developers learn about new vulnerabilities and threats.