Why are there still so many vulnerable web sites? The vulnerabilities found on most corporate Web sites are understood to include flaws in OpenSSL, PHP, and WordPress, largely because these open-source components are combined in countless custom ways and the resulting deployments are neither tested nor patched thoroughly enough.
In this article we look at how to address these vulnerabilities from the start of development and throughout the development life cycle.
Security vulnerabilities on many websites
"A number of Web site (and Web application) vulnerabilities are primarily due to the nature of these technologies being fully customizable," said David J. Venable, a former U.S. National Security Agency intelligence collector and a director at the communications company Masergy. The result is a large body of websites and applications that are not tested as rigorously as most commercial software, such as operating systems and server packages.
In fact, Web sites and Web applications tend to be more vulnerable than other parts of the enterprise. The weak spots include PHP sites, third-party and in-house software, WordPress code and installations, OpenSSL, single sign-on, and SQL and LDAP deployments and technologies.
PHP websites that use third-party software carry inherent risk because third-party application development is outside the enterprise's control. "You can design your website to make sure all your homemade code is completely secure, but if you need to use third-party software, you could introduce a vulnerability," said Joe Sremack, head of Berkeley Research.
WordPress is an increasingly serious problem: it has countless plug-ins that need constant updating, which poses a growing threat to small and medium-sized enterprises. "Businesses want WordPress to function, but unfortunately it also poses a risk," says Sremack.
OpenSSL faces the same problem. As the technology keeps evolving, each change can bring new vulnerabilities for attackers to discover and exploit. Year after year, attackers exploit OpenSSL vulnerabilities as part of large data breaches, and many seemingly new vulnerabilities turn out to be old bugs that simply had not been found before.
Even programmers who develop secure Web sites do so mainly against the vulnerabilities already known to them rather than those not yet identified, and new vulnerabilities are always emerging.
Injection vulnerabilities are still common, and attackers have adapted their methods to the increasingly pervasive single sign-on. Sremack explains: "Single sign-on is common in hotels, and people use single sign-on to check their accounts and points. The new LDAP injection technique attacks this vulnerability, passing parameters to the code to take control of its network session."
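The LDAP injection described above, as an added example that is not code from the article or from any vendor it quotes: a toy LDAP search over an in-memory directory shows how a filter built by string concatenation in a single sign-on lookup can be hijacked, and how RFC 4515 value escaping stops it. The directory entries, attribute names and the "loyalty points" attribute are constructed for illustration; the lenient parsing (ignoring whatever follows the first complete filter) mimics how some directory servers behave and is an assumption of the toy, not a property of any particular product.

```python
# Added example: toy LDAP filter evaluation to show injection and escaping.
# Directory contents, attribute names and the points attribute are constructed.
import re

# Constructed sample directory: one attribute map per entry.
DIRECTORY = [
    {"uid": ["alice"], "objectClass": ["person"], "points": ["1200"]},
    {"uid": ["bob"], "objectClass": ["person"], "points": ["300"]},
    {"uid": ["svc-backup"], "objectClass": ["account"]},
]

# Assertion-value escaping required by RFC 4515 section 3.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape untrusted text so it can only ever be a literal value."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)

def vulnerable_filter(username: str) -> str:
    """The bug: raw user input spliced into the filter grammar."""
    return f"(&(uid={username})(objectClass=person))"

def safe_filter(username: str) -> str:
    """Same query with the value escaped; the filter structure cannot change."""
    return f"(&(uid={escape_filter_value(username)})(objectClass=person))"

def _parse(s: str, i: int):
    """Parse one filter starting at s[i] == '('; return (node, next index)."""
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, children), i + 1
    j = s.index(")", i)  # escaped parens are \28 / \29, so this is the real close
    attr, _, val = s[i:j].partition("=")
    return ("=", attr, val), j + 1

def _unescape(val: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), val)

def _match_value(pattern: str, actual: str) -> bool:
    # A raw '*' is a wildcard; an escaped \2a becomes a literal '*' after unescaping.
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return re.fullmatch(regex, actual, re.IGNORECASE) is not None

def _matches(node, entry) -> bool:
    if node[0] == "&":
        return all(_matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(_matches(c, entry) for c in node[1])
    _, attr, val = node
    return any(_match_value(val, v) for v in entry.get(attr, []))

def search(filter_str: str, directory=DIRECTORY) -> list[str]:
    """Return the uids matching filter_str. Like a lenient server, anything
    after the first complete filter is ignored; malformed filters match nothing."""
    try:
        node, _ = _parse(filter_str, 0)
    except (ValueError, IndexError):
        return []
    return [e["uid"][0] for e in directory if _matches(node, e)]

if __name__ == "__main__":
    payload = "*))(|(uid=*"  # closes the AND early; the rest is ignored junk
    print(search(vulnerable_filter("alice")))   # only alice
    print(search(vulnerable_filter(payload)))   # every entry, service account included
    print(search(safe_filter(payload)))         # nobody: the payload is now a literal uid
```

The point to take from the run is that the escaped version does not merely reject the payload, it makes the attacker's text a plain string that can only ever compare against one attribute, so the AND on objectClass=person is always enforced.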
Another attack vector is local and remote file inclusion. Sremack says: "The code of the site can call files on the local server or on remote public servers. By using injection techniques, an attacker can make a Web site display information, including a password file or a list of user names on the Web server, and execute the code they want to run."
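The file-inclusion pattern described above, as an added example that is not code from the article: a page-include routine of the kind found in many PHP-style sites, first in its vulnerable form and then hardened. The web root, the pages directory, the file names and the file contents are all constructed here so the example runs offline; the "secret" file stands in for a password file, and the allow-listed suffix is an assumption of this example.

```python
# Added example: vulnerable and hardened page inclusion.
# Directory layout and file contents are constructed for the demonstration.
import os
import tempfile

ROOT = tempfile.mkdtemp()                  # constructed web root
PAGES = os.path.join(ROOT, "pages")        # the only directory includes may reach
os.mkdir(PAGES)
HOME_HTML = "<h1>Home</h1>"
ADMIN_HTML = "<h1>Admin</h1>"
SECRET = "root:x:0:0:root:/root:/bin/bash\n"   # stand-in for a password file
with open(os.path.join(PAGES, "home.html"), "w") as f:
    f.write(HOME_HTML)
ADMIN_PATH = os.path.join(ROOT, "admin.html")   # outside PAGES
with open(ADMIN_PATH, "w") as f:
    f.write(ADMIN_HTML)
SECRET_PATH = os.path.join(ROOT, "secret.txt")  # outside PAGES
with open(SECRET_PATH, "w") as f:
    f.write(SECRET)

ALLOWED_SUFFIXES = (".html",)  # assumed allow-list for this example

def include_vulnerable(page: str) -> str:
    """?page=... concatenated straight into a path. Two separate defects:
    '..' walks out of PAGES, and os.path.join discards PAGES entirely
    when page is an absolute path."""
    with open(os.path.join(PAGES, page)) as f:
        return f.read()

def resolve_page(page: str):
    """Return the real path of an includable page, or None if the request
    must be refused. Checks: no URL scheme (remote inclusion), no NUL byte,
    allow-listed suffix, and the resolved path must stay under PAGES."""
    if "://" in page or "\x00" in page:
        return None
    if not page.endswith(ALLOWED_SUFFIXES):
        return None
    base = os.path.realpath(PAGES)
    candidate = os.path.realpath(os.path.join(base, page))  # resolves '..' and symlinks
    try:
        # commonpath rather than startswith, so a sibling such as 'pages2' cannot pass
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:  # paths on different drives (Windows)
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate

def include_safe(page: str):
    """Read an allow-listed page under PAGES, or return None."""
    path = resolve_page(page)
    if path is None:
        return None
    with open(path) as f:
        return f.read()

if __name__ == "__main__":
    print(include_vulnerable("home.html"))
    print(include_vulnerable("../secret.txt"))   # traversal leaks the secret
    print(include_vulnerable(SECRET_PATH))       # absolute path leaks it too
    print(include_safe("../admin.html"))         # None: resolves outside PAGES
    print(include_safe("home.html"))
```

In PHP, include() with allow_url_include enabled will also fetch a remote URL, which is why the hardened version refuses anything containing a scheme before it touches the filesystem; the containment check then handles the local-inclusion case regardless of how many ".." segments or symlinks the attacker supplies.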
Fix Web site security vulnerabilities
"Organizations must adhere to security best practices from the very beginning of the development process, such as the best practices of the Open Web Application Security Project (OWASP)," Venable said. "Companies need to perform all tests before, during, and after code changes, including application assessment, penetration testing, and static analysis, at least once a year. To discover and mitigate attacks in real time, organizations need to deploy a WAF and IDS in front of Web sites and Web applications, and deploy a 24x7 monitoring team."
"In the development process, work with the security team to perform periodic tests on the affected code and functionality," Sremack said. "If the enterprise is updating the current Web site, it should let the security team test and ensure that the new features do not introduce vulnerabilities." The development team should also scan and test to isolate vulnerabilities and fix them.
"Businesses should use the same tools that attackers use to break into the network, such as Grabber, W3AF, and Zed Attack Proxy," Sremack says. "Although anyone with security knowledge or security tools can use these applications to discover Web site vulnerabilities from the test results, businesses need to assign dedicated staff to do the job."
"Developers should look specifically at how they create and maintain network sessions, checking the input that the session transmits through the site, whether via the site itself or via input fields," Sremack said, "then monitor for vulnerabilities in any third-party code and review the exploit reports from the vendor."
Summary
The larger the site, the more functionality and visibility it has, the more third-party software it uses, and the more expensive it becomes to reduce the vulnerabilities inherent in it.
Businesses must monitor their websites continuously and update them as often as needed, even several times a day, to stay ahead of attackers. That process should include change management, testing, and proper deployment, backed by a dedicated security team and a designated test site.
The more features a website has, the more effort the enterprise should put into securing it. Many free and open-source tools are available to help developers keep up with new vulnerabilities and threats.