Tripwire, Inc., a leading global provider of security and compliance solutions for enterprises and industrial organizations, today released findings from research investigating the dangers of turning over web development to an unqualified third party. Specifically, the research revealed that websites developed by “budget” developers, without portfolios or references, tend to be plagued with critical security failures.
For this project, the Tripwire Vulnerability and Exposure Research Team (VERT) took on a non-technical persona and hired nearly 20 developers to create a website, with bids going up to $250. Each developer’s sole job was to deliver source code for a website with specific required functions, using a particular technology stack, within nine days.
Tripwire VERT wanted to identify backdoors, hard-coded passwords and vulnerabilities within each website. Of the 17 commissioned projects, 10 websites were completed and purchased.
VERT found that every website had critical security failures. Some notable findings were:
- Every website failed to protect any documents from unauthorized users.
- None of the websites effectively prevented hackers from uploading a backdoor, which would provide them complete control over the website’s content and data.
- Several websites had authentication bypass through basic SQL injection, which would make it easy for an anonymous user to gain access and take over the server.
- Half of the websites contained SQL injection flaws that would allow attackers to manipulate website content and access customer data, as well as take control of the database server for use in other hacking campaigns.
“It came as no surprise to find that every single website was plagued with critical security failures,” said Craig Young, principal security researcher at Tripwire. “The process was riddled with communication issues and questionable practices from beginning to end.”
“If this were a real business project, it would have run over budget, past the deadline and have been very difficult to manage. On top of all that, the customer would have been left with an insecure website,” Young added. “We cannot reasonably expect data breaches to decrease if websites built by developers are not made with basic security measures built in.”
While Tripwire VERT does not recommend relying on low-budget freelance site development, here are a few tips to consider when it is necessary:
- Get a sense of whether the candidate will be well-suited for the job. Do they have experience with the necessary technology, and can they clearly restate your requirements in their own words?
- Language barriers and time zone differences also play a role, so be sure that you can clearly communicate with them and that they’ll be available during reasonable business hours.
- Beware of fake reviews or other tricks. Be suspicious of multiple reviews in a short period by the same set of people or with very similar writing styles.
- Make clear up front that a successful security review will be an acceptance criterion.
During the Project:
- Discuss appropriate project milestones so that you may review the work to see that it’s progressing appropriately.
- Security should be baked in from the beginning. If you have a programming background, looking at the source to verify it uses “safe” functions consistently is an excellent idea. If not, consult with trusted partners who can help you learn what to look for.
- The finished product should at a minimum be scanned by a web application vulnerability scanner and ideally evaluated by a professional penetration tester before final payment is made. Third-party components can be a significant source of vulnerabilities as well, so it’s important to work with the contractor to create a list of all such components along with how to check for and install updates.
- Agree on a plan that assigns responsibility for keeping application and operating system components up to date and free from known vulnerabilities. Ongoing security reviews should also be performed to make sure nothing is missed and that new attack techniques do not apply to the application.