A few days ago, an acquaintance of mine revealed that a web site his organisation owns had been defaced. In fact, this was not the first time: the same site was defaced a couple of years ago and has been attacked via the same exploit on a regular basis ever since.
We know what the problem is: I actually reviewed the code for them after the first time and highlighted both what the issues were and how to fix them. However, the organisation decided that since the site in question is relatively low profile, has no private data behind it and is therefore low risk, they would live with the vulnerabilities until such time as they could afford the expense of fixing them.
Personally, I think this is rather akin to having your house burgled because the locks are broken but not being bothered because the crooks didn’t steal anything and only used your carpet as their toilet. Each time they come back to do the same thing you simply close the door again, sigh, clean up the mess and go back about your business. The problem is that the smell gets slightly worse each time.
If your web site is so insignificant that you can’t be bothered to fix the problem after an attack, then you should probably ask why it went online at all.
All that said, I’m wondering where we are getting with online security in general. Are we getting better? The stats on sites like www.xssed.com and the digital attack archive at www.zone-h.org show that online exploits still abound. I still encounter development teams claiming to be “agile” but really being CAC (“cutting all corners”), and while project managers will all say that “yes, we know security is important”, you can bet your dollar that if spending a few hours implementing a decent policy and QA process means the rollout schedule might slip a day, then the security director won’t be getting invited to any more meetings.
Personally I blame .NET and Cold Fusion and all the other point-and-click solutions for making it far too easy to develop great, functional online products that require very little programming skill or understanding of the underlying architecture. I’ve not done any serious programming for a long time, but I can still pick up the latest version of Visual Studio and develop a website backed by an SQL Server database in under ten minutes, without writing a line of code. It’ll work, but it won’t be even the slightest bit secure. It’s fantastic technology, and I’m not trying to be demeaning to the many excellent and highly skilled coders and developers that I know, but then most of those program in Java and consider Cold Fusion to be the work of the devil himself.
Of course, Microsoft now expend mountainous quantities of cash and online space telling programmers how to code properly through their MSDN and Patterns & Practices guidance. There are also plenty of other good online resources, such as OWASP and the free tools offered by Foundstone.
However, websites still get hacked with regularity, so what more can we do other than keep on bashing away at the same old themes that, frankly, now sound tired and clichéd? I don’t have the answer to that one yet, and I’m still using the same “thou must follow a well-planned SDLC” line of attack that I’ve been harping on about for years. We need a new approach to online security – anyone got one?