As a web development company with over 20 years of experience developing websites and implementing all kinds of platforms, we’d like to think we’re open-minded and agnostic when it comes to software. We understand that open source works wonderfully well for some organizations and others truly do benefit from proprietary software. In some instances, though, we do get a prospective customer who is adamant about using a certain technology when developing and or hosting their web presence. In some cases, it’s not a problem, but in others, it truly doesn’t make any sense. The software your organization utilizes to power your online network shouldn’t be a philosophical or political decision – it should be based on your specific needs and nothing else.
The Panama Papers leak, exposing how politicians and some incredibly rich folks hide money from being taxed and publicly-scrutinized, may have been made possible because the law firm that was hacked, Mossack Fonseca, didn't follow some real basics when it comes to website security. Because of this incredibly inane oversight, 2.6 TB worth of emails, documents, images, and database info were transferred out of the Mossack Fonseca firm’s website and network. Wolfgang Krach, co-editor-in-chief of the Sueddeutsche Zeitung, the news organization that made the documents public, said a source who introduced themselves as "John Doe" contacted the paper a year ago and with an offer of encrypted internal documents from the law firm. The Panamanian law firm claimed the attackers “hacked” their email server, and while that may have occurred, the attackers could have just as easily waltzed in through vulnerable open source CMS software utilized by Mossack Fonseca.
Using WordPress on its main website and Drupal for sharing sensitive information on the customer portal, it appears that both of these open source platforms were outdated according to an extensive, post leak analysis. WordPress was three months out of date, and Drupal was almost two years out of date.
The head of Mossack Fonseca has denied any wrongdoing, and said his firm has fallen victim to "an international campaign against privacy". I think “an internal campaign against standard online security measures” would be a better term to describe what happened.
Some risk is associated with using any software, regardless of whether it’s open source or proprietary. However, with traditional proprietary software, there is centralized management and a dedicated team of developers ready to repair any issues that may arise. Open source software keeps the code open (unlike proprietary software) so IT professionals can modify, improve, change, and distribute it. Proponents of open source proudly tout the thousands of available plug-ins. This all sounds great, but this is actually a big factor in the security issues. There are currently no processes to vet open source plug-ins or automatically update outdated plug-ins. Very few organizations are vetting the security of these plug-ins or making sure they’re patched after they’re installed on a site. The more plug-ins that are used, the more complex it is to secure a website. When security issues arrive, and they will, a security patch on an open source site shows the attacker exactly what was done to thwart them – and they’ll simply look for other critical vulnerabilities in which to attack. If there aren’t extreme security measures in place that are vigilantly followed, an open source website is like a lamb in the lion’s den when it comes to security. Mossack Fonseca, and in turn some of the most powerful people on earth, learned this lesson the hard way (lucky for us little people, though!).
Ryan McElrath, Americaneagle.com’s CTO, said “A trend that we’ve seen over the past couple of years within our hosting environment is a sharp increase in the automated scanning done by hackers looking for vulnerabilities in sites. This type of scanning has been going on for years, but the frequency is so much higher now. Within our logs, we see open source CMS sites like WordPress, Drupal and Joomla being targeted the most by far. Companies that choose to use open source software need to make sure that security is top of mind and that they must be absolutely vigilant about patching the core CMS and all plug-ins. Otherwise, it’s only a matter of time before their site is compromised.”
Attacks targeting sites running outdated versions of a CMS or using vulnerable plug-ins are happening more and more often. It makes sense due to the fact that WordPress, Joomla, and Drupal combine to support over 75% of all CMS-powered websites currently online. Since many security experts point at the plug-in ecosystem, with poorly coded and maintained plug-ins, as the main culprit in these attacks, core developers need to accept some of the responsibility and consider how third-party software is affecting their platform and provide better direction to make sure their customers' sites are as secure as possible. In addition, analyzing whether or not a web application firewall (WAF) is needed should be a part of the security discussion. A WAF is an app, server plugin, or filter that employs a set of rules to an HTTP conversation and these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. By customizing these rules to your specific application, most attacks are quickly identified and blocked. Along with other security measures, the resources to perform this customization can be significant and it needs to be constantly monitored to ensure that it keeps up with any modifications.
At Americaneagle.com, we have completed hundreds of projects that include PHP, or open source development, along with many more that utilize proprietary software. With expertise in both areas of software development, we’re uniquely qualified to assess important security concerns associated with any particular software a customer prefers. As our CTO Ryan McElrath stressed, for website security administrators, it’s crucial to patch, update, and stay on top of the latest versions of the CMS software and all related software. Besides updating the core application, it’s crucial that your organization reviews and updates the plug-ins and themes whenever there is a security update available.