Article Lead Image

Photo via Christiaan Colen/Flickr

Why websites are so vulnerable to hackers

There’s a method to their madness.


Ben Dickson

Internet Culture

Hackers just can’t get enough of hacking websites. Malicious actors break into them to upload infected copies of operating systems or distribute malware. Fraudsters use website vulnerabilities to steal sensitive credentials and financial info. The feds take them over to track down child porn consumers. Hacktivists take them down to fight controversial bathroom bills. And a lot more.

Websites continue to account for the majority of cyberattacks and tens of thousands are targeted every day. There are virtually endless reasons—and ways—that websites can be attacked. But while the motives and tools to attack websites are many, there are distinct reasons hackers choose websites as one of their prime targets and succeed at compromising them. Knowing them can help improve the security of websites and their customers.

Websites are the weakest link in the chain

There are many ways corporate networks can be infiltrated. Vulnerabilities in networking equipment firmware, flaws in encryption algorithms, misconfigured and unpatched software installations, and the use of advanced network monitoring tools are all viable solutions. But many of these breaches demand a high level of expertise and knowledge, or require special resources that can only be obtained with state backing.

Moreover, with the introduction of advanced security tools such as smart firewalls, intrusion detection systems (IDS), signature- and behavior-based antiviruses, virtual private networks and many more, it is becoming harder and harder for intruders to find cracks in the defenses of company’s network and gain access to the more private parts.

Websites continue to account for the majority of cyberattacks, and tens of thousands are targeted every day. 

The only things that remain ubiquitous and largely accessible are websites and web applications.

A major part in running an online business is having one or more outward websites. Whether it’s an e-commerce site where customers can make purchases, a social media platform where people can connect, or a web portal for employees to log into, there needs to be an interface where people can interact with your organization through public networks. And that includes hackers.

“Industries that have adopted and increased web applications usage for their business in the past year are seeing the impact on the attack patterns,” says Amit Ashbel, director of product marketing at Checkmarx, a cybersecurity startup that offers application security solutions. “Financial and transportation verticals are the top targets when it comes to web Application attack vectors. Both these industries have ramped up their web and mobile application services in the past years creating a very fertile attack surface.”

In contrast to many exploits that require physical access to special networks or state-sponsored access to ISPs, attacks against websites only require a working Internet connection. And all it takes from there is a vulnerability that can be exploited.

“The sheer fact that web applications are available for everyone to use drives attackers to design their attacks based on the weak points of the web application,” Ashbel explains.

Websites are riddled with coding flaws

According to a study by Carnegie Mellon University titled “Team Software Process for Secure Systems Development,” 90 percent of security incidents result from software bugs, i.e. mistakes committed by developers when writing the source code for the application. The study further finds that even qualified and experienced software engineers dish out a bug in every nine lines of code.

When it comes to web applications, there’s no shortage of coding flaws, and the reasons are simple.

When it comes to web applications, there’s no shortage of coding flaws. 

First of all, in contrast to complicated software, such as operating systems or special software for networking equipment, web development is an easy feat, one you can easily pick up on your own, in your own garage, which makes it an attractive field for people who want to learn some quick skills and earn some quick cash.

Moreover, there’s a lot of ad-hoc code being written to meet the needs of specific firms and organizations. Many of these institutions turn to internal resources or freelancers for web development. But these programmers aren’t necessarily versed in the basics and tenets of secure coding. They are mainly focused on delivering a product that fits the functional requirements of the client and consequently leave many security holes in their wake as they code their way to the finish line.

“Developers are measured by the time it takes them to deliver functionality and the number of functionality bugs their code contains,” Checkmarx’s Ashbel says. “The more experience they gain, the better their code becomes. This is a natural process of seeing and learning from their mistakes.”

“With security bugs, in many cases they don’t have the option to learn from their mistakes because they are rarely involved in the detection process,” he says.

Website security practices aren’t implemented properly

Even some of the bigger companies are getting hit because they are lacking in proper tools and practices in rooting out vulnerabilities from their websites. For instance, in the case of the VTech hack, in which the toy giant gave away sensitive information for millions of users, including hundreds of thousands of kids, the vulnerabilities involved were very rudimentary, including the use of obsolete encryption hashes and components containing SQL injection flaws.

Traditional security testing methods consist of relying on security audit professionals late into or at the end of the development lifecycle to review websites for vulnerabilities. This is a process that is expensive, lengthy and incomplete.

Many companies cull this stage because they either don’t have the in-house expertise or the resources to outsource the security talent, or they don’t have time and are too focused on functionality to care about the security of their website. This results in corporate websites going into production with severe security holes. Hackers have many tools that help them quickly sniff out vulnerabilities and exploit them. On the other hand, it takes firms and organizations a long time to realize they’ve been breached.

A website breach usually provides attackers with a beachhead to further delve into corporate networks and gain access to more critical assets and resources such as database servers, encryption keys and classified documents. A look at these recent data breaches shows how destructive coding flaws can be.

How do you harden your website’s security?

There are general guidelines for developing secure websites, but first of all, there needs to be a change of mindset. Companies must consider security as a prime concern, not an afterthought. This can only be achieved if dealing with security issues are dealt with in tandem with the development of the website.

Firms should start by educating their development team in the basics of secure coding. Security-savvy programmers write more secure code. Having general knowledge about vulnerabilities such as SQLi and cross-site scripting (XSS) can help developers create more secure web applications from the get go.

Also, the use of Static Application Security Testing (SAST) tools can help integrate security testing into the development process. SASTs can help quickly scan the source code of applications for known vulnerabilities and bad coding practices and warn the developers as they build the application. This is a cost-effective solution to help root out bugs in applications because it pushes security testing early up in the development lifecycle, where correcting mistakes has less impact on the overall structure of the application and will end up being cheaper and less time consuming.

“Rather than waiting for the end of the development cycle, organizations should address vulnerabilities in the same way they address functionality bugs,” says Ashbel. “It should be part of the software development lifecycle from the starting point. That way developers learn from their own mistakes and become better and more secure coders.”

The future of web security

Websites are a huge part everyday life and business. An insecure website can be destructive to the integrity, reputation and bottom line of an organization.

“The future of web and mobile application security relies on the ability to bridge the silos between the security and the development teams within the organization,” Ashbel says. “While quality assurance is there to analyze that the code delivers the functionality it promises, developers and security teams need to ensure the code does not deliver functionality that can be abused by external sources such as hackers and criminals.”

Ben Dickson is a software engineer at Comelite IT Solutions. He writes regularly on business, technology and politics. Read his blog or follow him on Twitter@bendee983.

The Daily Dot