Internet Security: How Widespread Are Bad Development Habits? 

An intive study of its customers showed an alarming number of companies aren’t performing even basic measures to improve their internet security

Installing the latest software, examining security certificates, keeping sensitive data private … all are examples of simple measures everyone should be taking to improve their internet security. Despite automatic updates and security features now standard with most major software providers, these are ignored all too frequently. In 2018 Google revealed that only 10% of users take advantage of two-factor authentication and Brigham Young University found people ignore security warnings 90% of the time.

It’s not just the individual’s internet security that’s at risk here—far more insidious is the way that ‘laissez-faire’ attitude to internet security can leach into the workplace. A few bad decisions and cut-corners on the internal network quickly create major vulnerabilities, and it’s the company that ultimately will be liable for any subsequent breach.

In light of this, you might think more tech-savvy staff members would have a better handle on internal security protocols, but a 2015 survey by Google found that only 64% of security experts update their software automatically or immediately after notification. This trend was reflected in tests we conducted at intive in 2019 as part of our digital transformation projects. We ran detailed tests on 10,000 websites built with enterprise platforms such as Sitecore Experience Platform and Adobe Experience Manager. Here, I will be running through some of the important outcomes we discovered, of which every software developer should be aware.

Don’t Leave Your Valuables in Plain Sight

Valuable items are at higher risk of theft, and the digital world is no exception. Financial information, customer data and company intelligence are all tempting prospects, either because of the value of the data itself or the value it holds for business operations. Hackers will readily take advantage of any low-hanging fruit on offer and use this to extort ransoms or bounty bugs from the company to regain control.

In previous years, the responsibility of internet security was not clearly defined. However, following a slew of new legislation worldwide, including the EU’s General Data Protection Regulation (GDPR), the responsibility now falls squarely on the company’s shoulders. Despite the hefty fines for anyone found liable of breaching data, there is no shortage of examples:

  • Uber was fined $148 million in the U.S. for a data breach dating back to 2016, which affected 57 million users globally. On top of that, its European operations were fined an additional £385,000 for the 3 million British users affected by the situation.
  • Telefonica is currently facing prosecution following a breach slammed as the greatest telecommunications breach in the history of Spain, which allowed pretty much anyone to access and download personal data, banking details and call records to be easily accessed through simple URL edits. Under the new GDPR legislation the company faces fines of €10 million to €20 million.

As the onus shifts clearly toward companies being able to demonstrate proper measures have been put in place, one would hope that preventative internet security is being taken more seriously—but we wanted to be sure.

‘Time to Check That!’

We decided to check how companies using particular digital experience platforms group prioritize their security during development.

To conduct our test we had to build our database, which was a simple first step. We easily found almost 10,000 websites that mentioned enterprise content management systems (ECMS). There are many publicly available databases offered by Google and other providers that anyone can access if they know where to search. From the very beginning, we expected to find issues with the group of websites in our database, because well-built websites would be less likely to show up in such a query.

Although we wanted to expose the vulnerabilities that hackers could find, we also needed to make sure we were running our tests in compliance with current laws and regulations. We therefore looked for simple elements that even basic hacks can expose.

We split our tests into following groups:

  • Server configuration (exposed headers).
  • Public access to sensitive parts of the system (exposed system files or admin panels/tools).
  • Public access to well-known system extensions (extensions that should not be available on production servers).
  • Well-known software patches not applied (patches with potential security vulnerabilities).
  • Other (missing encryption, wrong application configuration).

To a software developer, none of these tests are highly complicated—no rocket science or advanced computational techniques are necessary. Despite this, the results we received highlighted vulnerabilities in an alarmingly wide range of websites, including many high-profile companies.

Exposing the Gaps in Development

Summary of the test categories performed on our 10,000-website database. Copyright Reserved, intive, 2019.

As you can see from the summary of our results, the most common issue we identified was an improper protection of fragile system parts, resulting in almost 50% of the issues found. This means that elements such as administration panels, license files, files run by administrator’s tools and files containing information about versions and configurations were publicly exposed. This information might not seem particularly valuable on its own, but they contain elements used by administrators who very often run operations on very important parts of the system. Do we really need to ask what will happen if someone finds a way to access this?

The next most common issue, taking up almost 20% of our results, was a lack of actualizations in used software, which also included missing or out-of-date security patches. Such patches are released regularly by software providers and only require simple installation, making their absence even more concerning—hackers notoriously use patch vulnerabilities as a back-door entry point. It’s hard to imagine how even the major companies in our database had not taken this basic security precaution, which sends an open-invite to their data. One can only wonder what state their computer updates are in.

Issues connected to server configurations took up 16% of our results. If we add this value to the previous point, we have 30% of servers not being properly updated and suffering configuration issues. This situation is equivalent to leaving the doors to your house unlocked. Although the doors aren’t wide open, it’s simple for hackers to check well-known software and server OS security issues. More dedicated hackers can write code that automatically runs the tests needed to find websites “ready to be attacked.” Our tests only covered the most basic elements, such as header information, but the tests can be applied to many more elements, meaning the potential vulnerabilities are even greater.

Finally, we cover more specific issues related to software under the tests and general mistakes—another 16% of the total. The most important problem was a missing SSL certificate, a lack of encryption that can expose both the company and customers’ data. It’s hard to understand why our tests found this vulnerability so frequently, considering how cheap available SSL certificates are.

Specific elements we mentioned earlier, such as additional extensions, should be hidden in production environments but were easily accessible. Usually these creep in as simple mistakes, but these simple mistakes can be very costly. The extensions are trickier for hackers to track but, if discovered, create the potential to perform very powerful actions. It’s very important to remember this and double-check if these are disabled.

Forewarned is Forearmed

Our tests highlighted the importance of increased precautionary measures during development. Internet security is often like health: It’s not until you suffer a scare that you take notice of its fragility. Similarly, as long as companies haven’t yet suffered an attack, they mistakenly believe that their security in good shape.

In June 2019, the personal data of 49 million users was stolen from Instagram. The breach is reported to have occurred through an improperly protected Amazon Web Server with a live internet connection—one of the most common issues we found during our tests. For such a major player, with robust finances and large security teams in place, leaving such a simple protocol unchecked makes it clear how security is prioritized internally. Aside from seriously damaging the brand reputation and user trust, CEO Mark Zuckerbeg is now facing direct legal action from U.S. authorities in response to the breach due to improper protection of personal data.

Meanwhile, only regular checks and preventative measures help me to sleep at night. Even if the problems are unpleasant to hear and require some work to be fixed, it’s preferable to the alternative of sleepwalking into a security crisis.

Featured eBook
Speed and Scale: How Machine Identity Protection is Crucial for Digital Transformation and DevOps

Speed and Scale: How Machine Identity Protection is Crucial for Digital Transformation and DevOps

Digital transformation requires new approaches to security, demanding the protection of machine identities that enable authentication and encryption required for secure machine-to-machine communication. Solving machine identity protection challenges within DevOps environments, requires a fundamentally new approach. Information Security teams must deliver a frictionless, automated solution that allows DevOps engineers to seamlessly provision and manage certificates ... Read More
Venafi
Lukasz Skowronski

Lukasz Skowronski

Lukasz Skowronski works at intive as Senior Principle Software Engineer. He has 12 years of experience in work for digital agencies and their clients. Since 2013 focused on Sitecore and digital transformation. So far Lukasz has been recognized three times as Most Valuable Professional in Sitecore community

lukasz-skowronski has 1 posts and counting.See all posts by lukasz-skowronski