Websites developed by “budget” developers, without portfolios or references, tend to be plagued with critical security failures, research has shown.
For this project, the Tripwire Vulnerability and Exposure Research Team (VERT) took on a non-technical persona and hired nearly 20 developers to create a website, with bids going up to $250. Each developer’s sole job would be to provide source code for a website with specific required functions, utilizing a particular technology stack, in nine days.
Of the 17 commissioned projects, 10 websites were completed and purchased.
The researchers found that every website had critical security failures. Some notable findings were:
- Every website failed to protect any documents from unauthorized users.
- None of the websites effectively prevented hackers from uploading a PHP webshell (backdoor), which would provide them complete control over the website’s content and data.
- Several websites had authentication bypass through basic SQL injection, which would make it easy for an anonymous user to gain access and take over the server.
- Half of the websites contained SQL injection flaws that would allow attackers to manipulate website content and access customer data, as well as take control of the database server for use in other hacking campaigns.
“It came as no surprise to find that every single website was plagued with critical security failures,” said Craig Young, principal security researcher at Tripwire. “The process was riddled with communication issues and questionable practices from beginning to end.”
“If this were a real business project, it would have run over budget, past the deadline and have been very difficult to manage. On top of all that, the customer would have been left with an insecure website,” Young added. “We cannot reasonably expect data breaches to decrease if websites built by developers are not made with basic security measures built in.”
Website security considerations
While they do not recommend relying on low-budget freelance site development, here are a few tips to consider when it is necessary.
- Get a sense of whether the candidate will be well-suited for the job. Do they have experience with the necessary technology, and can they clearly restate your requirements in their own words?
- Language barriers and time zone differences also play a role, so be sure that you can clearly communicate with them and that they’ll be available during reasonable business hours.
- Beware of fake reviews or other tricks. Be suspicious of multiple reviews in a short period by the same set of people or with very similar writing styles.
- Make clear up front that a successful security review will be an acceptance criterion.
During the project:
- Discuss appropriate project milestones so that you may review the work to see that it’s progressing appropriately.
- Security should be baked in from the beginning. If you have a programming background, looking at the source to verify it uses “safe” functions consistently is an excellent idea. If not, consult with trusted partners who can help you learn what to look for.
- The finished product should at a minimum be scanned by a web application vulnerability scanner and ideally evaluated by a professional penetration tester before final payment is made. Third-party components can be a significant source of vulnerabilities as well, so it’s important to work with the contractor to create a list of all such components along with how to check for and install updates.
- A plan must be developed to delegate responsibility for keeping application and operating system components up to date and free from known vulnerabilities. Ongoing security reviews should also be performed to make sure nothing is missed and that new attack techniques do not apply to the application.