Posts tagged ‘Web Application Vulnerabilities’

July 1, 2013

Note to CSO: why companies don’t remediate vulnerabilities

A recent survey by WhiteHat Sentinel contains some industry data on the factors that inhibit companies from remediating vulnerabilities. Here is a summary of the research:

1) Lack of understanding of, and/or responsibility for, maintaining the code

2) Lack of knowledge, understanding or respect for the vulnerability

3) A third-party vendor is responsible for the affected code and that vendor is unresponsive

4) Insufficient budget to address the vulnerability

5) The risk of exploitation is acceptable and/or it is not a priority based on compliance

6) The solution conflicts with the business use case

The full report is available here.


June 21, 2013

How vulnerable is your WordPress site to attack?

A company called Checkmarx has released a report on the vulnerability of WordPress plugins to attack. Some of the data should be of concern to those companies that rely on WordPress to host their website or blogs. Here is a summary of the findings:
• 40% of the most popular plugins are vulnerable to common web attacks such as SQL Injection, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and Path Traversal (PT).
• 70% of the most common e-commerce plugins are vulnerable.

The report authors provide the following prescriptive guidance for web administrators:

1. Download plugins only from reputable sources. For WordPress, this means WordPress.org.

2. Verify the security posture of the plugin by scanning it for security issues

3. Ensure all your plugins are up to date

4. Remove any unused plugins
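As an added illustration of steps 1, 3 and 4 (this is not code from the Checkmarx report or from WordPress itself), the Python script below parses the comment header WordPress reads from each plugin's main PHP file and flags plugins that are outdated, inactive, or absent from a list of plugin-directory versions. The plugin sources, the active set and the directory versions are constructed sample data; a real run would read them from wp-content/plugins/, the site's active-plugin list and the WordPress.org directory.

```python
import re

# Field names WordPress reads from the comment header of a plugin's main PHP file.
HEADER_FIELDS = ("Plugin Name", "Version")

def parse_plugin_header(source):
    """Extract 'Plugin Name' and 'Version' from a plugin file's header comment."""
    header = {}
    for field in HEADER_FIELDS:
        m = re.search(r"^\s*\*?\s*%s:\s*(.+?)\s*$" % re.escape(field), source, re.M)
        if m:
            header[field] = m.group(1)
    return header

def version_tuple(version):
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def audit_plugins(plugin_sources, active_slugs, directory_versions):
    """Flag outdated, unused, and unknown-origin plugins.
    plugin_sources:     slug -> text of the plugin's main PHP file
    active_slugs:       slugs the site reports as active
    directory_versions: slug -> latest version listed in the plugin directory
    """
    report = {"outdated": {}, "unused": [], "unknown": []}
    for slug, source in sorted(plugin_sources.items()):
        installed = parse_plugin_header(source).get("Version", "0")
        if slug not in active_slugs:
            report["unused"].append(slug)          # step 4: remove what is not in use
        if slug not in directory_versions:
            report["unknown"].append(slug)         # step 1: not from the official directory
        elif version_tuple(installed) < version_tuple(directory_versions[slug]):
            report["outdated"][slug] = (installed, directory_versions[slug])  # step 3
    return report

# Constructed sample data standing in for a real plugin tree and directory lookup.
SAMPLE_PLUGINS = {
    "contact-form": "<?php\n/*\nPlugin Name: Contact Form\nVersion: 1.2.0\n*/\n",
    "gallery":      "<?php\n/**\n * Plugin Name: Gallery\n * Version: 2.0\n */\n",
    "shop-cart":    "<?php\n/*\nPlugin Name: Shop Cart\nVersion: 3.4.1\n*/\n",
    "mystery-seo":  "<?php\n/*\nPlugin Name: Mystery SEO\nVersion: 0.9\n*/\n",
}
SAMPLE_ACTIVE = {"contact-form", "shop-cart", "mystery-seo"}
SAMPLE_DIRECTORY = {"contact-form": "1.3.1", "gallery": "2.0", "shop-cart": "3.4.1"}

if __name__ == "__main__":
    for kind, items in audit_plugins(SAMPLE_PLUGINS, SAMPLE_ACTIVE, SAMPLE_DIRECTORY).items():
        print(kind, items)
```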

Please follow this link to access the full report: http://www.checkmarx.com/wp-content/uploads/2013/06/The-Security-State-of-WordPress-Top-50-Plugins.pdf

June 4, 2013

Why SSL does not protect web applications

The purpose of Secure Sockets Layer (SSL) is to secure message transmission on the internet. SSL certificates can be purchased from a reputable certificate authority (CA) such as VeriSign or Comodo. SSL has some clear benefits: encryption of messages prevents network sniffing, and without a valid SSL certificate it is hard for phishers to run phishing sites that resemble legitimate sites. However, use of SSL does not address the threat from a malicious cyber-attack targeting the web application itself. There is also ample evidence that some attackers prefer to attack SSL-secured web applications because the encrypted channel may obscure their malicious behavior from many of the standard commercially available scanning applications.