Risk
8/25/2010
05:03 PM
50%
50%

Careful With That Third-Party Web Widget

Smaller businesses are more likely to use third-party Web applications on their websites -- and they are less likely to scan such code

Small- and midsized businesses use a lot of third-party Web applications: It saves them money and allows them to embed expertise that they might not otherwise have. But it can also open up their business and their customers to attack.

The recent Network Solutions incident shows how this practice can go very wrong: Ten days ago, the Internet domain provider learned that a Web-services widget that it had placed on at least 120,000 parked Web pages was infecting visitors with malware. The firm reportedly downloaded the widget, known as the Small Business Success Index, on third-party online directory WidgetBox.

As more businesses continue to use third-party code in their websites and import content from other sites, the security of their visitors increasingly relies on others.

"Over the past five years, Web 2.0 has taken the world by storm," says Neil Daswani, chief technology officer of Web scanning firm Dasient. "As a website administrator, your security is actually dependent on a bunch of third parties, so you should make sure to monitor all your code and widgets."

Network Solutions is not the only Internet company to inadvertently host malicious code on its website. A year ago, The New York Times infected an unknown number of visitors with a rogue program after fraudsters posed as a legitimate advertiser and submitted a virus-laden ad to the news service. Other websites -- such as Snapple.com, BusinessWeek and Fox News -- have had to deal with similar problems, Daswani notes.

The impact on a business hosting rogue code on its website can be dramatic and long-term. If Google flags a site as malicious because it's hosting rogue code, traffic can drop by as much as 95 percent, Daswani says. "We have received feedback from customers that even when the resolve the issue and their site is un-blacklisted, there still is an impact on their traffic," he says.

Solving this issue is not easy. There is no standard or accepted way to certify that code is safe and secure, says Andy Chou, chief scientist for code scanning firm Coverity. "In other industries, there are certifications for certain quality measurements of the products," Chou says. "There are lots of ways in other industries to show the consumer what they are getting. In software, there is nothing like that -- the users have to test it themselves."

Companies should scan programs for malicious software or Trojan horses on a regular basis, security experts say. Developers can use a static scanner to scan source code for security vulnerabilities. Run-time scanners and antivirus scanners can be used to detect malicious activity in widgets and programs before they are posted to a website.

However, the sites should be checked frequently as well, says Wayne Huang, chief technology officer of site-scanning firm Armorize. "A combination is a good approach," Huang says. "Source-code scanning has its limitations, but so does honey-client-type Web scanning."

Security experts don't expect more companies to regularly scan their sites until a larger number suffer from issues similar to Network Solutions.

"This is an area that people are only now waking up to," says Coverity’s Chou. "From our experience with software development organizations, all of them have substantial portions of their resources built by third parties ... Anywhere where software is used, it is put together from different sources."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2130
Published: 2015-03-05
Cisco Secure Access Control Server (ACS) provides an unintentional administration web interface based on Apache Tomcat, which allows remote authenticated users to modify application files and configuration files, and consequently execute arbitrary code, by leveraging administrative privileges, aka B...

CVE-2014-9688
Published: 2015-03-05
Unspecified vulnerability in the Ninja Forms plugin before 2.8.10 for WordPress has unknown impact and remote attack vectors related to admin users.

CVE-2015-0598
Published: 2015-03-05
The RADIUS implementation in Cisco IOS and IOS XE allows remote attackers to cause a denial of service (device reload) via crafted IPv6 Attributes in Access-Accept packets, aka Bug IDs CSCur84322 and CSCur27693.

CVE-2015-0607
Published: 2015-03-05
The Authentication Proxy feature in Cisco IOS does not properly handle invalid AAA return codes from RADIUS and TACACS+ servers, which allows remote attackers to bypass authentication in opportunistic circumstances via a connection attempt that triggers an invalid code, as demonstrated by a connecti...

CVE-2015-0657
Published: 2015-03-05
Cisco IOS XR allows remote attackers to cause a denial of service (RSVP process reload) via a malformed RSVP packet, aka Bug ID CSCur69192.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.