In recent years, a host of third-party technologies have come along to help developers more easily create eye-catching, interactive sites. These tools helped knock down the barriers to entry for web development and enabled small businesses to create the same types of cutting-edge sites as large corporations.
But as the internet democratized and evolved, so did hackers. Cyberattacks have increased in frequency and complexity, often targeting these same third-party tools that can be helpful and necessary.
Each year, the Cybersecurity & Infrastructure Security Agency (CISA) publishes a list of the top ten most routinely exploited vulnerabilities. Microsoft products dominated the 2020 list, accounting for 8 of the top 10, mostly due to the massive shift to working from home as a result of the pandemic.
But Microsoft wasn’t the only target for cyber criminals. CISA lists a number of other common web development platforms, such as Apache Struts 2 and Drupal, all experiencing their own vulnerabilities in recent years.
The increase in cyber attacks has made it essential for website owners to pay close attention to the tools used during web development. Crucially, site owners need to suss out any technologies that might leave vulnerabilities for malicious actors to take advantage of, thereby putting your visitors in danger. With danger comes distrust, something small business owners can’t afford to gamble with.
Here are four particularly vulnerable web development technologies and some tips on how to deal with them.
Those around for the golden days know that the early, wild west era of the internet was built on Flash. Upon its release in 1996, Adobe Flash enabled amateur designers to create videos, games, and interactive websites, helping to make the internet experience more fun and interesting.
Back in the good old days of Flash, the internet was a wonderland, a sandbox for digital creativity. But it wasn’t long before hackers figured out the platform’s weaknesses and stopped the party cold.
Over the past two decades since its creation, Flash has been plagued with massive vulnerabilities, even compared to other open-source technologies. The National Vulnerability Database tallied 1,222 vulnerability reports for Flash Player since 2002, with the most recent occurring in 2020 and receiving the highest possible threat rating.
In 2017, Adobe announced that they would phase out Flash, with its official death knell arriving on December 31, 2020. While users are no longer able to update Flash, there still remain many websites with Flash elements present, despite the security risks involved.
Due to its irrelevance and weak security, it’s time to retire Flash once and for all. Flash had a good run, and it helped make the internet what it is. However, it’s services are no longer needed.
Pro Tip: Flash may be gone, but its spirit remains. HTML5 has become the new standard, performing many of the same tasks as Flash, while being more customizable and compatible with mobile devices. As opposed to Flash’s closed, proprietary system, HTML5 is an open source solution for creating video, audio, web applications and more. Due to its ease and security, HTML5 has been adopted by most browsers and social media sites, including Facebook and Youtube. Google even announced in 2019 that they would ditch Flash in favor of HTML5 on its browsers, further delivering the death blow.
Apache Struts 2
Apache Struts 2 is a popular open-source framework for creating web applications in Java. Released in 2013, Apache Struts 2 boasts the ability to “help developers create flexible, maintainable, and secure web applications,” and features integrated elements ideal for enterprise web development.
While Apache Struts 2 remains popular, it’s been host to a number of vulnerabilities in recent years. Apache Struts 2 first received infamy a few years ago after playing a role in the massive Equifax data breach that put 143 Americans’ data at risk. In that case, hackers exploited a loophole in Struts’ parsers, called Jakarta, which enabled hackers to remotely run malicious code.
The Equifax breach occurred in 2017, but Apache Struts 2 has experienced additional vulnerabilities since then, such as a similar loophole found in 2018. The latest vulnerability occurred in December 2020 with the discovery of forced OGNL, an expression used by Struts, that could enable Remote Code Execution.
Pro Tip: Hearing all these scary stories might urge website owners to want to migrate to an alternate framework such as Spring, Node.js, or Django. However, migration is costly, both in terms of resources and time, and may not be necessary. Migration means learning a whole new framework and may put your site at risk due to unknown vulnerabilities existing on the new platform. Due to its ease of use and popularity, it may be worth sticking with Apache Struts 2, with an attitude of caution.
Apache Struts 2 provides a running list of security bulletins to address ongoing vulnerabilities and other security issues that arise, along with links for security upgrades. Be sure to check in frequently because new issues pop up all the time and you don’t want to be left vulnerable.
Similar to Apache Struts 2, Microsoft’s .NET framework allows developers to create web applications for desktop and mobile. The creation of .NET in 2002 was intended to relieve developers of low-level security and management tasks, while providing an integrated interface.
In 2014, Microsoft released .NET Core, a cloud-friendly, open-source version of the framework and eventually united its entire platform in 2019 with the release of its .NET 5.0 development platform. The platform was easy-to-use and quicker to learn than Apache Struts 2, but also possessed some unwanted security loopholes. Stack.Watch tracked over a dozen vulnerabilities hitting the .NET Core framework from 2018-2020, the latest being a zero-day bug widely exploited by hackers.
Despite the scary news, Microsoft has done a good job of patching these vulnerabilities as they occur. The .NET platform continues to be a valuable tool for web developers and is safe to use as long as website owners stay vigilant about updates.
Pro Tip: In February, Microsoft released a patch of security updates as part of their Patch Tuesday event. The updates fix 56 security vulnerabilities, including the aforementioned zero-day bug. As always, stay updated and stay safe.
Drupal is a widely-used, open-source web content management platform that provides a back-end framework. While similar to other CMS platforms like WordPress, Drupal offers more expanded customizability, making it the go-to platform for university systems nationwide, along with corporations like T-Mobile, Best Buy, and NBC.
As one of the largest content management platforms, Drupal is a constant target for malicious cyber criminals, always on the hunt to find an undiscovered hole in the platform’s security. While Drupal has gained a reputation for safety and employs various means for additional security, vulnerabilities still occur, with the most common being remote code execution.
Drupal experienced its first wide-ranging vulnerability in 2014 when a SQL issue was discovered, later dubbed “Drupalgeddon.” The Drupal security team gave the SQL vulnerability a 25/25 on its threat scale, signaling a highly-critical state. The vulnerability was quickly patched up, but didn’t prevent 2018’s “Drupalgeddon 2,” a Remote Code Execution vulnerability affecting Drupal versions 6, 7, and 8.
Pro Tip: Despite Drupal’s history of vulnerabilities, they’ve done a good job of quickly providing patches and security updates. Drupal posts an updated list of security advisories on its site, along with the specific updates to remedy the issue. In addition to keeping up on the latest updates, it’s also helpful to use HTTPS to add an additional layer of security to your site.
Trust and Vulnerability
As a website owner, you are expected to keep your visitors safe from any potential attacks by malicious actors. Typically, one data breach is all it takes to lose all the trust you’ve cultivated with your users, making it essential that you stay up on your site’s security and understand the risks coming from third-party technologies.
By understanding which technologies may present security issues and how to fix them, you’re taking a proactive approach to keeping your visitor’s safe, a fundamental factor in developing your site’s digital trust. To go a step further, consider getting your DigitalTrust Trust Score, which scans your site for over 50 trust factors including usability, safety, reputation, and transparency. Based on your site’s trust score, you may qualify for a free trustmark, a clear visual indication that a third party has deemed your site trustworthy.