It may be a little sneaky, but cyber-security researchers at security, compliance and IT firm Tripwire went undercover to expose malpractice amongst freelance web developers.
Tripwire’s security boffins created a “non-technical persona” and placed an ad asking freelancers to build them a website. They received 25 offers, of which 17 were commissioned, with bids ranging up to $250 for the work.
Each of the developers was given the same emailed instructions, and then the fun began.
In the end, only ten completed projects were purchased, and every single one, Tripwire say, “was plagued with critical security failures”.
What were they? Not one of the websites protected documents from unauthorised users; none effectively prevented Tripwire’s team from uploading a PHP web shell (which hands an attacker command execution on the server); and several were guilty of “authentication bypass through basic SQL injection”, which means that “a completely anonymous user could gain access and take over the server.”
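To make the two most serious findings concrete, here is an added example (not code from Tripwire’s report or from any of the contractors’ sites) showing, in Python with an in-memory SQLite database, what a login routine that is vulnerable to “basic SQL injection” looks like beside a parameterised one that is not, plus a filename allowlist of the kind that would have stopped a PHP web shell upload. The table layout, the user record, the hash function and the attacker payloads are all constructed for the demonstration; a real site would use a proper password hash such as bcrypt or Argon2, and would store uploads outside the web root.

```python
import hashlib
import os
import sqlite3

# --- Constructed sample data -------------------------------------------------
def hash_pw(pw: str) -> str:
    # Plain SHA-256 keeps the example short; use bcrypt/argon2 in real code.
    return hashlib.sha256(pw.encode()).hexdigest()

def make_db() -> sqlite3.Connection:
    """In-memory users table with a single constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users (username, pw_hash) VALUES (?, ?)",
                 ("admin", hash_pw("correct horse")))
    conn.commit()
    return conn

# --- Authentication: vulnerable vs. hardened --------------------------------
def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The mistake behind 'authentication bypass through basic SQL injection':
    user input is pasted straight into the query text."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND pw_hash = '{hash_pw(password)}'")
    return conn.execute(sql).fetchone() is not None

def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: the input can never change the
    query's structure, so the quote/comment payload is just a username."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND pw_hash = ?",
        (username, hash_pw(password)),
    ).fetchone()
    return row is not None

# A classic bypass payload: closes the string, then comments out the password check.
BYPASS_USERNAME = "admin' --"

# --- Upload filtering ----------------------------------------------------------
ALLOWED_UPLOAD_EXT = {"pdf", "png", "jpg", "jpeg", "gif"}
SERVER_SIDE_EXT = {"php", "php3", "php4", "php5", "phtml", "phar"}

def upload_filename_allowed(filename: str) -> bool:
    """Allowlist the final extension and reject any server-side extension
    anywhere in the name (so 'shell.php.jpg' and '../shell.php' both fail).
    Extension checks alone are not enough: also store uploads outside the web
    root and never let the web server execute anything from that directory."""
    name = os.path.basename(filename)          # drop any directory component
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:          # no extension, or dotfile
        return False
    exts = parts[1:]
    if any(e in SERVER_SIDE_EXT for e in exts):  # double-extension tricks
        return False
    return exts[-1] in ALLOWED_UPLOAD_EXT

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass payload:", login_vulnerable(db, BYPASS_USERNAME, "anything"))
    print("hardened,   bypass payload:", login_safe(db, BYPASS_USERNAME, "anything"))
    print("hardened,   real creds:    ", login_safe(db, "admin", "correct horse"))
    for f in ("report.pdf", "shell.php", "shell.php.jpg", "../shell.php", ".htaccess"):
        print(f"{f!r:18} allowed={upload_filename_allowed(f)}")
```

Run against the constructed database, the vulnerable login accepts the `admin' --` username with any password, because the resulting SQL reads `... WHERE username = 'admin' --' AND pw_hash = '...'` and everything after `--` is a comment; the parameterised version treats the same string as a literal username and rejects it.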
Not only that, says Tripwire, but “deceptive practices and communication problems were also prevalent throughout our interactions with the contractors.”
Several developers attempted to secure payment outside of the hiring system, to avoid giving a cut to the platform through which they had pitched for the work, whilst others tried to split their payments across two or three separate jobs, allegedly to “inflate” their completed-jobs stats and improve their ratings on the hiring platform.
“It came as no surprise”, said Craig Young, principal security researcher at Tripwire, “to find that every single website was plagued with critical security failures; the process was riddled with communication issues and questionable practices from beginning to end.”
So, what do Tripwire advise? First of all, don’t hire low-budget developers for your website. But if you have to, or it is too late to back out of a deal, try to find out precisely what the developer’s experience is: can they “clearly restate your requirements in their own words?”
Be aware of language barriers and time-zone differences; can you communicate with the developer at a convenient time? Be aware of fake reviews, and be suspicious of “multiple reviews in a short period by the same set of people or with very similar writing styles.”
Oh, and “make clear up front that a successful security review will be an acceptable criterion.”
Don’t get fooled again!
To paraphrase George W. Bush: there’s an old saying in Tennessee; fool me once, shame on you; fool me twice, shame on me.
During the project, Tripwire advises, discuss appropriate milestones, and always make sure that security is “baked in from the beginning”.
And when the project completes, make sure you have your wits about you. Have the finished project scanned by a “web application vulnerability scanner” and if possible, “evaluated by a professional penetration tester before final payment is made.”
Going forward, you will also need to make sure that ongoing security reviews are completed; says Tripwire: “a plan must be developed to delegate responsibility for keeping application and operating system components up to date and free from known vulnerabilities.”
Surprise, surprise: it seems cutting corners doesn’t pay. If you are a web-based company, or a company that relies heavily on online traffic to make sales, you will not want a poorly built, vulnerable website.
It pays to be hands on. Thanks to Tripwire, you have been warned!