As more company websites run on open source applications like Drupal and with corporate blogs powered by WordPress, more victims may suffer from hacks and costly exploits. Learning jQuery learned this lesson the hard way. Before they took a serious look at hardening the open source platform, embarrassing and costly attacks wrought havoc. Other companies that haven’t taken proper precautions to insulate themselves against such threats could face the same fate.

We’ll highlight some security issues that open source Web applications pose and propose solutions if you’ve considered making open source applications part of your business.

Common vulnerabilities in open source Web applications

Like you, hackers love that open source Web applications are free and provide easy access given their “open” source code. If, for example, a hacker can deploy a script to steal information or take control of a Web application on a single piece of hardware, he can easily reproduce these devastating results to affect multiple users or multiple websites that share the same code base. Here’s why:

Locking down open source Web applications
Knowing is half the battle, and there are many tactics to lock down open source Web applications. To succeed in your online business and gain the trust of end users, proper protection is paramount.

Let’s use Learning jQuery, a customer of FireHost, as a backdrop for discussing common breaches to open source and what can be done to achieve better protection for the rest of us. They experienced a SQL injection that exploited an open security vulnerability in the database layer of WordPress. WordPress and other content management system (CMS) providers work hard to stay ahead of SQL injection vulnerabilities by addressing them proactively via patches. Unfortunately, Learning jQuery’s site was an early victim of this particular problem.

A number of techniques can help prevent your open source powered web application from falling victim to attacks like these:

• Application hardening (includes OS and databases) Operating system and database installations should be completed carefully. Avoid default settings and maintain strict permissions controls. Rewrite file extensions to mask the application type, and remove all unnecessary functions and features to close as many virtual “holes” as possible. Additionally, patch, patch, patch. Particularly in an open source environment, updates go far in preventing compromises. The same rules also apply to scripting languages that may be used on your server.
• Server hardening Remove information (such as response headers) that could help a bot or hacker identify the version and type of application running on a server. Patch and perform frequent manual checks of server logs to help identify unusual occurrences.
• Strong passwords and access controlImplement passwords containing alphanumeric, uppercase, lowercase and special characters, and never use dictionary terms. Additionally, reset them regularly. Control access to administrative passwords and grant database credentials only on an as-needed basis. Never use an SA or root account for the database user, block all public and port access to site administrator areas, and refrain from opening up a server to any ports, except 80/443 because these ports are required to transmit web pages over HTTP or HTTPS respectively.
• System log monitoring Watch your system logs closely and ensure that no unauthorized login attempts are successful. Run vulnerability audits and scans on your application regularly (quarterly at minimum) to help identify threats, breaches and suspect activity quickly.

Cyclically, hackers innovate and adapt while CMS providers just try to keep up. Web application firewalls (WAFs) help bridge the gap between hackers’ innovation and CMS providers’ patching. WAFs inspect Web traffic before it can reach the code and block suspect visitors from reaching your services. The ability to block an attack increases exponentially when WAFs team up with intrusion prevention and intrusion detection systems, and other network-level barriers. Had this type of network-layer protection been in place, Learning jQuery’s site might have never experienced an onslaught of malicious attacks.

Keeping open source Web application breaches at bay

The growth and popularity of open source content management systems have changed the security landscape and made traversing it more perilous. But with the help of a developer or technical engineer experienced in securing Web applications (and their hosting environment), you can implement these methods and keep cyber-thieves at bay. With proper precautions, attention to detail and commitment to maintaining your open source websites, companies that use (or plan to use) open source Web applications can have a successful and fruitful run.

SIDEBAR:

More on web application and Linux security:

Installing the ModSecurity Web application firewall on Red Hat Enterprise Linux

Common security flaws to check for on your Linux-based Web systems

Linux security guide: Linux, open source security tools and tips

A look at real-world exploits of Linux security vulnerabilities

A version of this article was published in TechTarget.

DrupalCamp’s mission is to bring Drupal users and developers of all levels together to discuss and connect with other Drupal enthusiasts.

A variety of topics will be covered by great Drupal experts attending the conference:

• Accelerated Grid Theming – NineSixty, by Nathan Smith and Todd Nienkerk
• Theming from a Developer’s Perspective, by Lauren Roth
• Is Drupal Right for My Website, by Lee Raney

FireHost will be speaking about Drupal’s vulnerabilities and offer suggestions on how to secure your Drupal installation at the closing presentation, so make sure you stick around for the whole event. You can view the full event schedule here.

Registration is only $30, so reserve your spot at drupalcampdallas.org today.

Drupal’s Massive Appeal to Companies
The list of entities using Drupal includes large companies, like Sony and Warner Brothers. Organizations such as Human Rights Watch and the federal government’s Recovery.gov use Drupal too. The reasons for Drupal’s widespread appeal are many. Aside from being completely free to use, Drupal’s open source nature encourages active enhancement by thousands of developers around the world. The bottom line is simple, Drupal is constantly becoming better and better, without costing a dime.

The vibrant Drupal developer community includes dozens of “Drupal Camps” throughout the world, each with hundreds of attendees. Hosted by experienced Drupal users and developers who volunteer their time and knowledge, these camps are designed to foster innovation of the Drupal platform, educate new users, and spread the use of Drupal among web developers.

The Downside of Open Source Platforms
As beneficial as Drupal is when developing and managing your website, it is vulnerable to web application exploitation by malicious hackers. Since the Drupal source code is freely available to anyone, hackers have scoured the code for ways to exploit websites that use Drupal. The result can be devastating, including theft of private company and customer information.

FireHost Helps Secure Open Source Solutions
FireHost specializes in protecting websites and open source applications like Drupal from exploitation by malicious hackers. We use advanced web application firewalls, intrusion detection systems, and intrusion sniffing protocols to prevent attacks and exploitation before it starts. Our industry leading security measures allow you to confidently embrace all the wonderful aspects of Drupal, without the constant worry that accompanies the threat of malicious attacks.

FireHost is firmly dedicated to the idea every business and individual deserves the opportunity to conduct business and express themselves online without the risk of an attack by a hacker. Using Drupal to develop and manage complex website applications, with the security promise of FireHost, provides dynamic content for your website. To get started, contact a FireHost Agent today.

Drupal is a powerful and popular open source CMS (content management system) which enables users to build and showcase dynamic website applications. Becoming a favored tool in website development, Drupal is utilized by thousands of companies, such as Yahoo, Warner Bros, and The New York Observer. Equipped with a powerful blend of features, Drupal supports a variety of websites ranging from personal weblogs to large community-driven websites.

By using Drupal plug-ins, your website can provide beneficial features such as an internet forum, blogging platform, customizable layouts, individual user accounts, RSS feeds, and many more exciting possibilities. Since Drupal is an open source application, it is completely free to use, making it essentially a “priceless” CMS.

As with all open source applications however, security can be a drawback. Since Drupal’s code is readily available to anyone, hackers have an easy opportunity for exploitation and malicious attacks. If your hosting provider doesn’t provide adequate protection and prevention, your website will be at risk. Traditional firewalls only provide network-layer protection, leaving website applications vulnerable to exploitation. FireHost addresses this security risk by providing three layers of application security.

For our clients, this means an easily managed and content-rich website thanks to Drupal, and the “sleep at night” confidence which comes with FireHost secure hosting. More information on secure Drupal hosting is available on our website.