As more company websites run on open source applications like Drupal and with corporate blogs powered by WordPress, more victims may suffer from hacks and costly exploits. Learning jQuery learned this lesson the hard way. Before they took a serious look at hardening the open source platform, embarrassing and costly attacks wrought havoc. Other companies that haven’t taken proper precautions to insulate themselves against such threats could face the same fate.

We’ll highlight some security issues that open source Web applications pose and propose solutions if you’ve considered making open source applications part of your business.

Common vulnerabilities in open source Web applications

Like you, hackers love that open source Web applications are free and provide easy access given their “open” source code. If, for example, a hacker can deploy a script to steal information or take control of a Web application on a single piece of hardware, he can easily reproduce these devastating results to affect multiple users or multiple websites that share the same code base. Here’s why:

Locking down open source Web applications
Knowing is half the battle, and there are many tactics to lock down open source Web applications. To succeed in your online business and gain the trust of end users, proper protection is paramount.

Let’s use Learning jQuery, a customer of FireHost, as a backdrop for discussing common breaches to open source and what can be done to achieve better protection for the rest of us. They experienced a SQL injection that exploited an open security vulnerability in the database layer of WordPress. WordPress and other content management system (CMS) providers work hard to stay ahead of SQL injection vulnerabilities by addressing them proactively via patches. Unfortunately, Learning jQuery’s site was an early victim of this particular problem.

A number of techniques can help prevent your open source powered web application from falling victim to attacks like these:

• Application hardening (includes OS and databases) Operating system and database installations should be completed carefully. Avoid default settings and maintain strict permissions controls. Rewrite file extensions to mask the application type, and remove all unnecessary functions and features to close as many virtual “holes” as possible. Additionally, patch, patch, patch. Particularly in an open source environment, updates go far in preventing compromises. The same rules also apply to scripting languages that may be used on your server.
• Server hardening Remove information (such as response headers) that could help a bot or hacker identify the version and type of application running on a server. Patch and perform frequent manual checks of server logs to help identify unusual occurrences.
• Strong passwords and access controlImplement passwords containing alphanumeric, uppercase, lowercase and special characters, and never use dictionary terms. Additionally, reset them regularly. Control access to administrative passwords and grant database credentials only on an as-needed basis. Never use an SA or root account for the database user, block all public and port access to site administrator areas, and refrain from opening up a server to any ports, except 80/443 because these ports are required to transmit web pages over HTTP or HTTPS respectively.
• System log monitoring Watch your system logs closely and ensure that no unauthorized login attempts are successful. Run vulnerability audits and scans on your application regularly (quarterly at minimum) to help identify threats, breaches and suspect activity quickly.

Cyclically, hackers innovate and adapt while CMS providers just try to keep up. Web application firewalls (WAFs) help bridge the gap between hackers’ innovation and CMS providers’ patching. WAFs inspect Web traffic before it can reach the code and block suspect visitors from reaching your services. The ability to block an attack increases exponentially when WAFs team up with intrusion prevention and intrusion detection systems, and other network-level barriers. Had this type of network-layer protection been in place, Learning jQuery’s site might have never experienced an onslaught of malicious attacks.

Keeping open source Web application breaches at bay

The growth and popularity of open source content management systems have changed the security landscape and made traversing it more perilous. But with the help of a developer or technical engineer experienced in securing Web applications (and their hosting environment), you can implement these methods and keep cyber-thieves at bay. With proper precautions, attention to detail and commitment to maintaining your open source websites, companies that use (or plan to use) open source Web applications can have a successful and fruitful run.

SIDEBAR:

More on web application and Linux security:

Installing the ModSecurity Web application firewall on Red Hat Enterprise Linux

Common security flaws to check for on your Linux-based Web systems

Linux security guide: Linux, open source security tools and tips

A look at real-world exploits of Linux security vulnerabilities

A version of this article was published in TechTarget.

SXSW Interactive is a “must attend” event for developers, designers, web marketers, and anyone else who does business online. Last year, almost 40,000 registered to attend, and 2011 is projected to be even bigger. The schedule reveals numerous opportunities for attendees to interact with the brightest minds in emerging technology. Networking events. Speaking events. Live music. A tradeshow. SXSW covers the whole gamut.

FireHost is vying for a speaker placement, and we need your help getting picked. If you’re planning to attend SXSW and have concerns about the security and integrity of your personal or corporate identity online, cast your vote for our presentation at Panelpicker.sxsw.com.

Our proposed topic answers the questions:

1. How is the security landscape changing online?
2. Is building a corporate blog on  and open source platform like WordPress safe?
3. How could some of the devastating hacks like TechCrunch have been avoided?
4. How do I find security vulnerabilities in my web application?
5. What role does secure web hosting play in keeping my site safe?
6. What are the most common developer mistakes that lead to cybercrime in open source?

Read the full synopsis and cast your vote at Panelpicker.sxsw.com.

We’ll see you in Austin.

In fact, websites that incorporate these features accounted for 21% of hacking incidents reported in the first quarter of 2009. The top threats to “socially enabled” websites are SQL Injections (21% of attacks), Authentication Abuse (18%), and Cross Site Request Forgery – CSRF (8%).

“Businesses often use open source applications like Community Server, WordPress, and Drupal to integrate social features into their websites. Every enterprise deserves the ability to keep content fresh by using blogs and forums. It’s great for marketing and user retention. We help facilitate these mediums by addressing vulnerabilities in open source software all the way from module installation to hosting,” encourages FireHost CEO, Chris Drake.

FireHost CTO, Kevin Wall explains why a holistic approach to site development and hosting is important.

“Often the application itself isn’t unstable; it’s the add-ons and plug-ins site owners use to extend the installation that cause problems. Our engineers are well-versed in the nuances of open source platforms. We’re different because we can help you navigate thru the many open source options available and determine which will achieve your marketing goals. Finally, we install open source applications in a way that helps protect you from hackers.”

To learn more about how FireHost can help secure your favorite open source platform, visit our secure platform hosting page.

“In 2009, we see three key trends that could impact IT security – a continued explosion of new malware variants, advanced web threats, and an uptick in threats related to social networking sites.” Mr. Salem reinforced that “cybercriminals are more sophisticated and driven than ever, and they operate in an increasingly profitable underground economy that makes it easy for them to not only buy and sell stolen information such as credit card data or even identities.”

Data from Symantec’s Global Intelligence Network indicates we have reached the point where there are more malicious programs created than legitimate programs every day, and that cyber attackers leverage vulnerabilities fueled by application code. Hackers compromise specific (often open source) websites, and then use them as a means for launching other attacks across the internet.

Hosting websites in a secure environment helps prevent malicious hackers from breaching files and applications and stealing confidential information, but you can to more to protect your identity. Partnering with a web host who also has expertise in website security is critical. FireHost’s team of security engineers works directly with clients to help identify and close vulnerabilities in programming and design that hackers can use to exploit your company.

To learn more about how we help remedy JavaScript and open source vulnerabilities, visit our Services page.