Vendor Vigilance — Keeping Eyes on Suppliers

Stephen Yagielowicz

Sometimes the biggest threats to your website’s security may come from those closest to you; such as your employees and the guys writing your code. Beyond the intentionally malicious acts of disgruntled employees or competitive “spies,” simple incompetence and incomplete training regimens can easily lead to disastrous and even unrecoverable results — underscoring the need for proper workplace education and monitoring.

Part of this training (which applies equally well to website owners) involves learning to not just install any “unknown” software application that comes your way — no matter how appealing a particular app may seem.

All the bad guys need to do is put that “free download” app or software online and wait for the fish to bite.

Stick to brand name software whenever possible and you’ll be ahead of the game. While programmers (inhouse or otherwise) have long installed “backdoors” in their code that allows them to gain entrance to a particular system, the scope of these security vulnerabilities was limited, as this access was rarely shared with others. Today, however, the ubiquity of apps and plugins from many different publishers is escalating the issue to problematic proportions.

Open Source software is a culprit in all of this: as userbases swell, the platforms will become prime targets for criminals, who have access to the source code — and a willing audience of free loaders seeking to add the latest geewhiz feature, for free.

All the bad guys need to do is put that “free download” app or software online and wait for the fish to bite. Even if your security system tries to warn you, many folks may still install the program anyway; giving it the permission it needs to carry out its attack.

Android malware attacks initiated by free app installs, for example, were up by nearly 500 percent in 2011, so this isn’t something that just happens to the other guy.

WordPress users are also at risk — due to the enormous range of themes and plugins that are so readily available and tempting to try: one click and your site has a new feature — unfortunately sometimes, those new features are harmful and have access to your FTP information and database.

Sometimes, bad coding is to blame.

For example, a school kid writes a plugin for his computer class and posts it online. Little Billy might have gotten an “F” on that project due to its massive security holes and server resource hogging; but you don’t know that, you just clicked a free download link, thinking, “that’s exactly what I need.”

Other times, professional hackers and identity thieves are at work.

It’s all a matter of being able to trust your vendors; the suppliers that provide your company with its infrastructure — and with its greatest security threat. If you don’t know your vendors, you can’t really trust them; so be careful not to fall into that “free” trap and the bulk of your worries in this regard will be over.

Just remember, when in doubt, leave it out!