Daniel Cid is the founder and CTO for Sucuri. He’s also on the AlienVault Technology Advisory Board and is the founder of OSSEC HIDS. I interviewed him to get his thoughts on website security, and the security of content management systems (CMS).
Q: What are the most serious challenges and trends you are seeing with website security?
At a high level, the most popular CMS platforms (e.g., WordPress, Magento, Drupal, etc.) and frameworks are getting a lot better in terms of security, whether it’s secure-by-default configurations or employing more appropriate security coding and best practices. We rarely see major issues in the core of these applications, and even when they do have issues there is a system in place that helps streamline the process of patching environments at scale. The platform that is leading the charge on this is WordPress, and a perfect example of this system is best illustrated with the vulnerability we disclosed in the new REST API. Via their auto-update feature they were able to patch very quickly and effectively millions of sites in a one-week time period.
As impactful as these changes are, however, they aren't stopping the attacks and the compromises. Simply put, it’s not because platform security is the problem, but rather website security is much more complex than code or tools, and needs the people and processes behind it to remain secure.
Consider WordPress, for example. They have their famous 5-minute install. What a great message, and it has been huge in achieving their broad user adoption. Note, it actually takes a lot more than 5 minutes to secure and harden the environment, let alone configure it to be fully functional to your liking. That isn’t the message a webmaster wants to receive, and this becomes especially challenging when you take into consideration the technical aptitude of most of today’s webmasters - which is very low.
So I think the main challenge I see right now is that there needs to be a level of education to the people deploying websites. There are additional steps that go beyond the basic installation and configuration requirements, and it includes investing some energy into security. These steps need to be more visible, actionable and easier to adopt.
Q: Can just buying products really fix website security?
No. Technology alone will never be the solution; just buying a product won’t work at any level of security.
Note that we do sell a cloud-based security software (a WAF for websites), but we work very hard to have a dialog with our customers where we try to educate and communicate the importance of people, process and technology in their security posture.
Q: What do you think about OWASP and other organizations that are focused on web application security?
I think they are great. They are a powerful resource for developers and security professionals to be more aware of web application security issues.
Q: We hear a lot of fear, uncertainty and doubt (FUD) around WordPress security. What helpful advice could you give our readers who are using WordPress currently?
The problem in the WordPress security space is that the majority of users are not very technical, and there is also a lot of misinformation and disinformation being spread on what it takes to secure a WordPress site. This makes it extremely difficult for website owners to parse through the noise.
It’s very difficult to think through a strategy of parsing through good and bad information without diving into critical thinking and security knowledge.
The big thing I want website owners to think about, whether WordPress or another platform, is that they need to account for security when pushing their site live. Forget the "5 minute install" and focus on deploying it properly. Harden the server, PHP, and the web server and the application itself (e.g., WordPress, Drupal, etc.). Deploy tools to monitor its integrity, look for changes, watch the logs and be aware of what is happening there.
Q: It seems like CMS in general aren’t designed with security in mind up front. I was trying to troubleshoot a problem with our CMS recently and found out there really aren’t any log files available, aside from user logins / logouts and time content is submitted. Any thoughts on how security-conscious companies should deal with CMS?
Oh yes. One of the major complaints by many of us in security is exactly that. They often undervalue things like auditing and logging. It was such a problem, that for WordPress we built our own open source security plugin to help website owners log all the application logging activity (i.e., file changes, log ins, failed logins, plugin installations, new posts, etc.).
What's very useful for AlienVault USM users is that you can also push the audit trails to log files and have them monitored by log management tools and stored centrally.
Note also that security is a very broad term. CMSs are generally led and built by developers, so their focus is on the security that they see on their day to day and affects them - mostly secure development (to prevent vulnerabilities). They tend to forget that security is a lot more complex and requires more considerations.
Q: So, your company provides malware and DDoS protection. How would that mesh / integrate with a SIEM or a full threat detection solution like AlienVault USM / OSSIM?
It would mesh perfectly.
We actually offer website owners a suite of security tools as part of the platform. That includes things like continuous security monitoring, incident response, DDoS mitigation and exploitation prevention. Each of these tools can be integrated into any threat detection solution by outputting the results of each tool, providing your team full visibility. To facilitate this, we’ve built a fully extensible platform via APIs that allow our customers to export logs from our protection and monitoring solutions directly into SIEM or USM solutions.
Q: What are the big challenges with DDoS that interest you, in light of the recent DDoS on Brian Krebs’s blog? Are new technologies needed?
DDoS is generally a fight of pipes. Whoever has more network capacity wins, at least when we’re talking about volumetric attacks. That's a big challenge for most companies; they can never keep up with the capacity that the attackers have. You can buy DDoS appliances and push them to your network, but if the attackers can send more packets than your routers can handle, you are off. Shift this conversation to application DDoS attacks, and now things get a bit more complicated. Now we’re talking about resource consumption at the end point and application, requiring a very different level of skill and technology.
That's why I think the only way to handle DDoS is by using Cloud-based providers. The current technologies can handle it very well as long as they can keep adding more ports and bandwidth.
Q: Tell me more about yourself – a few things most people don’t know ☺
Well, many people don’t know this but I’ve been a BJJ practitioner for over 10 years (currently a brown belt).
I spend a tremendous amount of time and energy thinking about the space, specifically the latest trends.
I strongly believe in open-source principles and technical collaboration, regardless of who you work for. I believe that while we might be competitors, we should work to find a balance on ways we can work and share information. In the end, we’re all working towards the same end-game.
I’m also extremely passionate about logs and believe them to be one of the greatest undervalued assets within any organization's security apparatus; it’s why I originally built OSSEC.
I don’t listen to music, but love my AM radio talk shows.