The perils of plug-n-play content management systems from the X-Force Report
As a long-time WordPress user and advocate, I'm always interested to see what the X-Force team has to say about the security of content management systems in its reports. The X-Force team recently released their IBM
First the good news: the percentage of reported vulnerabilities related to web applications has come down from 2012, at least so far. From the report:
"The majority of vulnerabilities that the X-Force team documents are those in web application programs, such as Content Management Systems (CMS). In the first half of 2013, 31 percent of vulnerabilities that were publicly reported are what we categorize as applications used on the World Wide Web. This number is down significantly from 2012 where we saw levels at 42 percent."
And there seems to be some progress on thwarting the tried-and-true types of attacks. As Figure 6 in the report shows, the number of reported SQL injection attacks decreased, while cross-site scripting attacks remained about the same:
That's some cause for optimism, and I'd like to think that the industry is turning the corner on making these types of attacks a thing of the past. But what about CMS-type applications? Here the report strikes another cautiously optimistic note: CMS vendors seem to be improving their security incident response processes. From the report:
"Major CMS vendors have embraced security and do a good job of patching their core software when security vulnerabilities are reported to them. Seventy-eight percent of all vulnerabilities reported in CMS were patched in the first half of 2013, while in 2012 we saw that only 71 percent of vulnerabilities were patched. Year over year we see that these vendors are doing a better job of keeping their products up to date with the most recent security coverage."
Of course the vendor has only part of the responsibility: issuing the patches. Getting CMS application administrators to actually apply the security patches is another matter entirely. One of the reasons I'm such a WordPress fan is that a) they make it easy to upgrade to the latest version and b) they have a great track record of not breaking backward compatibility in bug-fix releases, so people are willing to take the risk of actually installing the upgrade.
The dark side of the CMS picture, especially for WordPress, is that the architecture makes it extremely easy for third-party vendors to produce extensions to the core CMS. This is probably key to the popularity of CMSs in general, and I'm sure it's key to WordPress' popularity. But these third-party vendors don't have as good a track record:
Barely half of the known security vulnerabilities in CMS extensions have a patch issued by their vendor. That's inexcusable. But the practical lesson for people who deploy and run CMS systems is that every extension you add to your CMS is probably increasing the risk that your overall CMS environment has exploitable vulnerabilities for which there is no known patch. Yes, it's super easy to install plugins, but you have to have the self-discipline to check for CVE reports, and to check with the vendor about how it handles vulnerability reports, before you make your organization dependent on that cool plugin you just heard about.
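The self-discipline described above (knowing which extensions you run, which version each is at, and whether a known vulnerability in it has a fix) is easier to keep up if it is scripted. The following is an added example, not code from this post or from the WordPress project: it reads the standard WordPress plugin header block (the `Plugin Name:` and `Version:` lines WordPress itself parses from the first 8 KiB of a plugin's main PHP file) and sorts each installed plugin into "update available", "no patch exists" or "ok" against an advisory list. The plugin files and advisories here are constructed for illustration, and the advisory shape (`plugin`, `fixed_in`) is an assumption of this example; in practice the entries would come from the CVE reports and vendor notices you track for each plugin.

```python
"""Inventory WordPress plugins and flag known advisories with no patch.

Added example, not part of the original post. Plugin sources and the
advisory list are constructed for illustration (not real plugins or CVEs).
"""
import re
from typing import Dict, List, Optional, Tuple

# WordPress reads plugin metadata from a comment block at the top of the
# plugin's main PHP file (lines like "Plugin Name: Foo" or " * Version: 1.2").
_HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):\s*(.*?)\s*$", re.MULTILINE
)


def parse_plugin_header(php_source: str) -> Dict[str, str]:
    """Return {'Plugin Name': ..., 'Version': ...} from a plugin's header block."""
    found: Dict[str, str] = {}
    # WordPress only inspects the first 8 KiB; keep the first match per field.
    for key, value in _HEADER_RE.findall(php_source[:8192]):
        found.setdefault(key, value)
    return found


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '1.10.2' into (1, 10, 2) so comparisons are numeric, not lexical.

    Parsing stops at the first non-numeric piece (e.g. 'beta'), and trailing
    zeros are dropped so that '2.0' and '2' compare equal.
    """
    parts: List[int] = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def inventory(plugin_files: Dict[str, str]) -> Dict[str, str]:
    """Map plugin name -> installed version for every file with a valid header."""
    installed: Dict[str, str] = {}
    for _path, source in plugin_files.items():
        header = parse_plugin_header(source)
        if "Plugin Name" in header:
            installed[header["Plugin Name"]] = header.get("Version", "0")
    return installed


def assess(installed: Dict[str, str], advisories: List[dict]) -> Dict[str, List[str]]:
    """Group installed plugins by the action their known advisories call for.

    'update'    - a fixed version exists and the site is behind it
    'unpatched' - a known vulnerability with no fix: removal is the only mitigation
    'ok'        - no advisory, or already at/after the fixed version
    """
    report: Dict[str, List[str]] = {"update": [], "unpatched": [], "ok": []}
    for name, version in sorted(installed.items()):
        status = "ok"
        for adv in advisories:
            if adv["plugin"] != name:
                continue
            fixed_in: Optional[str] = adv["fixed_in"]
            if fixed_in is None:
                status = "unpatched"  # worst case wins, no point checking further
                break
            if version_key(version) < version_key(fixed_in):
                status = "update"
        report[status].append(name)
    return report


# Constructed plugin main files, keyed by their path under wp-content/plugins.
SAMPLE_PLUGINS = {
    "example-gallery/example-gallery.php": "<?php\n/*\nPlugin Name: Example Gallery\nVersion: 1.4.2\n*/\n",
    "example-forms/example-forms.php": "<?php\n/**\n * Plugin Name: Example Forms\n * Version: 2.0\n */\n",
    "example-stats/example-stats.php": "<?php\n/*\nPlugin Name: Example Stats\nVersion: 0.9\n*/\n",
}

# Constructed advisory list (not real CVEs): fixed_in=None means the vendor
# never issued a patch, which is the case the post calls inexcusable.
SAMPLE_ADVISORIES = [
    {"plugin": "Example Gallery", "fixed_in": "1.5.0"},  # patch exists, site is behind
    {"plugin": "Example Forms", "fixed_in": "1.9"},      # already at a fixed version
    {"plugin": "Example Stats", "fixed_in": None},       # no fix available at all
]


if __name__ == "__main__":
    for status, names in assess(inventory(SAMPLE_PLUGINS), SAMPLE_ADVISORIES).items():
        print(f"{status:9s} {', '.join(names) or '-'}")
```

Run against a real install, `inventory()` would be fed the contents of each `wp-content/plugins/<slug>/<slug>.php`; the "unpatched" bucket is the one to act on before an attacker does, since no amount of diligent updating helps there.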