
Packages and Modern Security

5 years ago
source link: https://www.tuicool.com/articles/hit/vU7nIfA

Security in web applications is getting really, really weird.

We’re seeing security breaches in major companies on a constant basis nowadays. Our personal information is getting leaked, all around the world, all the time.

From my personal experience, I also feel that web applications are, paradoxically, the most secure they’ve ever been.

The Before Times

Before I started programming, I audited the security of web applications for bug bounties.

At that point it seemed like pretty much everyone had their own custom-written, PHP-driven CMS. They were solving security with hacked-together regular expressions that removed unwanted text from inputs (if they thought about security at all).

SQL Injection and XSS vulnerabilities were easily found on many websites, and a lot of people were just learning about the importance of hashing passwords.
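As an added example (not code from the original post), the contrast the last two paragraphs describe, written out in Python: a blacklist regular expression "sanitiser" whose output is concatenated into a query, beside the parameterised query, output escaping and salted password hashing that the frameworks later made the default. The table contents, names and inputs are constructed sample values, and the function names are assumptions of this example.

```python
"""Added example, not from the original post: the pre-framework 'strip bad text
with a regular expression' approach beside the defaults the frameworks later
provided (parameterised SQL, HTML output escaping, salted password hashing).
Table contents and inputs are constructed sample values."""
from __future__ import annotations

import hashlib
import hmac
import html
import os
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table, the kind a hand-rolled PHP-era CMS would have."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")],
    )
    return conn


# --- The 'before': a blacklist regex, then string concatenation into the query ---
_BLACKLIST = re.compile(r"['\";]|--|\b(?:OR|AND|UNION|SELECT)\b", re.IGNORECASE)


def regex_sanitize(value: str) -> str:
    """Deletes characters and keywords the author considered dangerous.
    Legitimate input containing them (an apostrophe in a surname) is
    silently mangled, which is the first sign this is the wrong tool."""
    return _BLACKLIST.sub("", value)


def lookup_by_name_regex(conn: sqlite3.Connection, name: str) -> list[str]:
    # The query text is still built from user input; only the blacklist stands in the way.
    sql = "SELECT email FROM users WHERE name = '" + regex_sanitize(name) + "'"
    return [row[0] for row in conn.execute(sql)]


# --- The 'after': bound parameters. The SQL text is constant; the input is only data. ---
def lookup_by_name_param(conn: sqlite3.Connection, name: str) -> list[str]:
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# --- XSS: escape at output time rather than filtering at input time ---
def render_comment(text: str) -> str:
    """Any stored text is safe to place in HTML element content once escaped here."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


# --- Password storage: salted, iterated hash instead of the plaintext ---
_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise it as hardware improves


def hash_password(password: str, salt: bytes | None = None) -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return f"pbkdf2_sha256${_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, password: str) -> bool:
    _, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)  # constant-time comparison


if __name__ == "__main__":
    db = make_db()
    print(lookup_by_name_regex(db, "O'Brien"))    # [] : the filter broke a real name
    print(lookup_by_name_param(db, "O'Brien"))    # ['obrien@example.com']
    print(lookup_by_name_param(db, "alice' --"))  # [] : treated as a literal string
    print(render_comment("Tom & Jerry <3"))       # <p>Tom &amp; Jerry &lt;3</p>
    rec = hash_password("correct horse")
    print(verify_password(rec, "correct horse"), verify_password(rec, "wrong"))
```

The tell in the regex version is the false positive: a user actually named O'Brien can no longer be looked up, because the filter has to guess which characters are data and which are syntax. The parameterised version never makes that guess; the database receives fixed SQL and a separate value, so any string, hostile-looking or not, is matched literally. The same idea carries over to XSS (escape at the point of output, where the context is known) and to passwords (store a salted, iterated hash and compare in constant time).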

The Rise of the Frameworks

Wordpress came along and started changing everything.

Suddenly, website owners had a default level of security. They didn’t need to know as much about SQL Injection or XSS or CSRF or null-byte injection or any of the other various ways web applications could be attacked.

Use the framework, follow the documentation, and everything would be fine.

I use Wordpress as an example of a larger movement towards prepackaged, large, customizable web applications as the basis for a website. There were phpBB forums, wikis, re-skinned web games, turnkey Facebook/Youtube clones... Many large CMS systems and frameworks became popular.

The Flaw

Then came the rise of 0-day exploits on the web. Attackers took advantage of the wide distribution of this prepackaged software and used these exploits to attack large numbers of applications, databases and servers that all had the same bug.

It seemed like an all-out digital war for a while. Major Wordpress exploits were being revealed every other day. Remote code execution and SQL injection exploits were everywhere and very well known. If you didn’t keep your CMS up to date, you had a bull's-eye on your back.

The Turning Point

But then, slowly but surely, the frameworks started to win the war. The ongoing efforts of the major CMS and framework providers accrued and finally hit a turning point. Exploits came out more slowly and were often less severe or less widespread.

Frameworks continued to become the norm and helped to make the web more secure by default.

But, as the web became more complex, plugins to those frameworks became popular.

The Rise of the Packages

Giant frameworks were never designed to handle all the complex needs a webmaster could dream up. They were built as a foundation that could be customized by plugins or packages to create more complex or niche behavior.

The Flaw

The problem was that these packages were often thrown together and sold by a single person or small group of programmers.

We were back to the same problem we had with custom-coded scripts.

Even today, not many programmers have security training, and it’s not a mandatory part of many education systems. These plugins were just as insecure as the websites that preceded frameworks.
