Going over this January's IT and e-commerce news, I found it dominated by bad tidings about security issues in one web-based system or another. In quick succession, different web applications made the "security advisory" news: PHPMailer, Magento and Shopware.
As a matter of fact, no software vendor, whether delivering commercial or open source software, is immune to security bugs. The question is how the vendor deals with them.
I have personally seen a lot of odd things over time: software vendors calling a patch that fixes six possible XSS vulnerabilities a "security improvement", others calling the patch release a "security update". All these nice words hide and obfuscate the real thing: there is a security problem with the application. The fix has to be delivered to users and clients immediately, together with a clear, comprehensive and transparent announcement.
Why don't users move either?
- In the case of clients it is easy: there is a business relationship (a contract) between the two parties, and most likely the vendor has the client's contact information. It is harder in the case of users (e.g. of open source software): often no contact information is available at all. Any announcement made to the community will be picked up by active community members only, usually a small percentage of all users.
- Even if the client or user learns about the security issue, he tries to avoid the cost or time of implementing the fix. We often hear the lame excuse "Who would be interested in my clients?".
- Nearly all web applications nowadays allow functionality to be added via modules (plugins) and offer ways to override methods, templates and language files. If the developer isn't skilled enough to use these mechanisms and patches the core files directly instead, the project runs the risk of losing its updatability.
- The longer one waits with an update to the latest version, the more painful, time-consuming and costly it gets. Especially with security issues it is sometimes necessary to react within hours. In those cases you can simply patch your installation immediately, provided you were already running the previous version.
I am referring in particular to this (German) notice: https://www.heise.de/newsticker/meldung/Ueber-1000-deutsche-Online-Shops-infiziert-und-angezapft-3592281.html
This article is based on a press release of the BSI (the German Federal Office for Information Security) stating that at least 1,000 German online stores are still, or once again, affected by a security issue in Magento that the vendor fixed and published in October last year. Through this issue in older Magento versions, attackers can "skim" user data, including credit card numbers, directly from the checkout. Neither the shop owner nor the visitor of such a site would even notice the fraud.
Unfortunately, you could replace "Magento" here with the name of any other CMS or shopping cart software.
In this case, the vendor did everything to inform the users of its software. Press releases also pointed to the flaw. Integration agencies urged their customers to update, with lukewarm success: although these shop owners are responsible for their own and their clients' data, they simply refuse to release the budget for updating their online application, and may at the earliest wake up when their web application, their online store, the tool they make money with, stops working.
This is my burning plea to all of you running an online business on the basis of a web application:
- Calculate a maintenance budget when you start your business that allows you to always stay at least close to the current stable release!
- Take security issues more seriously and start bearing responsibility for your clients! Even if there is nothing to see and your application is still running properly, there may be hidden attacks intended to steal your customers' data.
- Use the information channels offered! Most vendors offer the possibility to register for an informational channel of your choosing. This may also work selectively, as in these examples: https://oxidforge.org/en/shop/news/feed for important general news, or https://oxidforge.org/en/shop/development-security/feed for information about security issues. This way you don't have to be part of the active community and still receive this important information.
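Subscribing to a feed only helps if somebody actually reads it, so a small poller that runs from cron and reports unseen advisories is the practical follow-up. The script below is an added example, not code from the original post or from the OXID project. It parses an RSS 2.0 or Atom document, compares entry ids against a JSON state file, and returns only the entries it has not reported before. The feed document embedded in it is constructed for the demo and does not reproduce real advisories; the real feed layout of the oxidforge URLs above is assumed, not verified, and the `example.invalid` links, the `SAMPLE_FEED` text and the state file name are all made up for illustration.

```python
"""Poll a vendor security feed (RSS 2.0 or Atom) and report entries not seen before.

Added example, not part of the original post or of OXID's own tooling.
SAMPLE_FEED below is CONSTRUCTED; the real feed at
https://oxidforge.org/en/shop/development-security/feed may use a different layout.
Note: xml.etree does not resolve external entities, but for feeds from untrusted
hosts the defusedxml package is the safer parser choice.
"""
import json
import os
import urllib.request
import xml.etree.ElementTree as ET

ATOM_NS = "{http://www.w3.org/2005/Atom}"

# Constructed sample feed (fictitious bulletins, invalid links on purpose).
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
<channel>
  <title>Example security feed (constructed)</title>
  <item>
    <title>Security bulletin 2017-01 (constructed)</title>
    <link>https://example.invalid/security/2017-01</link>
    <guid>https://example.invalid/security/2017-01</guid>
    <pubDate>Mon, 09 Jan 2017 10:00:00 +0000</pubDate>
  </item>
  <item>
    <title>Security bulletin 2016-12 (constructed)</title>
    <link>https://example.invalid/security/2016-12</link>
    <guid>https://example.invalid/security/2016-12</guid>
    <pubDate>Thu, 01 Dec 2016 10:00:00 +0000</pubDate>
  </item>
</channel>
</rss>
"""


def parse_feed(xml_text):
    """Return a list of (id, title, link) tuples, in feed order.

    Handles RSS 2.0 (<rss><channel><item>) and Atom (<feed><entry>).
    Falls back to the link when an entry has no guid/id.
    """
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    entries = []
    if root.tag == "rss":
        for item in root.iter("item"):
            link = (item.findtext("link") or "").strip()
            ident = (item.findtext("guid") or link).strip()
            entries.append((ident, (item.findtext("title") or "").strip(), link))
    elif root.tag == ATOM_NS + "feed":
        for entry in root.iter(ATOM_NS + "entry"):
            link_el = entry.find(ATOM_NS + "link")
            link = link_el.get("href", "") if link_el is not None else ""
            ident = (entry.findtext(ATOM_NS + "id") or link).strip()
            entries.append((ident, (entry.findtext(ATOM_NS + "title") or "").strip(), link))
    else:
        raise ValueError("unsupported feed format: %s" % root.tag)
    return entries


def new_entries(xml_text, seen_ids):
    """Entries whose id is not in seen_ids, keeping feed order."""
    return [e for e in parse_feed(xml_text) if e[0] not in seen_ids]


def load_seen(path):
    """Load the set of already-reported entry ids from a JSON state file."""
    if not os.path.exists(path):
        return set()
    with open(path, "r", encoding="utf-8") as fh:
        return set(json.load(fh))


def save_seen(path, seen_ids):
    """Persist the reported ids so the next run only reports newer advisories."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(sorted(seen_ids), fh)


def check_feed(xml_text, state_path):
    """One polling cycle: report unseen entries and record them as seen."""
    seen = load_seen(state_path)
    fresh = new_entries(xml_text, seen)
    seen.update(e[0] for e in fresh)
    save_seen(state_path, seen)
    return fresh


def fetch_feed(url, timeout=10):
    """Download a feed over HTTP(S). Network access; not used by the offline demo."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Offline demo on the constructed feed; "security-feed-state.json" is a made-up name.
    for ident, title, link in check_feed(SAMPLE_FEED, "security-feed-state.json"):
        print("NEW: %s <%s>" % (title, link))
```

For real use, replace `SAMPLE_FEED` with `fetch_feed("https://oxidforge.org/en/shop/development-security/feed")`, keep the state file somewhere persistent, and have the cron job mail or page whatever the script prints; an empty run means nothing new. Keying on the `guid`/`id` rather than the title avoids re-alerting when a vendor edits an advisory's headline.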
Please feel free to drop a comment if you see different aspects or want to add something.