Freelance workers have proven to be an extremely useful resource for many small companies in recent years, allowing for specialised expertise to be recruited when needed the most.
However, a new research report from security firm Tripwire has found that using such workers, particularly for IT projects, might actually be putting your business in danger of a major security breach.
The company set up an experiment which recruited 25 freelancers to create a site for a staged project.
Each developer received the same email with the exact same criteria, and 10 contractors were eventually chosen to create a finished project. However, when investigated by the Tripwire Vulnerability and Exposure Research Team (VERT), every single website was plagued with critical security failures.
This included the shocking finding that every website failed to protect any documents from unauthorised users, and that none of the websites effectively prevented hackers from uploading a backdoor, which would provide them complete control over the website’s content and data.
“It came as no surprise to find that every single website was plagued with critical security failures,” said Craig Young, principal security researcher at Tripwire.
“The process was riddled with communication issues and questionable practices from beginning to end.”
“If this were a real business project, it would have run over budget, past the deadline and have been very difficult to manage. On top of all that, the customer would have been left with an insecure website,” Young added. “We cannot reasonably expect data breaches to decrease if websites built by developers are not made with basic security measures built in.”
In order to not fall victim to the same flaws, Tripwire is advising companies looking for a new website or other related projects to be more thorough in the recruitment process, especially when looking at contractors from other time zones.
The firm also recommends scanning all finished projects with a web application vulnerability scanner at the very least, and ideally getting an evaluation by a professional penetration tester before final payment is made.