Many of you may already have heard about the OpenX vulnerability that resulted in “hackers” gaining total control over some servers running OpenX 2.8. The result: the attackers were able to serve their own ads, malicious ads, and pretty much take control of anything to do with the ads on some large websites, the Pirate Bay probably being the largest of them. As I am told, this wasn’t a direct result of OpenX’s own code; the flaw was in source code that OpenX had included from another open source project. OpenX still has to deal with the PR mess, though, because it shipped in their product.
This is one of the risks of open source software. In my opinion, risks like this are acceptable: without open source software like OpenX, WordPress, etc. the web would be a very different place. Open source software is a good thing. BUT, let this be a security lesson for those that build their businesses on top of open source software. How many developers had gone through this code without seeing this vulnerability? Certainly, proprietary software has security flaws too; closed source only makes them harder for an outsider to find, not harder to exploit once found.
Where there’s a will there’s a way
Software, by nature, is vulnerable. Computer systems are vulnerable. We saw this with the Twitter document leaks last year, and numerous other times over the years in the ad industry specifically. I don’t think anyone can proclaim that their software is “100% safe from an attack”. That type of statement is an open invitation to have your ass handed to you (pardon the expression). What we can do, however, is be “clueful” about what our software does, where it may be vulnerable, and work to reduce the risk. And, when something does happen, attack the issue and get it fixed. UPDATE: … like OpenX has done, please see the comment below from Michael at OpenX.
How we mitigate risk at BSA
The purpose of this is not to brag or invite others to test our defenses. The purpose of this is to communicate to our users that we take security as seriously as we take speed, user interface, and selling ads. We work hard to run an honest business and understand how much a security breach would hurt our business – our livelihood.
- We don’t allow Flash banner ads, only JPG, GIF, and PNG. Malicious ads usually involve Flash, because a SWF can run code in the visitor’s browser; a static image cannot.
- An automated auditing process for our ad code. Any 3rd party script you install on your website opens the door to a potential security issue, so the code we serve is checked against what we intended to serve.
- Healthy security practices. This involves password rotation, SSL everywhere, private keys, and the like.
- Zero access. This one is common sense. We have a “zero access” policy, where only long-standing BSA employees with a direct need to access servers get access. This is also required for payment processing compliance.
- Proprietary software. Almost every line of BSA was written by us, and where 3rd party “stuff” is involved, every interaction with that 3rd party software goes through native BSA scripts.
- Failover procedures. We have done very well with this in the past. We have failover procedures in place that let us “flip a switch” should there be any security issue.
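The first two items above (no Flash creatives; automated auditing of the ad code) are the ones that can be enforced by software rather than policy. What follows is an added example of both checks, written for this page and not BSA’s own code: the function names, the file layout, the baseline script and the sample uploads are all assumptions constructed for the example. The point of the first check is that the file extension a user picks is untrusted, so the creative is classified by its leading bytes and an SWF renamed to `.gif` is still rejected. The second check compares the ad tag an edge is actually serving against a SHA-256 fingerprint taken from the known-good copy, which is how a modified script would be caught automatically.

```python
"""Added example (not BSA's code): two automated checks for an ad platform.

1. validate_creative(): accept an uploaded banner only if the bytes really are
   JPG, GIF or PNG. The extension is untrusted; the content is sniffed by its
   magic bytes, and SWF (Flash) is rejected explicitly.
2. audit_ad_script(): compare the script a server is actually serving against
   a known-good SHA-256 fingerprint, so a modified tag is flagged.

Every sample input below is constructed for the example.
"""
import hashlib
import hmac

# Magic bytes of the three formats the text allows (checked against the start
# of the file; a production pipeline would also decode the image fully).
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
}
# SWF files start with FWS (uncompressed), CWS (zlib) or ZWS (LZMA).
FLASH_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
# Extensions the upload form accepts, mapped to the format they claim.
ALLOWED_EXTENSIONS = {"jpg": "jpg", "jpeg": "jpg", "gif": "gif", "png": "png"}


def sniff_format(data: bytes):
    """Return 'jpg', 'gif', 'png', 'swf' or None based on the leading bytes."""
    if data.startswith(FLASH_SIGNATURES):
        return "swf"
    for fmt, signatures in IMAGE_SIGNATURES.items():
        if data.startswith(signatures):
            return fmt
    return None


def validate_creative(filename: str, data: bytes):
    """Decide whether an uploaded creative may be stored and served.

    Returns (accepted, detail): detail is the detected format on success or
    the rejection reason on failure.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = ALLOWED_EXTENSIONS.get(ext)
    if claimed is None:
        return False, f"extension '{ext}' is not allowed"
    actual = sniff_format(data)
    if actual == "swf":
        return False, "Flash (SWF) content rejected regardless of extension"
    if actual is None:
        return False, "content is not a recognised JPG, GIF or PNG"
    if actual != claimed:
        return False, f"extension claims {claimed} but content is {actual}"
    return True, actual


def fingerprint(script: bytes) -> str:
    """SHA-256 hex digest used as the known-good reference for an ad tag."""
    return hashlib.sha256(script).hexdigest()


def audit_ad_script(name: str, served: bytes, known_good: dict) -> str:
    """Return 'ok', 'modified' or 'unknown' for the script a server is serving."""
    expected = known_good.get(name)
    if expected is None:
        return "unknown"
    # Constant-time compare; the digest is not secret, but it costs nothing.
    if hmac.compare_digest(fingerprint(served), expected):
        return "ok"
    return "modified"


# Constructed baseline: the ad tag as deployed from source control (assumption).
BASELINE_SCRIPT = b"(function(){document.write('<img src=\"/ad.png\">');})();\n"
KNOWN_GOOD = {"ad.js": fingerprint(BASELINE_SCRIPT)}

if __name__ == "__main__":
    # Constructed uploads: a genuine PNG header, and a Flash file renamed to .gif.
    print(validate_creative("banner.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
    print(validate_creative("banner.gif", b"CWS\x0a" + b"\x00" * 16))
    # A served copy with an injected redirect appended to the real tag.
    tampered = BASELINE_SCRIPT + b"location='http://example.invalid';\n"
    print(audit_ad_script("ad.js", BASELINE_SCRIPT, KNOWN_GOOD))
    print(audit_ad_script("ad.js", tampered, KNOWN_GOOD))
```

In practice the audit would be run on a schedule from outside the serving infrastructure, fetching each ad tag exactly as a publisher’s visitor would and comparing it against the fingerprint recorded at deploy time; any `modified` or `unknown` result is the trigger for the failover switch described in the last item above.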
Do you run open source software on your website? Do you have 3rd party scripts installed?
Here are some good articles to help you understand more about your website’s security and what you can do to mitigate risk: