It has been reported that through the use of an automated testing toolkit, a team of South Korean academics has discovered 30 vulnerabilities in the file upload mechanisms used by 23 open-source web applications, forums, store builders, and content management systems. When present in real-world web apps, these types of vulnerabilities allow hackers to exploit file upload forms and plant malicious files on a victim’s servers. These files could be used to execute code on a website, weaken existing security settings, or function as backdoors, allowing hackers full control over a server.
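The difference between a file upload check that can be bypassed and one that holds up is mostly about what the server trusts. As an added illustration (not code from the study or from any of the audited applications; the function names and the signature table are assumptions), here is the weak client-trusting pattern beside a hardened validator in Python:

```python
import os
import re
import secrets

# Constructed allowlist: extensions the application serves, each paired with the
# file signature ("magic bytes") the content must start with.
ALLOWED_SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}


def naive_is_allowed(filename: str, content_type: str) -> bool:
    """The weak pattern: trusts the client-supplied name and Content-Type header.
    Both are set by the uploader, so this does not constrain what gets stored."""
    return content_type.startswith("image/") and filename.lower().endswith(
        (".png", ".jpg", ".jpeg", ".gif")
    )


def hardened_check(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, stored_name). The stored name is generated server-side,
    so the client's name never reaches the filesystem or the web server's
    handler mapping. Store the file outside the web root and serve it via a
    handler that sets the Content-Type itself."""
    # Drop any directory component the client sent (path traversal attempts).
    base = os.path.basename(filename.replace("\\", "/"))
    # Exactly one dot and a plain name: rejects "x.html.png", "x.png." and
    # dotfiles such as ".htaccess".
    m = re.fullmatch(r"[A-Za-z0-9_-]+\.([A-Za-z0-9]+)", base)
    if not m:
        return False, ""
    ext = m.group(1).lower()
    sigs = ALLOWED_SIGNATURES.get(ext)
    if sigs is None:
        return False, ""
    # The bytes must match the claimed type, not just the name.
    if not any(content.startswith(s) for s in sigs):
        return False, ""
    # Random server-chosen name; keep the validated extension so the file is
    # served with the MIME type that was actually verified.
    return True, f"{secrets.token_hex(16)}.{ext}"
```

The naive check accepts a double extension such as `page.html.jpg` as long as the header says `image/jpeg`; the hardened check rejects it on the name alone and additionally rejects a correctly named file whose bytes are not an image.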
Working in cybersecurity is like being a musician or an athlete: no matter how good you are, you can always get better. Each of the 23 web applications has its own open-source team and its own processes for developing and testing the application.
No matter what process each of these open source teams is using, the independent assessment from South Korean academics was able to uncover file upload vulnerabilities. The same is true for all types of organisations—a fresh set of eyes, in the form of a penetration test or red team exercise, might well uncover additional vulnerabilities that you need to mitigate.
As always, the best defence is a proactive approach to security. This includes using a secure software development lifecycle (SSDL or SDLC), in which security is a consideration at every phase of development. Integrating automated security testing tools into your development lifecycle means you will be able to locate and fix more vulnerabilities before product release. Finally, having a third party examine your application from a security standpoint can uncover additional vulnerabilities and give you a chance to improve your internal process to catch similar problems in the future.