When it comes to improving the security of websites, one of the major roadblocks we see is that the security industry is often pushing people in the wrong direction, a direction it is heading itself. Instead of focusing on security basics, it pushes people toward more advanced solutions, which are not necessarily better than doing the basics. Take Trend Micro as an example: instead of keeping WordPress up to date with security updates (which are normally applied automatically), they tried to rely on a solution to block attacks, which didn’t stop one of their websites from being successfully attacked. Even after that, they didn’t update WordPress, which would have prevented the attack from succeeding in the first place.
The other day we came across Cloudbric, which “is a cloud-based web security service”, when they helped to spread false web security information put out by SiteLock and then repeated by SC Magazine. We were curious what kind of web security company would be unaware that it was spreading information that was rather obviously false, so we took a look into them. We found that they were also running an outdated version of WordPress on their website, while misleading people about what protects websites.
The company claims that 99 percent of websites are left unprotected, based on the incorrect notion that active protection is the only protection:
As the Trend Micro case shows, active protection can actually fail to provide protection that passive protection (such as keeping WordPress up to date) would have provided. So the claim that “Hosting services and CMS do not actually protect individual websites.” isn’t true; they do, to varying degrees.
Cloudbric seems to really believe the misleading information they are giving others, as they are still running WordPress 4.2.2:
That version was superseded by the security update 4.2.3 back in July 2015. Normally that and the subsequent 4.2.x updates would have been applied automatically by WordPress’ automatic background updates feature, so either Cloudbric disabled those or their server environment has an incompatibility with it (which they could help WordPress to resolve). After 4.2.3, they have also missed the next 10 security updates: 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.2.11, 4.2.12 and 4.2.13.
You have to wonder whether, when Cloudbric says that “Most unprotected website operators feel that proper web protection is expensive or unnecessary.”, that is based on their own feelings.
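The version check described above, as an added example that is not code from the original post or from any of the companies it discusses: a script that reads the WordPress generator tag from a page and counts the security releases in that branch which the site has missed. The sample HTML is constructed for the example, and the release lists contain only the versions named on this page, so extend them from the wordpress.org release notes before relying on the result.

```python
"""Report how many security releases a WordPress site has missed, given the
version it advertises.

Added example for this post, not code from the original page or from any
vendor discussed here. SAMPLE_HTML is a constructed front-page fragment;
in practice fetch the site's HTML (or /readme.html) yourself. The release
lists below contain only the security releases the post names; extend them
from the wordpress.org release notes before relying on the result.
"""
import re
from typing import List, Optional, Tuple

# Security releases named in the post and its comments, grouped by branch.
SECURITY_RELEASES = {
    "4.2": ["4.2.3", "4.2.4", "4.2.5", "4.2.6", "4.2.7", "4.2.8",
            "4.2.9", "4.2.10", "4.2.11", "4.2.12", "4.2.13"],
    "4.7": ["4.7.3", "4.7.5"],
}

# WordPress emits this tag on every page unless a theme or plugin strips it.
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)["\']',
    re.IGNORECASE,
)

# Constructed sample, mimicking a site still on 4.2.2.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 4.2.2" />
<title>Example</title>
</head><body></body></html>"""


def parse_version(version: str) -> Tuple[int, ...]:
    """'4.2.10' -> (4, 2, 10). Tuple comparison orders 4.2.10 after 4.2.9,
    which a plain string comparison would get wrong."""
    return tuple(int(part) for part in version.split("."))


def detect_wp_version(html: str) -> Optional[str]:
    """Return the advertised WordPress version, or None if the generator tag
    is absent. None means 'unknown', not 'up to date'."""
    match = GENERATOR_RE.search(html)
    return match.group(1) if match else None


def missed_security_updates(running: str) -> List[str]:
    """Security releases in the running branch that are newer than the
    running version. Only the same x.y branch is considered, since a site on
    4.7.x is not expected to apply 4.2.x releases."""
    current = parse_version(running)
    branch = ".".join(running.split(".")[:2])
    return [
        rel for rel in SECURITY_RELEASES.get(branch, [])
        if parse_version(rel) > current
    ]


if __name__ == "__main__":
    version = detect_wp_version(SAMPLE_HTML)
    if version is None:
        print("generator tag not present; version unknown")
    else:
        missed = missed_security_updates(version)
        print(f"running {version}; missed {len(missed)} security release(s): "
              + ", ".join(missed))
```

Run against the constructed sample it reports 4.2.2 with eleven missed releases (4.2.3 through 4.2.13). A missing generator tag only means the site hides its version; it is not evidence that the site is current.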
More Tolly Group Testing
One of the things we look at with companies providing security services that claim to provide protection is whether they provide real evidence to back up their claims (so far we haven’t seen one that does). Cloudbric claims its WAF provides “the most effective security”:
Penta Security’s web application firewall provides the most effective security. It was rated considerably higher than the widely known vendor Imperva’s technology. Cloudbric is known for higher performance and greater functionality than Incapsula. Sitelock and Sucuri are built on an open-source engine called Mod Security.
(They also claim that SiteLock’s WAF is based on Mod Security, when in fact SiteLock is actually reselling Incapsula’s service, which makes us suspicious of their claims about their own service.)
That claim seems to rest on a report by the Tolly Group. If you follow our blog you might recall the test they did for SiteLock, which it would probably be accurate to describe as rigged, as SiteLock provided the samples that its product was supposed to be detecting in the test.
Looking into the report for this company, the same thing was true:
A collection of 1,000 attacks were used to test the effectiveness of each solution, in both default and maximum security settings. This was run multiple times to ensure accuracy. The attack set was a random subset of attacks collected by Penta from Exploit-DB, 1337 Inj3ct0r, SQL Injection Wiki, fuzzdb and other online security communities.
We appreciate you checking out our site to learn more about Cloudbric and your interest in advocating web security. Definitely, updating your CMS is one of the basics in securing your website and we’re glad you brought this up!
Cloudbric’s WAF sits in front of our web server, so fortunately, our website isn’t left vulnerable. However, many website owners (w/o security) do not update their WordPress for other reasons – plugins may no longer work as intended and website owners may rather not undergo an approval process by their developers to apply those updates. But, we value your feedback and agree with encouraging other website owners by adhering to the same web security best practices. You’ll see that with our website renewal we’ve updated our WP version.
With regards to the importance of active protection, we stand by our belief that websites are generally left vulnerable without deploying any WAF solution. Website owners choose to deploy active protection like WAFs because addressing all vulnerabilities in a website through meticulous secure coding and design is very difficult for most. Rapidly evolving unknown and modified threats, for example, cannot be anticipated and dealt with in real-time by even the most expert of developers. Hence, we believe it is a fair assumption that websites without active protection face significant vulnerability.
In the comparison with SiteLock, you’ve mentioned that Cloudbric had missed 101 samples. However, we’d like to clarify that this is due to the nature of the testing conducted. As written in the report, the 1000 samples within the attack set included a hundred valid HTTP requests, to test for how accurately a WAF distinguishes between legitimate and malicious traffic (ability to avoid false positives). This is largely why 101 samples passed through detection.
Our renewed website contains updated content, so we’re glad you pointed out that the reference to SiteLock’s use of ModSecurity is not up-to-date – it’s now been removed! Thank you for engaging with our content – we’re glad to see that there are others who care and are passionate about website security and website cleanup!
Your comments only reinforce the impression given that your company doesn’t really understand security issues surrounding websites, even with your own website.
Let’s take a look at a few of the issues:
Actually most websites are keeping up to date with minor WordPress updates (which are the security updates) because they normally happen automatically. As what happened with Trend Micro not that long ago shows, updating WordPress actually provides better protection than using some security product over a website, as was mentioned in the post.
Issues with plugins would generally be caused by major updates, while your website wasn’t being kept up to date even with minor updates. Also, again, the minor updates normally happen automatically, so a developer wouldn’t be involved with them or need to give approval.
Your website is currently running WordPress 4.7.2, while the latest version is 4.7.5. Versions 4.7.3 and 4.7.5 are security updates. Not only have you not resolved whatever was causing you to miss minor updates, which normally would happen automatically, but even when you update you are lagging far behind, as version 4.7.3 was released in March.
This is somehow supposed to be an argument in favor of WAFs, but what you mentioned seems to apply more to WAFs than to securing code. From our experience the companies behind WAFs and other security products are, for example, not monitoring for the exploitation of zero-day vulnerabilities in WordPress plugins, and from what we have seen in testing WordPress security plugins against vulnerabilities, without knowledge of a vulnerability a security product is unlikely to be able to protect against it. So the idea that WAFs would provide better protection (or even any protection) against new threats doesn’t seem to match what is really going on.
At the same time, using secure coding practices is not all that difficult; it is more an issue of getting people to use them. Selling security products that claim to provide protection they don’t isn’t going to help with a focus on making code more secure. For example, if the money spent on those services were spent on services like our Plugin Vulnerabilities service instead, where we actually help to get vulnerabilities in WordPress plugins fixed, then everybody would be getting more secure code.