With the latest news about the Sony breach (just the most recent in what seems like weekly headlines about hacking), I wonder how other companies address security. I know that utility companies and government agencies are required by regulation to be more stringent about security, but what about other organizations?
My experience has been that the focus is primarily on new features and on getting those features into production as quickly as possible. If security wasn't in the original requirements or specifications, chances are that it was not addressed, or possibly not even thought about. This can leave your website or WCMS open to attack.
For those companies that do take steps to keep their website secure, the usual approach is to run a canned security scan that checks for cross-site scripting (XSS) and SQL injection. That's definitely a good place to start. But what about application servers like CQ5? The standard SQL injection tests are unlikely to find anything, because the content lives in a JCR repository rather than a relational database, but that doesn't mean your CRX repository is safe from being queried. Why? Because CQ5 ships with an out-of-the-box query selector that allows repository queries to be sent via plain HTTP requests. If that entry point isn't properly blocked on the publish tier, any data in your CRX repository could be exposed. This includes user names, encrypted passwords, and custom source code.
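The usual way to close this hole on a public CQ5/AEM site is at the Dispatcher, by denying the query entry points in the `/filter` section of `dispatcher.any`. The fragment below is an added example, not part of the original post or of any Zap Technology Solutions product. It assumes that the "query selector" referred to above is the Sling default GET servlet's `.query.json` selector (my inference; the post does not name it), that the site also exposes AEM's QueryBuilder servlets under `/bin/querybuilder`, and that the Dispatcher version in use accepts the `/url` and `/selectors` filter properties. The rule numbers and the allowed content paths are placeholders for your own site.

```text
/filter
  {
  # Start closed: deny everything, then allow only what the public site serves
  /0001 { /type "deny"  /url "*" }
  /0002 { /type "allow" /url "/content/*" }       # placeholder: your site's content root
  /0003 { /type "allow" /url "/etc/designs/*" }   # placeholder: client libraries / designs

  # Deny the repository query entry points explicitly, even for paths allowed above.
  # The Dispatcher applies rules in order and the last matching rule wins,
  # so these deny rules must come after the allow rules.
  # Sling "query" selector, e.g. /content/site.query.json?statement=...  (assumed endpoint)
  /0101 { /type "deny"  /selectors "query" }
  # AEM QueryBuilder servlets, e.g. /bin/querybuilder.json  (assumed endpoint)
  /0102 { /type "deny"  /url "/bin/querybuilder*" }
  # Repository browser and OSGi console should never be reachable from the public side
  /0103 { /type "deny"  /url "/crx/*" }
  /0104 { /type "deny"  /url "/system/*" }
  }
```

Treat the Dispatcher filter as one layer, not the whole fix: a request that reaches the publish instance directly (for example from inside the network) bypasses it, so repository ACLs on the publish tier still have to deny anonymous read access to user nodes and source code. After deploying the filter, a request for `/content/<any-page>.query.json` through the Dispatcher should return 404 rather than a JSON result; if it still returns data, the allow rules are matching after the deny rules.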
We at Zap Technology Solutions have created a security scanner that is specifically geared toward scanning CQ5/AEM-driven websites. It's not a replacement for the scans that check for XSS or SQL injection; it's a supplemental scan that looks specifically for security issues that could be present on CQ5/AEM-based sites.
If you’re curious about your organization’s CQ5-based website’s security, scan it for FREE at http://scan.zapts.com. You may be surprised at the results.
After scanning your site, we're happy to help analyze the scan's results and talk about ways to close the security holes that are found.