I recently read about a marketing agency that experienced a security breach and subsequent defacement of its customers’ websites. Apparently their developers had misconfigured the web server and unknowingly gave the whole world access to change any and all content at will. What interested me the most was the fact that out of the hundreds of businesses affected not a single one had apparently bothered to test the security of the website.

I can hear it now – and I’ve heard it a thousand times before – from marketing managers to developers to network admins: We don’t need to test our marketing site…it’s just a marketing site. This dangerous mindset and scenario are present in a large number of businesses today. What people making such decisions don’t realize – as was experienced by the previously mentioned defacement victims – is that their businesses’ reputations are on the line. Everything from banks to system integrators to manufacturing companies that were or are impacted by such breaches now has to determine how to explain what happened.

Do the victims just say: “Well, management decided that it was just our marketing site that didn’t have anything the bad guys would want so we decided not to test it for security flaws…”?

Perhaps they could go on to say: “We understand that such a breach makes us look unprofessional and come across like we don’t take our IT or the reputation of our business very seriously. And we know a simple and relatively inexpensive web security scanner could’ve uncovered the flaw that led to this situation, but we just couldn’t make the business case for it…”?

Seriously, folks?

Shame on the marketers and hosting providers as well for not doing even the most rudimentary web application security testing. As I’ve written in the past, I don’t recommend relying on vulnerability scans alone, but they’re certainly a very good start!

Ignoring this glaringly obvious elephant in the room is just inexcusable. I know, that’s easy for me to say being on this side of the equation. But not being able to justify even a simple scan of your marketing site using free or inexpensive tools that anyone with any level of computer experience can run? I don’t get it.

If you’re reading this blog, this is probably a non-issue. Just make sure you’re scoping your ongoing assessments to look at your marketing site and any associated content management system at least once or twice a year. You may be surprised what turns up. Beyond that, we can all work together and encourage other business owners, friends and family members who aren’t IT savvy to test for the low-hanging fruit even on their marketing sites. We’ll all benefit in the long term.

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.