How Sitefinity CMS Effectively Fights Critical Security Vulnerabilities
How Sitefinity CMS Effectively Fights Critical Security Vulnerabilities

In recent times, millions of websites using open-source web content management systems have been threatened by captious security flaws that can take down websites and shake the core out of an organization’s principles and business dealings. To put it in perspective, a highly critical flaw that measured a 24/25 on the severity scale, posed a major threat over a million websites using open-source CMS. The flaw would allow the hackers to penetrate the site through URL, without any need for login or authentication details. Such flaws leading to cyber breaches have increased multifold in recent years and are becoming the biggest challenge for the IT teams of the organizations.
A surge in the breaches has also led the companies to incur greater costs due to site downtime and other associated aspects, making their budgets go completely haywire while severely impacting customer relationships. According to a recent study conducted by Information Technology Intelligence Consulting, the estimated average cost of downtime for most large enterprises is $300,000 per hour. This cost can reach over $5 million/hour for industries like government, real estate, finance, transportation, and many other sectors.
The data breach can severely impair the customer relationships and it can be established by various studies. As per the reports by Gemalto, 70% of consumers gave an affirmative answer when questioned whether they would discontinue business with an organization that has experienced any form of a data breach.
Therefore, CMS proves to be the founding brick of all businesses and secured content management like the one Sitefinity CMS offers, the most crucial aspect of this digital foundation. To ensure better security and data protection, the fundamental need is to understand the risks and the nature of the threats and understand how Progress Sitefinity protects your business from them.
A dedicated community in the industry, The Open Web Application Security Project (OWASP), listed down the top security risks for websites assessing the risks on four important criteria, namely, exploitability, prevalence, ease of detection, and technical impact, marked on a scale of 1 to 3 with 3 indicating highest risk impact.

Here’s a list of top 5 security risks that pose threats to the business websites.

Source: OWASP Top 10 – 2017

Let’s discuss each vulnerability in detail and understand how Sitefinity CMS is doctoring them to provide your business with a safe and secure web environment to operate in:

Risk Exploitability Prevalence Ease of Detection Technical Impact
Injection Flaws 3 2 3 3
Broken Authentication 3 2 2 3
Sensitive Data Exposure 2 3 2 3
XML External Entities 2 2 3 3
Broken Access Control 2 2 2 3

Risk 1: Injection Flaws

A common but a potent threat, injection flaw allows the hijackers to transmit malicious code to another system using an application. This malignant code leads to the execution of unintended commands and data access without authorization. Flaws like SQL injection can lead to usage of external programs, calls to operating system and backend databases.
How Sitefinity CMS handles injection flaws:
Applications providing an interface that either eliminates the use of any interpreter or disclosing a properly structured parametrized interface, are two robust ways to protect injection flaws like SQL injection.
Sitefinity CMS boasts of combining the strength of both of these to ensure that the attackers cannot go through your applications. Not carrying out a single SQL statement, it, in fact, signals the underlying provider managing data access through Data Access ORM, a powerful object-relational mapping tool. Internally, Data Access also provides parametrized interface keeping parameters separate from the command itself, effectively avoiding the injection attacks.

Risk 2: Broken Authentication

Identity authentication and session management are routine functions widely used by the admins, and the customers to handle their data on your website. Protection of identities and authentication steps ensures them that their data is secure on your site. However, weak or broken authentication protocols can give the attackers temporary or permanent access to the users’ or admins’ identities allowing them to commit all kinds of deceitful activities.

How Sitefinity CMSensures highly-secure authentication model:

Setting up a multi-factor authentication model is an effective way to protect the sites against such authentication attacks.Sitefinity CMS application accommodates three authentication models that are in compliance with international security standards.
Based on OAuth 2.0 and OpenID Connect protocols, the default authentication mode makes use of the IdentityServer3- a secured framework and a hostable component, allowing the users to carry out single sign-on and access control for web applications and APIs. Sitefinity CMS ensures strong encryption for the stored passwords and its default settings demand a minimum of 7 characters for a password. The session and timeout settings are also eminently secured.

Risk 3: Sensitive Data Exposure

In recent years, exposure to sensitive data has become one of the most prevalent forms of cyber-attacks and the biggest reason is the poor coding system and weak APIs protecting the sensitive data stored on the sites. It gives attackers an opportunity to remove, modify, or steal the highly confidential information of its users and the site.

Actions are taken by Sitefinity CMS to protect the sensitive data:

Sitefinity CMS only stores the essential set of sensitive data mandatory for the smooth functioning of the product. For the data at rest, it uses a cryptographic API, enabling the developers to build and transfer data in a secure environment, especially over nonsecure media like the internet. The cryptographic API uses robust algorithms like storing password hashes, secret key encryption, and many others. The data in transit also needs secure API-driven encryption. We staunchly suggest using TLS protocols with perfect forward secrecy (PFS) ciphers, cipher prioritization by the server, and security parameters. The developers can enforce TLS encryption by configuring it using HTTP Strict Transport Security (HSTS) directives and public key pins header (PKP) in the web security module of Sitefinity CMS.

Risk 4: XML External Entities

Evaluating or processing the external references inside XML documents is the key task of XML processors. However, poorly configured or dated XML processors can come under attackers’ eyes and can be exploited in all sorts of fraudulent ways.

How Sitefinity CMS protects XML processing:

For all XML processing, Sitefinity relies on Microsoft .NET Framework parsers and the libraries and frameworks are frequently updated to the latest versions, which are deemed highly secure by the OWASP Top 10 – 2017. It ensures all XML files that the system is processing comes from trusted sources, with the exception of user-uploaded SVG images. Additionally, the XXEs can be prevented by removing the XmlResolver and disabling the disallow-doctype-decl processing.

Risk 5: Broken Access Control

An unstructured or indigently enforced framework restricting the allowed actions of the authenticated users can come under the attackers’ radar leading them to misuse information, or carry out cyber theft.

How Sitefinity CMS manages better access control:

Sitefinity CMS always checks and reviews the authentication permissions for every undertaken operation and command, thereby making it essentially impossible to externally surpass security gateways through malignant URL, service calls, or APIs.
Hence, Sitefinity CMS is fully-equipped to efficaciously manage the challenges of the modern-day cyber threats while innovating web management solutions. Recognized as a leader in web content management, Sitefinity understands the importance of data protection and security to maintain and grow a healthy business with the customers.