Creating a DIY Theme Security Audit

Photo by Walling on Unsplash

This article will, first of all, teach on how to come up with a security mindset. It will go further to explain the risks associated with website themes and a list of do it yourself to be able to carry out a theme security audit.

The aim of all these is to guarantee the security of your themes before passing them down to customers.

Due to the COVID 19 pandemic, most companies and businesses have digitalized most of their activities. We could use a recent example of a hack on the Divi WordPress theme due to an underdeveloped theme. It allows access for Hackers to take over the whole site.

How to build Security Mindset.

There are some guidelines you need to follow to be able to carry out effective security measures for your themes. It reduces vulnerability for users. These guidelines are:

  • Ensure your theme is updated:

Every day there is a new technology being developed out there, this means new means to hack themes. You need to make sure your theme is up to date. Manage your code often to reduce security threats and increase your user’s confidence.

  • Verify Data Inputs:

Always check any data inputs from users to your theme database. Ensure your filter and verify it to reduce any security threats.

  • Make use of trusted APIs:

It is advisable to only use APIs that you can trust for a balanced transaction. It reduces the security risk.

Biggest security risks to website themes.

Over the past few years, we have witnessed an increase in the vulnerability of themes. This does not end there as more websites are still prone to attacks. These are CMS-wise hacking statistics to back this up;

  • Statistics of WordPress Hacking:

The CVE provides details that XSS is the topmost threat in Word Press with 38.1%, next is code execution with 15.3%. The third threat is gain info with 12.7%.

  • Magento Hacking Statistics:

In order of details of Magento from CVE, we have XSS leading with 53.1%, code execution with 12.5% then Gain information also with12.5%.

  • OpenCart Hacking Statistics:

Remote Code execution is the largest threat for this with 45.5%. Then we have directory traversal and SQL injection with 20% each.

  • Prestashop Hacking Stats:

For Prestashop, Cross-Site does most of the attacks with 40.1%.

  • Joomla Hacking statistics:

XSS is the regular threat in Joomla.

You can find a list of risks in APIs and websites on the Open Web Application Security Project (OWASP). Some of them are;

  • Vulnerable backend access control
  • Weak backend access controls
  • Data leaks and exposure
  • Using components with known vulnerabilities
  • Security misconfiguration
  • Broken authentication and authorization
  • Insufficient logging and monitoring
  • Unsecure deserialization
  • Cross-site scripting (XSS)

A theme developer should take note of these risks, mostly the ones from unsecured codes.

 A Comprehensive Do-it-yourself list to create a theme security audit.

These dangerous risks that have been listed above bring the need for a security audit that requires a lot of processes. This list will help you through it;

  1. Carry out a data validation and sanitization test.

Data validation is the process of verifying data against a form of pattern while sanitization is for proper clean up of valid data before use. This is for external data like the user’s input and calls to web services through API.

This test will make sure that data is properly verified and filtered to prevent common security risks in your theme. There are some tools that you can use to carry out the data validation and sanitization test like DbFit, QuerySurge, ICEDQ, and so on

  1. Going through Data escaping output.

You should note that your data escaping has to be done properly. It is very important especially when you are outputting data.  This helps to secure your data from XSS attacks. It also ensures that SQL queries go through SQL escaping to avoid SQL injection attacks.

  1. Study and scan your ‘container’.

This is for those making use of container technology for development environments. You should scan frequently to avoid risks in the development processes. Study the images and check for vulnerabilities during your SDLC, it will show any security risk in your container.

The development team can create third-party software integrations so that software doesn’t affect the container.

  1. Do a Static Application Security Testing (SAST).

Performing a SAST will help to test and verify your code from within. It will detect security issues on time in your software development cycle. Finding out about security threats on time would help to save money and rearrange the code quickly. It is also known as white-box testing.

  1. Make use of a Software Composition Analysis (SCA) tool.

There is a probability that the code that is gotten from an outside organization to put in your development environment is not sanitized. You can make use of the OWASP dependency check to scan for risks and vulnerabilities in the code.

  1. Carry out Dynamic Application Security Testing (DAST).

This test( also known as black-box testing) helps to ascertain the ability of your theme application, containers, and clusters to resist hacking procedures that are employed to find vulnerabilities in your site. You can also make use of a DAST tool to crosscheck your theme application.

You can do a DAST when your theme application is on. In this case, the scanner tries to hack the application just like an attacker.

  1. Interactive Application Security Testing (IAST).

This is a mixture of both SAST and DAST. This makes it easier to cover a wider range of codes, find more accurate results and scan more risks. IAST does what SAST and DAST are unable to reach out to like hidden files and inputs e.t.c. the scanners can go through your application in any mode.