Improving Website Security with Static Page Generators

Oct 18, 2019 - AlasConnect


According to the Web of Profit Project, presented at the RSA Conference 2018, global cyber crime generates over one and a half trillion dollars ($1,500,000,000,000) annually. Individual cyber criminals profit significantly, with top earners making as much as two million dollars ($2,000,000) a year (more than many CEOs at top companies). Data has become the commodity of choice in this global criminal enterprise.

In a world with such economic incentives for bad behavior, reputable business owners are at a disadvantage. While you are working to grow your business, delight your customers and advertise your brand, you will also have to fight to keep your digital assets (website, social media accounts, intellectual property, reputation) secure.

Your Image, Reputation and Brand

You can’t get your good name back; once it is lost, it is gone forever.

As the old saying goes, your reputation is hard won and easily tarnished. Moreover, in an increasingly connected world, your online reputation, as portrayed through your digital marketing efforts, is all the more important for helping your customers find you. Many years ago a website was a “nice to have” for larger professional businesses, but now it is table stakes for simply being in business.

Unfortunately, low-cost website generators and commonly used content management systems (CMS, such as WordPress and Joomla) are susceptible to a wide range of vulnerabilities and compromises. To remain secure, they place a heavy maintenance load on business owners, who must keep their website, and every platform plugin it uses, up to date.

Historically, a “hacker” might have targeted a website, attempting to deface it for personal reasons such as ego or reputation. However, modern cyber criminals may target and compromise websites (often in subtle and hard-to-detect ways) for more nefarious purposes such as:

  • Malware propagation - using your website and hosting platform to target and deliver malware
  • Cryptocurrency mining - using a compromised web host to generate cryptocurrency, or worse still using a website to compromise website visitors’ devices for the same
  • Advertising fraud - circulating malware to generate false “clicks” and generate ad revenue
  • Hosting phishing content - using your website’s good reputation to host a page used in the perpetration of a phishing scam

How sites become compromised

Many modern websites are still relatively static in nature. For instance, your business website may have JavaScript-based animations or other visible components, but the underlying content and code are largely static data (e.g. biographical data about your company, information about your services). Unfortunately, many modern CMS platforms still dynamically generate web pages at load time. This dynamic method introduces significant attack surface which may result in the compromise of your website. It also slows page loads, worsens the user experience and hurts your search rankings.

  • Insecure/Unpatched Hosting - PHP and ASP.NET, being very common platforms for dynamic website hosting, often have security vulnerabilities and require frequent patching. Unfortunately, the process of patching can break functionality of higher-level software (such as your CMS plugins) that is critical for the display of website content. This situation often leads to a condition we sometimes call “version dependency hell” or more simply “using CMS plugins”.
  • Insecure/Unpatched CMS - Many CMS deployments are not well secured. While you would not leave your business unlocked at night with no one there, many business owners do just that with their website by failing to use proper password management methods or two-factor authentication to secure the administrative controls of their website. Further, just like your hosting platform, your CMS and its plugins require constant care and feeding to remain secure.
  • Cross-Site Scripting Vulnerabilities - Many web developers use third-party scripts to support page animations. While this practice allows them to quickly deliver a top-quality visual layout, it can introduce hidden vulnerabilities which may allow your website or your visitors to be compromised. As an example, if you are using a plugin to generate or arrange your website content that is not thoroughly vetted and audited, it could have hidden and malicious functionality embedded in it, designed to deliver a malicious payload. Cyber criminals have an inherent economic incentive to deliver extremely useful plugins with wide legitimate appeal for free. Further, security measures such as TLS cipher tuning, redirecting to HTTPS and security header implementation are often not considered at all in the rush to deliver a newly branded website launch.
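The last point above, that HTTPS redirection and security headers are often skipped at launch, is easy to check for once a site is live. The following script is an added example, not AlasConnect's code or part of any product it describes: it audits a pair of captured HTTP responses (one for the plain-HTTP origin, one for the HTTPS origin) against a baseline of redirect-to-HTTPS, HSTS with a one-year max-age and a handful of common security headers. The response objects and header values are constructed stand-ins, and the baseline itself is an assumed policy rather than one the article prescribes.

```python
"""Check a site's HTTP responses for the hardening steps that are often
skipped: HTTP-to-HTTPS redirect, HSTS and a few baseline security headers.
Added example, not AlasConnect's code. The responses below are constructed
stand-ins for what a client would receive."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Baseline a static site should meet (assumed policy, not a standard the
# article prescribes).
HSTS_MIN_AGE = 31536000  # one year, in seconds

REQUIRED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
)


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status code plus headers."""
    status: int
    headers: Dict[str, str]

    def header(self, name: str) -> Optional[str]:
        # Header names are case-insensitive, so compare lower-cased.
        for key, value in self.headers.items():
            if key.lower() == name:
                return value
        return None


def hsts_max_age(value: str) -> Optional[int]:
    """Parse the max-age directive of a Strict-Transport-Security value."""
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and raw.strip().isdigit():
            return int(raw.strip())
    return None


def audit(http_response: Response, https_response: Response) -> List[str]:
    """Return a list of findings; an empty list means the baseline is met."""
    findings: List[str] = []

    # 1. A plain-HTTP request must be redirected to the HTTPS origin.
    location = http_response.header("location") or ""
    redirected = 300 <= http_response.status < 400
    if not (redirected and location.lower().startswith("https://")):
        findings.append("http: request not redirected to https")

    # 2. The HTTPS response must carry each baseline header.
    for name in REQUIRED_HEADERS:
        if https_response.header(name) is None:
            findings.append(f"https: missing {name}")

    # 3. Where headers are present, check the values are strict enough.
    hsts = https_response.header("strict-transport-security")
    if hsts is not None:
        age = hsts_max_age(hsts)
        if age is None or age < HSTS_MIN_AGE:
            findings.append("https: hsts max-age below one year")

    xcto = https_response.header("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append("https: x-content-type-options is not nosniff")

    return findings


# Constructed sample responses: a freshly launched site that skipped
# hardening, and the same site after the redirect and headers were added.
UNHARDENED_HTTP = Response(200, {"Content-Type": "text/html"})
UNHARDENED_HTTPS = Response(200, {"Content-Type": "text/html"})

HARDENED_HTTP = Response(301, {"Location": "https://www.example.com/"})
HARDENED_HTTPS = Response(200, {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
})

if __name__ == "__main__":
    for label, pair in (("unhardened", (UNHARDENED_HTTP, UNHARDENED_HTTPS)),
                        ("hardened", (HARDENED_HTTP, HARDENED_HTTPS))):
        print(label, audit(*pair) or ["ok"])
```

In practice you would populate the two Response objects from real requests to your own site; the checker deliberately treats a present-but-weak header (a short HSTS max-age, a non-nosniff value) as a finding, since a header that exists but does nothing is the usual result of a rushed launch.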

Advantages of Static Page Generators

A new class of technologies for website creation, generally called static page generators, provides a significantly smaller attack surface, incredible flexibility and excellent page load time. While typically these tools are more “codey”, requiring some familiarity with HTML, CSS and JavaScript to generate a page, many hosting vendors are also developing “What You See Is What You Get” editing platforms leveraging these same underlying static page generators.

Some of the advantages of a static page generator include:

  • No Database, Scalable Performance - A statically generated website, unlike many CMS platforms, does not require the implementation or upkeep of a relational database. Moreover, page performance is scalable under load, without being bottlenecked by poor SQL query performance or undersized database hosting capacity.
  • Static Pages, Pre-Rendered - Using various compression methods, statically generated pages and associated front-end code can be efficiently packaged and compressed for optimal page load times. While it may seem trivial to improve from a 1 second page load to a fraction of that, many search engines penalize your website in terms of ranking due to poor performance. When AlasConnect moved its website to statically generated pages with significantly better load times, we saw a three-fold (3x) increase in organic search results on Google.
  • No CMS Exposure - Without a CMS to be compromised, you don’t have to worry about securing it. Moreover, many static page generators do not require extensive third-party plugins.
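To make the "pre-rendered, no database, no CMS" points concrete, here is a toy static page generator written for this article. It is an added example, not AlasConnect's site build or any part of Jekyll: page content lives in plain data, every page is rendered once at build time with HTML escaping applied to author text, and the output directory holds nothing but finished HTML, so the web server that eventually serves it runs no application code and queries no database per request. The page content, layout and output location are all constructed.

```python
"""Toy static page generator: pages are rendered once at build time from
plain data, so the web server only ever hands out finished HTML.
Added example, not AlasConnect's site or Jekyll's code; the site content,
layout and output directory below are constructed."""
import html
import os
import tempfile
from typing import Dict

# Constructed site content: the largely static data the article describes
# (company bio, services), keyed by the output file name.
PAGES: Dict[str, Dict[str, str]] = {
    "index.html": {"title": "Example Co",
                   "body": "We fix networks & websites."},
    "services.html": {"title": "Services",
                      "body": "Consulting <24/7 support>"},
}

# One layout shared by every page; placeholders are filled at build time only.
LAYOUT = ('<!doctype html><html><head><meta charset="utf-8">'
          "<title>{title}</title></head><body><h1>{title}</h1>"
          "<p>{body}</p></body></html>")


def render(page: Dict[str, str]) -> str:
    """Render one page. Author text is escaped so it can never become markup,
    which is the build-time equivalent of output encoding in a dynamic app."""
    return LAYOUT.format(title=html.escape(page["title"]),
                         body=html.escape(page["body"]))


def build(pages: Dict[str, Dict[str, str]], out_dir: str) -> Dict[str, str]:
    """Write every page under out_dir; return output path -> rendered HTML."""
    os.makedirs(out_dir, exist_ok=True)
    written: Dict[str, str] = {}
    for name, page in pages.items():
        target = os.path.join(out_dir, name)
        content = render(page)
        with open(target, "w", encoding="utf-8") as fh:
            fh.write(content)
        written[target] = content
    return written


def build_to_temp(pages: Dict[str, Dict[str, str]] = PAGES) -> Dict[str, str]:
    """Build into a fresh temporary directory (stand-in for a CDN upload)."""
    return build(pages, tempfile.mkdtemp(prefix="static-site-"))


if __name__ == "__main__":
    for path, content in build_to_temp().items():
        print(path, len(content), "bytes")
```

The security property to notice is where the rendering happens: the only code that ever touches the content runs on the build machine, and what is published is inert files, so there is no request-time template engine, plugin or database connection on the public host to patch or to misuse.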

At AlasConnect, we leverage Jekyll to deliver content on our website. It provides extremely fast, Content Distribution Network (CDN)-friendly and easily secured web pages, while also allowing us to easily control and automate the deployment of our website using modern tooling.

AlasConnect is a technology support and consulting company focusing on the needs of our business customers. If you are concerned about the performance or security of your website, please contact us so we can start a discussion about modernizing and securing your website or web platform application. We can be your ally in the fight against cyber crime.