As the spectacle that is the 2016 U.S. presidential primary season continues to unfold, candidates from all sides of the political spectrum are united in their widespread use of their own Websites to educate voters. Although all the candidates have Websites, not all are equal from a security perspective.
So who among the remaining crop of candidates has the most secure site?
Alex Heid, chief research officer at SecurityScorecard, has an answer. According to Heid's research, Republican front runner Donald Trump's Website ranks top in terms of security, while Democratic front runner Hillary Clinton's leaves much to be desired. Heid's analysis looked at the Trump, Cruz, Clinton, Sanders and Kasich campaign Websites.
SecurityScorecard develops and sells a service that rates the security of an organization, as measured by a number of externally facing attributes. In February, the company launched a new capability that enables visibility into the security of third-party suppliers. The risk for many organizations isn't always in their own infrastructure, but rather in the shared components that are pulled in from third-party suppliers.
Heid emphasized that the SecurityScorecard analysis of the presidential candidates' Websites did not involve any invasive penetration testing but, rather, is based on passive analysis.
"With the political Websites, we're able to get information just by looking at the IP addresses and by viewing the source code of the given Website," Heid told eWEEK.
Many modern Web browsers still enable any user to simply click "view source" to see the HTML a site serves. By looking at that code, such as a "generator" meta tag or the directory paths of the scripts and stylesheets the page loads, it's possible to determine what content management system (CMS) and what plug-ins are in use, often down to the version number.
"We're simply analyzing what is beaconing out—what anyone that knows where to look can find out about a Website," Heid said.
Heid's analysis showed some interesting commonality across the presidential candidate Websites. Sites that belong to the Trump, Cruz and Sanders campaigns all use distributed denial-of-service (DDoS) and Web application firewall (WAF) protection from security vendor CloudFlare. The Kasich (johnkasich.com) and Clinton Websites are both hosted on Amazon Web Services, and neither had a DDoS/WAF protection service in front of it.
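To make the passive technique concrete, here is an added example (written for this article, not SecurityScorecard's tooling) that infers the CMS, plug-ins and theme from a page's HTML, and the edge/hosting provider from response headers and the resolved IP address. It works only on data already in hand (saved source, captured headers, a resolved address) and sends no traffic. The sample page, headers, hostnames and IP prefixes are constructed for the example; the prefix table uses RFC 5737 documentation ranges as placeholders and must be replaced with the providers' published lists in real use.

```python
"""Passive Web site fingerprinting from HTML source, response headers and IP.

Added example, not SecurityScorecard's code. Nothing here connects to a
network; it analyzes material you already captured.
"""
import ipaddress
import re
from html.parser import HTMLParser

# PLACEHOLDER prefixes (RFC 5737 documentation ranges), not real vendor ranges.
# Replace with the published lists: https://www.cloudflare.com/ips/ and
# https://ip-ranges.amazonaws.com/ip-ranges.json
PROVIDER_PREFIXES = {
    "CloudFlare": [ipaddress.ip_network("203.0.113.0/24")],
    "Amazon Web Services": [ipaddress.ip_network("198.51.100.0/24")],
}

# Response headers CloudFlare adds when it fronts a site.
CLOUDFLARE_HEADER_MARKS = {"cf-ray", "cf-cache-status"}

# Asset path fragments that identify a CMS even without a generator tag.
CMS_PATH_MARKERS = {
    "WordPress": ("/wp-content/", "/wp-includes/"),
    "Drupal": ("/sites/default/files/", "/sites/all/", "/core/misc/"),
    "Joomla": ("/media/jui/", "/components/com_"),
}
WP_PLUGIN_RE = re.compile(r"/wp-content/plugins/([^/?#]+)/")
WP_THEME_RE = re.compile(r"/wp-content/themes/([^/?#]+)/")


class SourceCollector(HTMLParser):
    """Collects the page parts that leak stack details: the generator meta
    tag and every script/link/img URL."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
        if tag in ("script", "link", "img"):
            for key in ("src", "href"):
                if a.get(key):
                    self.urls.append(a[key])


def fingerprint(html, headers, ip):
    """Return what an outsider can infer from the page source, headers and IP."""
    collector = SourceCollector()
    collector.feed(html)

    cms, version = None, None
    if collector.generator:
        parts = collector.generator.split()        # e.g. "WordPress 4.4.2"
        cms = parts[0]
        version = parts[1] if len(parts) > 1 else None
    if cms is None:
        for name, markers in CMS_PATH_MARKERS.items():
            if any(m in u for u in collector.urls for m in markers):
                cms = name
                break

    plugins = sorted({m.group(1) for u in collector.urls
                      for m in [WP_PLUGIN_RE.search(u)] if m})
    themes = sorted({m.group(1) for u in collector.urls
                     for m in [WP_THEME_RE.search(u)] if m})

    hdrs = {k.lower(): v for k, v in headers.items()}
    edge = None
    if hdrs.get("server", "").lower() == "cloudflare" or CLOUDFLARE_HEADER_MARKS & set(hdrs):
        edge = "CloudFlare"

    addr = ipaddress.ip_address(ip)
    ip_owner = next((p for p, nets in PROVIDER_PREFIXES.items()
                     if any(addr in n for n in nets)), None)

    return {
        "cms": cms, "cms_version": version, "plugins": plugins, "themes": themes,
        "edge": edge, "ip_owner": ip_owner,
        # Without an edge/WAF service the resolved address is the origin itself.
        "ddos_waf": edge is not None, "origin_exposed": edge is None,
    }


# Constructed sample: a WordPress page behind CloudFlare (hostname is fictional).
SAMPLE_HTML = """<!doctype html><html><head>
<meta name="generator" content="WordPress 4.4.2">
<link rel="stylesheet" href="https://campaign.example/wp-content/themes/stump2016/style.css?ver=4.4.2">
<script src="https://campaign.example/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=4.4"></script>
<script src="https://campaign.example/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
</head><body></body></html>"""
SAMPLE_HEADERS = {"Server": "cloudflare", "CF-RAY": "2a1b3c4d5e6f-EWR", "Content-Type": "text/html"}
SAMPLE_IP = "203.0.113.10"   # falls in the placeholder "CloudFlare" prefix above

# Constructed sample: a Drupal page served straight from the hosting provider.
SAMPLE_HTML_DIRECT = """<html><head>
<link rel="stylesheet" href="/sites/default/files/css/css_abc123.css">
</head><body></body></html>"""
SAMPLE_HEADERS_DIRECT = {"Server": "nginx", "Content-Type": "text/html"}
SAMPLE_IP_DIRECT = "198.51.100.7"   # placeholder "Amazon Web Services" prefix

if __name__ == "__main__":
    print(fingerprint(SAMPLE_HTML, SAMPLE_HEADERS, SAMPLE_IP))
    print(fingerprint(SAMPLE_HTML_DIRECT, SAMPLE_HEADERS_DIRECT, SAMPLE_IP_DIRECT))
```

The second sample shows the Kasich/Clinton situation the article describes: the resolved address belongs to the hosting provider, no edge-service headers appear, and so the origin itself is what an attacker reaches. Note that a header like "Server: cloudflare" is only as trustworthy as the site that sends it; the IP-prefix check is the stronger signal.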
The Trump Website uses a content management system, which the SecurityScorecard analysis showed was properly configured, without an exposed administration panel. Trump also uses PayPal's Braintree payment processing system as well as the Republican party's VictoryParty.com payment processor.
"I don't want to say there were no misconfigurations on donaldjtrump.com; it's just that everything seems to be good to go from the outside," Heid said.
In recent weeks, hacktivist group Anonymous has publicly declared war on the Trump campaign, though, to date, the war hasn't brought down the Trump Website. Heid noted that there have been DDoS attacks against the Trump Hotels Website, but the main Trump campaign Website has yet to experience any measurable downtime. Heid credits Trump's use of CloudFlare for the Website's ability to withstand potential attacks from Anonymous.
"If you went to the donaldjtrump.com site over the last week or so, as Anonymous kicked off its attacks, there was some lag time, but the site has remained up," Heid said.