CIA for WordPress Developers (transcript)
David Brumbaugh • @DavidEBrumbaugh • #Team10Up • www.10up.com
A CIA MINDSET: PLANNING YOUR WORDPRESS SITE'S SECURITY (FOR DEVELOPERS)
David Brumbaugh - Web Engineer 10Up
A premiere web design & development consulting service provider, and a contributor to open platforms like WordPress.
70% OF WORDPRESS SITES VULNERABLE
OCTOBER 2013, INFORMATION WEEK:
That’s Over 100M Sites
These Vulnerabilities are Preventable
C.I.A.
Confidentiality
Integrity
Availability
WORDPRESS CIA CODING
• ENVIRONMENTAL FACTORS
• CODE FOR CONFIDENTIALITY
• CODE FOR INTEGRITY
• CODE FOR AVAILABILITY
CONFIDENTIALITY
• Personal Information
• Names, Email Addresses
• Customer Information
• Order History
• Sensitive Information
• Payment Information, Passwords, Health Data
IF THE HOST IS COMPROMISED - YOUR CODING DOESN'T MATTER.
CONFIDENTIALITY: HOSTING
CULTIVATE A GOOD RELATIONSHIP WITH THE HOST. AVOID "BLAME GAME".
WITH A NEW (OR LARGE) HOST I USUALLY START THE SUPPORT TICKET WITH: "I AM A DEVELOPER"
CONFIDENTIALITY - WORDPRESS
Front End vs. Back End
Roles and Capabilities
Built In and Custom
Business Decisions - Purpose of Code
Should Match Responsibilities
STANDARD ROLES
• Super Admin • Administrator • Editor • Author • Contributor • Subscriber
SAMPLE CAPABILITIES
• edit_users • activate_plugins • delete_others_pages • upload_files • edit_posts • read
USING CAPABILITIES IN CODE
CUSTOM ROLES AND CAPABILITIES
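The two slides above ("Using Capabilities in Code" and "Custom Roles and Capabilities") had their code on screen only. The following is an added example, not code from the talk or from 10up: it registers a least-privilege custom role and capability, cleans up on deactivation, and gates an admin action on that capability. The role, capability, nonce and function names are illustrative.

```php
<?php
// Added example (not from the talk): custom role + capability, and a handler gated by it.
// Names such as report_viewer, view_reports and cia_export_report are illustrative.
/** Create a least-privilege "report_viewer" role and grant the new capability to Editors as well. */
function cia_register_role_and_caps() {
    add_role( 'report_viewer', 'Report Viewer', array(
        'read'         => true,   // may see the dashboard
        'view_reports' => true,   // the only thing this role is for
    ) );
    $editor = get_role( 'editor' );
    if ( $editor ) {
        $editor->add_cap( 'view_reports' );   // Editors keep their built-in caps and gain this one
    }
}
register_activation_hook( __FILE__, 'cia_register_role_and_caps' );

/** Roles live in the database, so undo the change on deactivation instead of leaving it behind. */
function cia_remove_role_and_caps() {
    remove_role( 'report_viewer' );
    $editor = get_role( 'editor' );
    if ( $editor ) {
        $editor->remove_cap( 'view_reports' );
    }
}
register_deactivation_hook( __FILE__, 'cia_remove_role_and_caps' );

/** Only render the export link for users who hold the capability; the nonce ties the link to them. */
function cia_export_link( $report_id ) {
    if ( ! current_user_can( 'view_reports' ) ) {
        return '';
    }
    $url = add_query_arg( array( 'action' => 'cia_export_report', 'report_id' => absint( $report_id ) ), admin_url( 'admin-post.php' ) );
    return esc_url( wp_nonce_url( $url, 'cia_export_report' ) );
}

/** admin-post.php handler: the capability check decides who may run it, the nonce proves intent. */
function cia_handle_export_report() {
    if ( ! current_user_can( 'view_reports' ) ) {
        wp_die( 'You are not allowed to view reports.', 'Forbidden', array( 'response' => 403 ) );
    }
    check_admin_referer( 'cia_export_report' );   // dies on a missing, forged or stale nonce
    $report_id = absint( $_GET['report_id'] ?? 0 );
    // ... look up and stream the report for $report_id here ...
    exit;
}
add_action( 'admin_post_cia_export_report', 'cia_handle_export_report' );
```

Hiding the link is convenience only; the `current_user_can()` check inside the handler is what actually enforces confidentiality, because the URL can be typed by anyone.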
CONFIDENTIALITY - WORDPRESS
CODE EXAMPLES FROM REPOSITORY
Members (Justin Tadlock)
Eyes Only (Kevin Behrens & Thom Stark)
Restricted Site Access (10Up)
Editorial Access Manager (10Up)
INTEGRITY
PROTECTION AGAINST: UNAUTHORIZED OR UNINTENDED MODIFICATION, DELETION, OR ADDITION OF DATA AND/OR PROGRAMS.
WP INTEGRITY THREATS
• Brute Force Attacks
• Another computer "guesses" username/password
• Username or password is intercepted (email)
• Injection Attacks
• Another computer exploits failure to comply with best practices by injecting malicious code.
INTEGRITY - WORDPRESS CORE ADVANTAGES
• Open Source
• Thousands of Eyes
• Can Audit / Inspect
• YOU Should Inspect It
• https://make.wordpress.org/core/reports/
• Solid Organization Committed to Security
• Built In Security Functions (Only work if used)
• Version Updates - Automatic for Security Related, Can (usually should) be automated
• You Should Push Security Updates ASAP
IN YOUR THEMES AND PLUGINS
• Update Procedures (i.e. WordPress.org Repository)
• Best Practices:
• Input Validation and Sanitization
• Validate and Escape Output
• Beware Feature Bloat
INTEGRITY
BRUTE FORCE DEFENSE
• Check for Bad Usernames (admin, administrator etc.)
• Captcha - Advantages and disadvantages
• Enforce Strong Passwords
• Secure Password Delivery
• Don’t Email Passwords
• Use One Time Secret
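As an added example of the first two bullets ("check for bad usernames", "enforce strong passwords"), not code from the talk: a plugin snippet that stops WordPress from creating the usernames attackers guess first, and rejects weak passwords when a profile is saved. It assumes WordPress 4.4 or later for the `illegal_user_logins` filter; the `cia_` function names and the strength rule are illustrative.

```php
<?php
// Added example (not from the talk): block guessable usernames and weak passwords.
// Assumes WordPress 4.4+ (illegal_user_logins). Rule thresholds are illustrative.

/** Usernames every brute-force list tries first; wp_insert_user() refuses to create them. */
function cia_illegal_user_logins( array $logins ) {
    return array_merge( $logins, array( 'admin', 'administrator', 'root', 'test', 'user' ) );
}
add_filter( 'illegal_user_logins', 'cia_illegal_user_logins' );

/** Minimal strength rule: length, mixed case, a digit, and not containing the login itself. */
function cia_password_is_strong( $password, $login ) {
    if ( strlen( $password ) < 12 ) {
        return false;
    }
    if ( ! preg_match( '/[a-z]/', $password ) || ! preg_match( '/[A-Z]/', $password ) ) {
        return false;
    }
    if ( ! preg_match( '/\d/', $password ) ) {
        return false;
    }
    if ( '' !== $login && false !== stripos( $password, $login ) ) {
        return false;
    }
    return true;
}

/** Runs when a profile is saved in wp-admin; a new password arrives in $_POST['pass1']. */
function cia_enforce_strong_password( $errors, $update, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return;   // no password change was submitted
    }
    $login = isset( $user->user_login ) ? $user->user_login : '';
    if ( ! cia_password_is_strong( wp_unslash( $_POST['pass1'] ), $login ) ) {
        $errors->add( 'weak_password', 'Use at least 12 characters with upper and lower case and a digit, not containing your username.' );
    }
}
add_action( 'user_profile_update_errors', 'cia_enforce_strong_password', 10, 3 );
```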
INTEGRITY
INJECTION DEFENSES: USE BUILT-IN ESCAPING, VALIDATION AND SANITIZING FUNCTIONS
Input Validation
Sanitizing: Cleaning User Input
Escaping: Securing Output - Why???
Escaping: Securing Output - How???
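The four slides above show the three steps (validate, sanitize, escape) with WordPress's built-in functions. Added example, not code from the talk: one form submission carried through all three steps, with a different escaping function for each output context. The form fields, the `cia_` function names and the `profiles` table are illustrative.

```php
<?php
// Added example (not from the talk): validate, sanitize, then escape per output context.
// Field names, function names and the "profiles" table are illustrative.

/** Steps 1+2: validate (reject) and sanitize (normalise) a submitted form. Returns data or WP_Error. */
function cia_clean_profile_input( array $raw ) {
    $errors = new WP_Error();

    $name = sanitize_text_field( wp_unslash( $raw['name'] ?? '' ) );   // strips tags, control chars, extra whitespace
    if ( '' === $name || mb_strlen( $name ) > 60 ) {
        $errors->add( 'name', 'Name is required and must be at most 60 characters.' );
    }

    $email = sanitize_email( wp_unslash( $raw['email'] ?? '' ) );
    if ( ! is_email( $email ) ) {   // sanitizing alone does not prove the address is valid
        $errors->add( 'email', 'A valid e-mail address is required.' );
    }

    $site = esc_url_raw( wp_unslash( $raw['website'] ?? '' ), array( 'http', 'https' ) );   // drops javascript: etc.
    $tier = $raw['tier'] ?? '';
    if ( ! in_array( $tier, array( 'free', 'pro' ), true ) ) {   // whitelist: only known values pass
        $errors->add( 'tier', 'Unknown tier.' );
    }
    $age = absint( $raw['age'] ?? 0 );   // "30abc" becomes 30, "abc" becomes 0; never a string
    if ( $age < 13 || $age > 120 ) {
        $errors->add( 'age', 'Age out of range.' );
    }

    if ( $errors->has_errors() ) {
        return $errors;
    }
    return compact( 'name', 'email', 'site', 'tier', 'age' );
}

/** Database context: let $wpdb quote the value; never concatenate it into SQL. */
function cia_find_profile_by_email( $email ) {
    global $wpdb;
    return $wpdb->get_row( $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}profiles WHERE email = %s", $email ) );
}

/** Step 3: escape at the moment of output, with the function that matches the context. */
function cia_render_profile_card( array $p ) {
    $html  = '<div class="card" data-tier="' . esc_attr( $p['tier'] ) . '">';              // attribute context
    $html .= '<h3>' . esc_html( $p['name'] ) . '</h3>';                                    // HTML text context
    $html .= '<a href="' . esc_url( $p['site'] ) . '">' . esc_html( $p['site'] ) . '</a>'; // URL context
    $html .= '<a href="mailto:' . esc_attr( $p['email'] ) . '">' . esc_html( $p['email'] ) . '</a>';
    $html .= '<script>var cardAge = ' . wp_json_encode( $p['age'] ) . ';</script>';        // JavaScript context
    return $html . '</div>';
}
```

The "why" is that sanitized data is still untrusted once it reaches a new context; the "how" is to pick `esc_html`, `esc_attr`, `esc_url` or `wp_json_encode` by where the value lands, not by where it came from.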
FILE & DATA INTEGRITY
• ALL PLUGINS/THEMES RUN AT THE SAME PERMISSION LEVEL
• SOME OTHER PLUGIN CAN MAKE YOURS VULNERABLE
• GIT AUTOMATICALLY INCLUDES INTEGRITY CHECKING
• CONSIDER A "CANONICAL" FILE INTEGRITY SOURCE: http://www.sitepoint.com/monitoring-file-integrity/
• SEARCH PLUGIN REPOSITORY FOR: "SECURITY MONITORING" AND/OR "FILE INTEGRITY MONITORING"
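As an added example of the "canonical file integrity source" idea, not code from the talk or from any plugin named here: hash every file of a clean checkout once, store that manifest where the web server cannot write, and compare the live tree against it on a schedule. The `cia_` function names, the skip list and the manifest path are illustrative.

```php
<?php
// Added example (not from the talk): canonical manifest of file hashes, and a verify step.
// Function names, the skip list and the manifest location are illustrative.

/** Map of relative path => sha256 for every file below $root, skipping user uploads and caches. */
function cia_build_manifest( $root, array $skip = array( 'wp-content/uploads', 'wp-content/cache' ) ) {
    $root     = rtrim( realpath( $root ), '/' );
    $manifest = array();
    $iter     = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ) );
    foreach ( $iter as $file ) {
        $rel = substr( $file->getPathname(), strlen( $root ) + 1 );
        foreach ( $skip as $prefix ) {
            if ( 0 === strpos( $rel, $prefix ) ) {
                continue 2;   // volatile directories would only produce noise
            }
        }
        $manifest[ $rel ] = hash_file( 'sha256', $file->getPathname() );
    }
    ksort( $manifest );
    return $manifest;
}

/** Compare the live tree with the canonical manifest; returns added, modified and missing paths. */
function cia_verify_manifest( array $canonical, array $live ) {
    $report = array( 'added' => array(), 'modified' => array(), 'missing' => array() );
    foreach ( $live as $path => $hash ) {
        if ( ! isset( $canonical[ $path ] ) ) {
            $report['added'][] = $path;       // a file nobody deployed
        } elseif ( ! hash_equals( $canonical[ $path ], $hash ) ) {
            $report['modified'][] = $path;    // contents changed since the clean checkout
        }
    }
    foreach ( array_diff_key( $canonical, $live ) as $path => $unused ) {
        $report['missing'][] = $path;
    }
    return $report;
}

// Usage (illustrative path): build once from the clean checkout, then verify on a cron schedule
// and alert whenever any of the three lists is non-empty.
// file_put_contents( '/secure/manifest.json', wp_json_encode( cia_build_manifest( ABSPATH ) ) );
// $canonical = json_decode( file_get_contents( '/secure/manifest.json' ), true );
// $report    = cia_verify_manifest( $canonical, cia_build_manifest( ABSPATH ) );
```

Rebuild the manifest as part of every legitimate deploy, otherwise each update shows up as "modified" and the alerts get ignored.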
AVAILABILITY
YOUR WORDPRESS SITE SHOULD BE AVAILABLE TO YOUR CUSTOMERS, USERS, ADMINISTRATORS AND CONTENT CREATORS WHEN THEY NEED IT.
• OFTEN A FUNCTION OF INTEGRITY
• ATTACKER LOCKS USERS OUT
• DDOS LAUNCHED FROM COMPROMISED WP SITES IN 2013
• WORK WITH THE HOST
• PERFORMANCE
• OPTIMIZATION (PROFILE)
• CACHING
• ASSET MANAGEMENT (CDN)
David Brumbaugh • @DavidEBrumbaugh • #Team10Up • www.10iup.com/cia-biz
C.I.A. RESOURCES
• developer.wordpress.org
• codex.wordpress.org
• Sanitizing Input
• Escaping Output
• Open Web Application Security Project • owasp.org
• CERT - Computer Emergency Readiness Team • http://www.us-cert.gov
• Subscribe to Email Alerts
• Filter your inbox by sender, WordPress
MORE C.I.A. RESOURCES - FROM 10UP
• PREVIOUSLY MENTIONED PLUGINS (WORDPRESS.ORG)
• BEST PRACTICES • https://10up.github.io/Engineering-Best-Practices/
• ONE TIME SECRET: https://secret.10up.com/
QUESTIONS?