CIA for WordPress Developers

David Brumbaugh • @DavidEBrumbaugh • #Team10Up • www.10up.com

Upload: david-brumbaugh

Post on 17-Jan-2017


TRANSCRIPT


A CIA Mindset: Planning Your WordPress Site's Security (for Developers)

David Brumbaugh - Web Engineer 10Up

A premiere web design & development consulting service provider, and a contributor to open platforms like WordPress.

70% of WordPress Sites Vulnerable

October 2013, InformationWeek:

That’s Over 100M Sites

These Vulnerabilities are Preventable

It Should Permeate How We Code

Security is a Mindset


C.I.A.

Confidentiality

Integrity

Availability

WordPress CIA Coding

• ENVIRONMENTAL FACTORS

• CODE FOR CONFIDENTIALITY

• CODE FOR INTEGRITY

• CODE FOR AVAILABILITY


Confidentiality

• Personal Information

• Names, Email Addresses

• Customer Information

• Order History

• Sensitive Information

• Payment Information, Passwords, Health Data

Confidentiality: Hosting

If the host is compromised, your coding doesn't matter.

Cultivate a good relationship with the host. Avoid the "blame game".

With a new (or large) host I usually start the support ticket with: "I am a developer".


Confidentiality - WordPress

Front End vs. Back End

Roles and Capabilities

Built In and Custom

Business Decisions - Purpose of Code

Should Match Responsibilities


Standard Roles

• Super Admin
• Administrator
• Editor
• Author
• Contributor
• Subscriber

Sample Capabilities

• edit_users
• activate_plugins
• delete_others_pages
• upload_files
• edit_posts
• read

Using Capabilities in Code


Custom Roles and Capabilities
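The following is an added example, not code from the slides or from 10up: a plugin that registers a custom role and capability on activation and then checks the capability, rather than the role name, before confidential data is shown. The role name `report_viewer`, the capability `view_customer_reports` and the `cia_example_*` function names are assumptions.

```php
<?php
/**
 * Added example (not from the slides): a custom "report_viewer" role with a
 * custom capability, checked before confidential customer data is rendered.
 * Role, capability and function names are assumptions for illustration.
 */

// Create the role once, on activation. Roles persist in the database,
// so this must not run on every request.
register_activation_hook( __FILE__, 'cia_example_add_role' );
function cia_example_add_role() {
	add_role(
		'report_viewer',
		'Report Viewer',
		array(
			'read'                  => true, // can log in and see the dashboard
			'view_customer_reports' => true, // custom capability (assumed name)
		)
	);

	// Grant the same capability to administrators so they are not locked out.
	$admin = get_role( 'administrator' );
	if ( $admin ) {
		$admin->add_cap( 'view_customer_reports' );
	}
}

// Clean up on deactivation so a disabled plugin leaves no orphaned role behind.
register_deactivation_hook( __FILE__, 'cia_example_remove_role' );
function cia_example_remove_role() {
	remove_role( 'report_viewer' );
	$admin = get_role( 'administrator' );
	if ( $admin ) {
		$admin->remove_cap( 'view_customer_reports' );
	}
}

// Check the capability, never the role name: which roles exist is a business
// decision that may change, while the capability names the responsibility.
add_shortcode( 'customer_report', 'cia_example_customer_report' );
function cia_example_customer_report() {
	if ( ! current_user_can( 'view_customer_reports' ) ) {
		return '<p>' . esc_html__( 'You are not allowed to see this report.', 'cia-example' ) . '</p>';
	}
	// Confidential output is built here and escaped on the way out.
	$user = wp_get_current_user();
	return '<p>' . esc_html( 'Order history for ' . $user->display_name ) . '</p>';
}
```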


Confidentiality - WordPress

Code Examples from Repository

Members (Justin Tadlock)

Eyes Only (Kevin Behrens & Thom Stark)

Restricted Site Access (10Up)

Editorial Access Manager (10Up)

Integrity

Protection against: unauthorized or unintended modification, deletion, or addition of data and/or programs.


WP Integrity Threats

• Brute Force Attacks
  • Another computer "guesses" username/password
  • Username or password is intercepted (email)
• Injection Attacks
  • Another computer exploits failure to comply with best practices by injecting malicious code.

Integrity - WordPress Core Advantages

• Open Source
  • Thousands of Eyes
  • Can Audit / Inspect
  • YOU Should Inspect It
  • https://make.wordpress.org/core/reports/
• Solid Organization Committed to Security
• Built In Security Functions (Only work if used)
• Version Updates - Automatic for Security Related, Can (usually should) be automated
• You Should Push Security Updates ASAP

In Your Themes and Plugins

• Update Procedures (i.e. WordPress.org Repository)

• Best Practices:

• Input Validation and Sanitization

• Validate and Escape Output

• Beware Feature Bloat

Integrity

Brute Force Defense

• Check for Bad Usernames (admin, administrator etc.)

• Captcha - Advantages and disadvantages

• Enforce Strong Passwords

• Secure Password Delivery

• Don’t Email Passwords

• Use One Time Secret

I N T E G R I T Y

Integrity

Injection Defenses: Use Built-In Escaping, Validation and Sanitizing Functions

Input Validation

Sanitizing: Cleaning User Input

Escaping: Securing Output

Why???

How???
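How the three steps (validate, sanitize, escape) fit together in one WordPress admin form, as an added example that is not from the slides or from 10up. The field names, the `cia_example_*` option, action and function names, the settings-page slug and the `manage_options` requirement are assumptions; the WordPress functions used are core APIs.

```php
<?php
/**
 * Added example (not from the slides). Names of fields, options and hooks are
 * assumptions. The pattern is the one the deck describes:
 *   validate  - reject input that is not what we expect (is_email, range check)
 *   sanitize  - clean what we store (sanitize_text_field, sanitize_email, absint)
 *   escape    - secure what we output, per context (esc_attr, esc_html, esc_url)
 */

// 1. Render the form. Every dynamic value is escaped for the context it lands in.
function cia_example_render_form() {
	$saved = get_option( 'cia_example_contact', array( 'name' => '', 'email' => '', 'max_orders' => 10 ) );
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<?php wp_nonce_field( 'cia_example_save', 'cia_example_nonce' ); ?>
		<input type="hidden" name="action" value="cia_example_save">
		<input type="text"   name="name"       value="<?php echo esc_attr( $saved['name'] ); ?>">
		<input type="email"  name="email"      value="<?php echo esc_attr( $saved['email'] ); ?>">
		<input type="number" name="max_orders" value="<?php echo esc_attr( $saved['max_orders'] ); ?>">
		<button type="submit"><?php esc_html_e( 'Save', 'cia-example' ); ?></button>
	</form>
	<?php
}

// 2. Handle the POST: capability and nonce checks first, then validate, then sanitize.
add_action( 'admin_post_cia_example_save', 'cia_example_handle_save' );
function cia_example_handle_save() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Insufficient permissions.', 'cia-example' ) );
	}
	check_admin_referer( 'cia_example_save', 'cia_example_nonce' );

	$email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
	if ( ! is_email( $email ) ) {                   // validate: reject, do not "fix"
		wp_die( esc_html__( 'Please enter a valid email address.', 'cia-example' ) );
	}
	$max = isset( $_POST['max_orders'] ) ? absint( $_POST['max_orders'] ) : 0;
	if ( $max < 1 || $max > 100 ) {                 // validate against the allowed range
		wp_die( esc_html__( 'Max orders must be between 1 and 100.', 'cia-example' ) );
	}

	update_option( 'cia_example_contact', array(
		'name'       => isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '',
		'email'      => $email,
		'max_orders' => $max,
	) );
	wp_safe_redirect( admin_url( 'options-general.php?page=cia-example&saved=1' ) ); // assumed page slug
	exit;
}
```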


File & Data Integrity

• All plugins/themes run at the same permission level
• Some other plugin can make yours vulnerable
• Git automatically includes integrity checking
• Consider a "canonical" file integrity source: http://www.sitepoint.com/monitoring-file-integrity/
• Search plugin repository for: "security monitoring" and/or "file integrity monitoring"

Availability

Your WordPress site should be available to your customers, users, administrators and content creators when they need it.

• Often a function of integrity
  • Attacker locks users out
  • DDoS launched from compromised WP sites in 2013
• Work with the host
• Performance
  • Optimization (profile)
  • Caching
  • Asset management (CDN)

David Brumbaugh • @DavidEBrumbaugh • #Team10Up • www.10iup.com/cia-biz

C.I.A. Resources

• developer.wordpress.org
• codex.wordpress.org

• Sanitizing Input • Escaping Output

• Open Web Application Security Project • owasp.org

• CERT - Computer Emergency Readiness Team • http://www.us-cert.gov

• Subscribe to Email Alerts • Filter your inbox by sender, WordPress


More C.I.A. Resources - From 10Up

• Previously mentioned plugins (WordPress.org)
• Best Practices: https://10up.github.io/Engineering-Best-Practices/
• One Time Secret: https://secret.10up.com/


Questions?