It's a Jungle Out There: The Security State of CMS Platforms
Session ID: STU-W03A
Maty Siman, Founder & CTO, CISSP
Checkmarx
RSAC

Slide 2: CMS
"A Content Management System (CMS) is a computer program that allows publishing, editing and modifying content as well as maintenance from a central interface." (Wikipedia)

Slide 3: Infographics (http://www.webnethosting.net/wordpress-vs-joomla-vs-drupal-cms-popularity-war)

Slide 4: Drupal Architecture
[Architecture diagram; only the labels "Plugin(s)" and "Widgets" survive in the transcript.]

Slide 5: CMS Plugins
- Barriers to entry are very low
- No publishing fees
- No publishing checks
- Simple API
- PHP

Slide 6: Significant Exposure

Slide 7: Significant Exposure
Anyone in your company can set up a new WordPress instance. No need for IT personnel or R&D assistance.

Slide 8: 1+1=
Low Barrier + Exposure = Security Concern

Slide 9: Some Stats

Slide 10: Our report
- Jan 2013 – 30 of top 50
- Feb – Apr – Notified 3 vendors (Automattic)
- Jun – 20 of top 50
  - 7 out of 10 e-commerce
- Recommendations

Slides 11–12: (no transcribed text)

Slide 13: SlimStat SQLi

Slide 14: report (Jan 8 2014)
Ory Segal - https://blogs.akamai.com/2014/01/wordpress-plugins-exploitation-through-the-big-data-prism.html

Slide 15: Anatomy of an attack – Widespread
- Download 10 WP plugins
- On average 3 of them are vulnerable to high-risk vulnerabilities
- Check which sites are using these plugins (Google index of wp-content/plugins/slimstat)

Slide 16: Anatomy of an attack – Targeted
- Check what plugins are used by your target (Google index of wp-content, site:victim.com)
- Download these plugins
- Check for vulnerabilities in these plugins

Slide 17: What should I do?
1. Ask your plugin-market owner what security measures it takes to ensure the security level of the hosted plugins
2. We found that "you get what you pay for" – commercial markets are more secure than free ones (wordpress.com vs. wordpress.org)
3. Upgrade your plugins to their latest version
4. Educate your team regarding the security risks of setting up new CMS instances
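A defender-side check for recommendation 3 (keep plugins current), as an added example that is not part of the slides or of Checkmarx's tooling: it inventories a wp-content/plugins tree the way WordPress itself identifies plugins (name and version read from the comment header at the top of the main PHP file) and flags any installed version below a minimum patched release. The plugin directory, versions and the minimum-fixed table are constructed placeholders, not advisory data.

```python
"""Inventory WordPress plugins from their file headers and flag outdated ones.

Added example; the sample tree and version numbers below are constructed
placeholders, not data from the slides or from any real advisory.
"""
import os
import re
import tempfile

# Constructed sample plugin tree (slug/main-file -> file content).
# "slimstat" is the plugin named on the slides; its version here is invented.
SAMPLE_PLUGINS = {
    "slimstat/wp-slimstat.php": "<?php\n/*\nPlugin Name: WP SlimStat\nVersion: 1.2.0\n*/\n",
    "hello-world/hello.php": "<?php\n/**\n * Plugin Name: Hello World\n * Version: 2.0.0\n */\n",
    "no-header/readme.txt": "not a plugin main file",
}

# Placeholder "minimum patched version" table keyed by plugin slug.
MINIMUM_FIXED = {"slimstat": "1.3.0", "hello-world": "2.0"}

# WordPress-style header line: optional comment decoration, then "Key: value".
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_plugin_header(text):
    """Return {'name', 'version'} from a plugin header block, or None if absent."""
    fields = {}
    for key, value in HEADER_RE.findall(text[:8192]):  # WordPress reads the first 8 KB
        fields.setdefault(key.lower(), value.strip())   # first occurrence wins
    if "plugin name" not in fields:
        return None
    return {"name": fields["plugin name"], "version": fields.get("version", "")}


def version_tuple(v):
    """Numeric tuple for dotted versions so '3.10' > '3.9'; trailing zeros dropped."""
    parts = [int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v.strip())]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def inventory(plugins_dir):
    """Map plugin slug -> header info for every plugin directory with a valid header."""
    found = {}
    for slug in sorted(os.listdir(plugins_dir)):
        slug_dir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(slug_dir):
            continue
        for fname in sorted(os.listdir(slug_dir)):
            if not fname.endswith(".php"):
                continue
            path = os.path.join(slug_dir, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                header = parse_plugin_header(fh.read(8192))
            if header:
                found[slug] = header
                break  # one main file per plugin
    return found


def outdated(inv, minimum_fixed):
    """Return {slug: (installed, minimum)} for plugins below their patched floor."""
    flagged = {}
    for slug, info in inv.items():
        floor = minimum_fixed.get(slug)
        if floor and version_tuple(info["version"]) < version_tuple(floor):
            flagged[slug] = (info["version"], floor)
    return flagged


def build_sample_tree():
    """Write the constructed sample plugins into a temporary wp-content/plugins tree."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    for rel, content in SAMPLE_PLUGINS.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def run_sample():
    """Inventory the sample tree and return (inventory, flagged)."""
    inv = inventory(build_sample_tree())
    return inv, outdated(inv, MINIMUM_FIXED)


if __name__ == "__main__":
    inv, flagged = run_sample()
    for slug, info in inv.items():
        print(f"{slug}: {info['name']} {info['version']}")
    for slug, (have, need) in flagged.items():
        print(f"OUTDATED {slug}: installed {have}, minimum patched {need}")
```

Point `inventory()` at a real wp-content/plugins directory and replace `MINIMUM_FIXED` with versions from the vendor's changelog or advisory to use it on a live install.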
Slide 18: Thank you
Maty Siman, Founder & CTO at Checkmarx