typo3 & security @ drupal meetup
TRANSCRIPT
inspiring people to share.
Drupal-Austria & WordPress Vienna Meetup / TYPO3
Inspiring people to share
Agenda
✓ About TYPO3
✓ What does Security mean?
✓ Knowing the enemy
✓ Pitfalls
✓ Best practices
✓ TYPO3 Security Team
TYPO3 family
✓ CMS born in 1998, created by Kasper Skårhøj
✓ Flow 1.0.0 2009
✓ Neos 1.0.0 2013
TYPO3 Usergroup Austria (TUGA)
✓ www.tuga.at
✓ 1x/month Linz <> Vienna
Georg Ringer
✓ TYPO3 developer and user since 2005
(first extension still in production!)
✓ TYPO3 CMS core developer
✓ Member of the TYPO3 Security Team
✓ working at Cyberhouse GmbH (Linz, Vienna)
✓ proudest father for 14 months
What does Security mean?
✓ Absence of potential damage
✓ Protecting information
✓ Unauthorized access
✓ Unauthorized modification
✓ Loss
CIA Triad
What does security mean?
(Diagram: Confidentiality, Integrity and Availability around Information)
✓ Confidentiality
✓ Integrity
✓ Availability
Characteristics of security
✓ There is no absolute security
✓ An environment is only as secure as its weakest point
✓ Security is an investment
✓ The effort spent on security must be proportional to the potential damage
✓ A system can be called secure if the effort of compromising it is far higher than the possible gains.
What does security mean?
Security is relative
✓ Security depends on your needs/kind of information
✓ Security depends on a certain point in time
✓ Security needs to be constantly adapted and improved
What does security mean?
"Security is a process, not a product."
(Bruce Schneier)
Knowing the enemy
Different motivations
✓ Money
✓ Influence
✓ Fame
✓ Fun
Knowing the enemy
Different approaches
✓ Automated attacks
✓ Targeted attacks
Knowing the enemy
Security problems
✓ XSS
✓ CSRF
✓ SQLi
✓ Header injection
✓ Code injection
✓ Insecure unserialize
✓ ...
Knowing the enemy
Best practice
✓ Every request is an attack until the opposite is proven
✓ User input cannot be trusted
✓ User input needs to be validated on the way in and encoded/escaped right before output
✓ Encoding and escaping depend on the output context
✓ Separation of concerns
What is user input
✓ $_REQUEST ($_GET, $_POST, $_COOKIE)
✓ $_FILES
✓ $_SERVER
✓ Filenames
✓ External services
✓ Editors are users!
Best practice
Separation of concerns
✓ Security issues are bugs
✓ Clean code leads to fewer bugs
✓ Test driven development
✓ Leave security to security code
Best practice
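Added example (not code from the slides or from TYPO3): the rules of the last three slides in plain PHP. Input is validated on the way in, every output context (HTML, URL parameter, script block) gets its own encoder, SQL uses bound parameters instead of escaping, and the template code only calls those encoders, so the security logic lives in security code. The function names (validatePageId, escapeHtml, escapeUrlParam, escapeJsString, findTitleById, renderLink), the pages table, the sample request and the SQLite in-memory database are my own constructions.

```php
<?php
// Added example, not code from the slides or from TYPO3. Plain PHP showing
// the "Best practice" rules: validate on input, escape right before output
// with a context-specific encoder, bind SQL parameters, and keep all of
// that in dedicated security functions. All names below are my own.
declare(strict_types=1);

// --- 1. Validation on input -------------------------------------------------
// $_GET/$_POST/$_COOKIE values are strings chosen by the client; accept only
// the shape the application expects and reject everything else early.
function validatePageId(array $request): int
{
    $raw = (string)($request['id'] ?? '');
    if (!preg_match('/^[1-9][0-9]{0,8}$/', $raw)) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return (int)$raw;
}

// --- 2. Output encoders, one per context ------------------------------------
// HTML element content and quoted attribute values (the caller must quote).
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// URL query parameter: percent-encoding, never HTML entities.
function escapeUrlParam(string $value): string
{
    return rawurlencode($value);
}

// String literal inside a <script> block: JSON-encode with the HTML-safe
// flags so "</script>" or "<!--" inside the value cannot end the block.
function escapeJsString(string $value): string
{
    $encoded = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE
    );
    return $encoded === false ? '""' : $encoded;
}

// --- 3. SQL context: do not escape into the query at all, bind instead -------
function findTitleById(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT title FROM pages WHERE uid = :uid');
    $stmt->execute([':uid' => $id]);
    $title = $stmt->fetchColumn();
    return $title === false ? null : (string)$title;
}

// --- 4. Template code only calls the encoders; it holds no escaping logic ----
function renderLink(string $title, string $search): string
{
    return '<a href="/search?q=' . escapeUrlParam($search) . '"'
        . ' title="' . escapeHtml($title) . '">' . escapeHtml($title) . '</a>'
        . '<script>var lastSearch = ' . escapeJsString($search) . ';</script>';
}

// --- Demo on constructed data ------------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (uid INTEGER PRIMARY KEY, title TEXT)');
$db->prepare('INSERT INTO pages (uid, title) VALUES (?, ?)')
   ->execute([42, 'Tom & "Jerry" <3']);   // constructed editor-supplied title

// Constructed request standing in for $_GET: the same string needs a
// different encoding in each of the three output contexts.
$sampleRequest = ['id' => '42', 'q' => "it's <b>bold</b> & more"];

$id    = validatePageId($sampleRequest);
$title = findTitleById($db, $id) ?? 'unknown';
echo renderLink($title, (string)$sampleRequest['q']), PHP_EOL;

// A malformed id is rejected before it ever reaches the database.
try {
    validatePageId(['id' => '42abc']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php` (the pdo_sqlite extension must be enabled). Note that the editor-supplied title is treated exactly like the query parameter: it comes from the database, but it was typed by a user, and the slides' point "Editors are users!" is why it still goes through escapeHtml before output.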
TYPO3 Security Team
TYPO3 Security Team
✓ Responsible disclosure policy
✓ One communication channel ([email protected] with OTRS)
✓ TYPO3 Core
    ✓ Handling security issues
    ✓ Pre-announcements for critical issues only
✓ TYPO3 Extensions
    ✓ Handling security issues
✓ Communication
    ✓ Talks
    ✓ Awareness of security
TYPO3 Security Team
Processing a report of an extension (flowchart, rendered here as a list of steps)
✓ Report by mail
✓ Check if valid, mail to reporter
✓ Contact author
✓ Response with patch: check patch, individual security bulletin
✓ No response: collective security bulletin
✓ Author uploads extension / we upload extension
✓ Publish bulletin on typo3.org
✓ Set old version as insecure
✓ Send mails / get a coffee/break!
TYPO3 Security Team
Processing a report of the TYPO3 core (flowchart, rendered here as a list of steps)
✓ Report by mail
✓ Check if valid, mail to reporter
✓ Fix with the Core Team
✓ Release new version
✓ Publish bulletin on typo3.org
✓ Send mails / get a coffee/break!
Questions? Thanks!
Thanks to
✓ Helmut Hummel, as the slides are based on his various presentations
✓ Cyberhouse GmbH www.cyberhouse.at
✓ the awesome TYPO3 community