
Plone a success in security - Results from BSI CMS Security Study


Formal Metadata

Title: Plone a success in security - Results from BSI CMS Security Study
Number of Parts: 39
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract: Plone Conference 2013 and talks of the 9th Brazilian Python Conference (PythonBrasil[9]) - Brasília / Brazil
Transcript: English (auto-generated)
Okay. Hello. I think we can start already. One note before the talk: I present a security study done by the German BSI. So I'm just the messenger, and please do not shoot the messenger. Well, Plone is a success in security. The German BSI released in June a security study on content management systems. Well, what is the BSI? It's the German Office for Information Security, and it's the authority for all IT security questions. Even the European institution ENISA, which does almost the same, is structured after the German BSI. And the president of ENISA at the moment, Professor Helmbrecht, was the previous BSI president, and he was one of our keynotes at the Plone Conference Germany 2000. It was nice.

Well, what was the reason for the study? Exposed systems like CMS are a major attacking point, and the BSI gives security advice for public institutions to protect their IT infrastructure. Well, which CMS were reviewed? It was Drupal, WordPress, Plone, Joomla and Typo3. Well, I want to give you some words on myself, why I'm presenting it. Well, I'm originally head of the internet department of the LMU, Germany's largest university, and only federal agencies were invited to the official presentation of the study. I was one of the very, very few university guys from the state level that were invited. I was the only community member at all that was at the official presentation.
Well, there's a nice thing about the timeline, how it got presented. There was a pre-presentation at LinuxTag. There are some side notes that I want to present to you, so you know that. So there was the official presentation and then the publication of the paper to the broader audience. Well, if you look at the announcement of the presentation for LinuxTag, it says there are eight selected systems. Well, if you know something about the BSI, it's really simple to see that if they have only reviewed five open source systems, something has gone wrong, because all federal offices are recommended to use one commercial system, the Government Site Builder. The BSI itself uses a system called FirstSpirit. So why aren't they in the study, why haven't they been reviewed? Well, it was information that they gave on the LinuxTag day: they talked with the legal departments of those companies, and they are not allowed to publish it. Interesting fact.

Well, some notes about the authors of the study. It's done by init DE. It's, well, a consultants' group with more than 300 persons located in Berlin. They do a lot of lobbying in Germany and Europe for IT ideas. And the Fraunhofer Institute for Information Technology is a research institute funded by the national federal government, and they do special research on IT security. Well, if you look at the pages of the init company, there's one thing: they do consulting on web content management systems. Well, the only open source system they do is Drupal. So you could not... I'm not saying that the study itself is doing something wrong, but sometimes you see that there is a kind of politics in presenting data towards something. [Switched mic.] Well, so you see some of the presentation of the data goes strictly in the direction of enforcing Drupal a bit. So you should have that in mind if you read the study.
I have some criticism of the study itself. So if you're a decision maker or a manager, the study itself is definitely too long. No manager will read 165 pages. For operational personnel like system administrators, the study itself is not detailed enough, so there has to be even more information in it. From a scientific point of view, there is some criticism. They are very ambitious, but they do not really do it justice. So there are several approaches to it, but they did not really explain why they do it and why the result is like that. And sometimes they use a way of presentation that misleads some information in it.

Well, the study itself was structured into several parts: basics of a content management system, with an overview of the architecture of the reviewed systems; the current threat level and statistics of security reports; four application scenarios with requirements and recommendations; some kind of security audit based on the ITIL phases and the OpenSAMM criteria; and some general conclusions and recommendations from a security perspective. So they just describe a general architecture of content management systems, and Plone was the one that was nearest to that general approach. The PHP systems in the study show that they are doing very, very many things together, so there's not a separation of ideas or architectural components. So it's a security risk sometimes.
Well, I guess those who have been to Matthew's talk yesterday have already seen some of the graphics. It's the current threat level for content management systems: what happens and which way the attacks go through. There was a statistic on security risks via the CISS statistics. Well, they just present the line at the bottom. So that says that Plone has the most, or the highest ranked, security risk in it. But in the discussion afterwards they said, well, Plone has the lowest amount of overall security vulnerabilities, and so it's a misleading point. You have to present both things in combination to see that maybe there are some vulnerabilities that could be risky, but from the overall point of view there are much fewer than on the other systems. Well, the problem with that is that statistics are just a snapshot of the situation, and well, as Matthew said yesterday, the data are not up to date. Well, if you compare the systems and look at which vulnerabilities they normally suffer from, just a comparison to see.

Well, they just presented how many security vulnerabilities they have found and reviewed, and they make a comparison of how many security vulnerabilities were in the core or in the plugins. And it's one thing that they said: a system should be as small as possible so you can review it, you can do security audits on it. And Plone comes with a lot of the features they need for their scenarios in core, so not that many add-ons were needed for the review. And the security architecture of Zope itself and the way of developing add-ons for Plone is well structured and straightforward, and it gives you a lot of, well, capabilities to develop a very secure add-on. So maybe in PHP they have to do everything from scratch, and well, PHP is not that secure a language.

Well, after that they discuss the Open Web Application Security Project and their top 10, and they just said that the three points for content management systems that are very, very important from their point of view are security misconfiguration, using components with known vulnerabilities, and missing function level access control. But if you look at Plone, for almost all of them we have a concept for it, and that's a good thing.

So there were four application scenarios: a private event site, a civil office of a small community or village, an open government site of a small town, and a medium-sized company with multiple locations. They had set some requirements in the beginning of the study, but they did not really explain why they apply which system to which scenario. Well, in the discussion they said for a private event site you should not use a content management system by yourself at all. There are so many cloud hosted or hosted content management systems that are securely monitored, so use one of them. For a civil office and the open government site they recommend either Drupal or Plone. Well, but they said it depends on the direct requirements of it. Plone has much more advantages from the security point of view. Drupal has more extensions that are fancy for that point of view or requirements, so it's just a personal decision what you choose. For the medium-sized company with multiple locations, well, the recommendation was that all systems could be applied. They preferred to recommend either Drupal or Typo3 as they are shipping some shopping modules with them, and that's the only reason. On the other side they said if you do not need a shop, go for Plone. It's much more secure and scalable.

Well, then there was a security audit based on the ITIL phases. It's the IT Infrastructure Library, for those who don't know, with service design, service transition, service operations, so that's just a catalog of requirements. They said for a secure application these should be fulfilled, and well, it's almost half of the study, just the evaluation of that.
But let's go into their conclusions and recommendations. They have some general recommendations and conclusions. Well, the first thing is: open source is at least as secure as commercial software. There's no security reason to say we have to go for a commercial one. They said: never use a system as is. Out of the box security is dangerous for almost all systems except Plone. Plone ships with a very, very good starting configuration. But they said, well, for the final site, for the final portal you do, you have to do some more configuration. Yeah, indeed. But it's a good starting point. And there's one thing that they said: every system should get at least 15 minutes of care per day. If I remember last year, Steve in his talk about how to manage a Plone site, it was his recommendation too. You should at least take a few minutes per day, go through the logs, look at what has happened, look at the monitoring devices and everything, do it. And we have a lot of capabilities to monitor our sites.

So the sum-up of the recommendations is: service providers must be able to apply any patches permanently. Service providers should design their websites before they put them online. The principle of defense in depth is of paramount importance. Service providers should constantly monitor their websites, and a secure configuration must be supported across the infrastructure based on the main application purpose.

Well, let's go into depth for the Plone specific facts, phrases, criticism and recommendations. Well, at first, they really, really praised the security overview of Plone. It's the only system that has all the information in one place and presents it to customers. Wow. The second thing is the installers, especially the Unified Installer. It brings that much to you and gives you security. It does not misconfigure your system at all. Well, everybody of you who knows Plone knows that we are doing virtual environments and buildout so that we are isolated. And that's a very, very good point, they said. We should enforce it. And the other point is that we are bringing the ZEO concept with the installer, even with us. And they said the spreadability of critical components to increase performance and availability out of the box is one of the major, major things of Plone that you should look at. It's a very strong thing.

Well, there are some downsides. Most of the study, as I said, was the security audit, the review of the ITIL criteria. And they have an approach that they just look for each question at maximum 15 minutes. If they do not find the information within this time, you're downvoted. Well, our documentation sucks in that case, because they try to focus on different groups of persons: a user, a system administrator, a developer. We do have a lot of documentation for the developers. We do not have a special section for a system administrator to find information. And if you do not know our wording, you do not find the right information. But well, we have to care about it. And I guess we all know that it is so. We should enforce that.

Well, everything is about communication. And the transparency of communication was praised a lot. And there I want to say big thanks to you, Matthew, as you were the major contact point for them. And thank you for your good work.
Our statement that Plone has an extra reporting channel, so that you do not have a ticket system that is public for security issues: they said, well, it's quite a safety win, it's a quick safety win, and that's something you should have. Another thing is they really praise our pluggable authentication system, that we are able to plug in every kind of authorization and authentication system. And they praise ZopeSkel. I hope everybody knows ZopeSkel. That ZopeSkel brings skeletons for development of add-ons and some kind of best practice of how to develop add-on products for Plone is really, really a good thing.

And we have some reactions on the study already. Well, I find it very funny. Last year in Arnhem, we stood in front of the second room and there was a sentence written over it. It says: most people stay silent only if you act. And that's how the community, even our community, is: we act, and it's a good thing that we do it. Well, there was a refactoring of the security section of plone.org. So there's a new Plone hotfix page. Yeah. So thank you all to the security team and the persons that work on it. So especially there was Plone app vulnerabilities and security mockups. So thank you to the persons. So I see Matthew, Paul, Ramon, and several others, Eric, yeah, who worked on it. Thank you for that. So there's a new presentation of which Plone versions are supported and under maintenance. There's a new presentation of the CVE information.

And there's one thing probably not everybody of you knows. There was one thing that they really recommended: we should have static code checks over all development. We have it already. We have a very good test-driven development. We have a lot of testing of everything. But, well, Timo Stollenwerk just released plone.recipe.codeanalysis a little bit ago, which can check all of your code and make recommendations, or say where there is something that you should change. And that's a very, very good thing. Sad that he's not here, but I think everybody of you who sees him should give him thanks for that.

Well, I myself have a few ideas how we can go further and make Plone even better in the point of secure marketing. So probably we could do a translation of the auditing list and just give the pointer to the right documentation where you find it. Doing version hotfix information through JavaScript in our Plone control panel at the customers, so that it says, okay, if I load it, there's a new version, there are hotfixes that I should apply. And one thing is our security overview is on the OWASP version of 2010. There's a new version of 2013. So we should update it. So thank you. Any questions? So then at the end, I just ask you to give applause to the fabulous security man, Matthew, that they did a good job.