CMS Security Justin Klein Keane CMS Working Group March 3, 2010.

Overview
- Background in CMS development: ASP, Java, Cold Fusion, Perl, Python and PHP
- CMS security generalities
  - Specifics drawn from the SAS deployment of Drupal

Insecurity is a Given
- Software engineering studies show a predictable average number of bugs per KLOC
  - Some portion of those bugs are security related
- Some vulnerabilities are not functional flaws (the code works as designed)
- Information security is an evolving space

Considering a CMS
Given that any system chosen will be insecure: how do you choose a CMS?

Ubiquity
- How widely used is the CMS?
- Recognize this could mean higher risk (a larger target)
- Wide use may also mean more eyeballs
  - But not necessarily

Modularity
- Is the system monolithic?
  - Important in understanding impact
  - Also affects upgrades
- How does modularity affect scope?

Patch Management/Upgrade
How easy is upgrade? The full cycle:
- Monitor for advisories
- Evaluate
- Acquire
- Prioritize and schedule
- Test and approve
- Create and test the deployment
- Deploy
- Confirm
- Clean up
- Document
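The "monitor", "evaluate" and "prioritize" steps above are the ones that benefit most from tooling. The script below is an added example for this page, not the author's code and not a Drupal tool: it matches an inventory of installed modules against a list of advisories and ranks the resulting patch work. The inventory, the advisories and the ADV-* identifiers are constructed placeholders, and the "6.x-1.4" version format is an assumption about the CMS being managed.

```python
"""Match installed CMS modules against security advisories and rank the
resulting patch work.

Added example for this page; it is not the author's code and not a Drupal
tool.  The module inventory and the advisory list are constructed for
illustration (the ADV-* identifiers are placeholders, not real advisories).
Version strings follow the Drupal "6.x-1.4" convention, which is an assumption
about the CMS being managed.
"""
import re
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 3, "moderately critical": 2, "less critical": 1}

_VERSION = re.compile(r"(\d+)\.x-(\d+)\.(\d+|x)(?:-([a-z]+)(\d*))?")


def parse_version(version: str) -> tuple:
    """Turn '6.x-1.4-beta2' into a key that sorts the way releases are ordered.

    A pre-release (alpha/beta/rc/dev) sorts below the final release of the same
    number, so '6.x-1.4-beta2' < '6.x-1.4' and '6.x-1.x-dev' < '6.x-1.0'.
    """
    m = _VERSION.fullmatch(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version}")
    core, major, minor, tag, tagnum = m.groups()
    minor_key = -1 if minor == "x" else int(minor)  # dev branches carry no minor
    pre = (0, tag, int(tagnum or 0)) if tag else (1, "", 0)
    return (int(core), int(major), minor_key) + pre


@dataclass
class Advisory:
    advisory_id: str        # placeholder identifier (constructed)
    module: str
    fixed_in: str           # first release containing the fix
    severity: str           # key of SEVERITY_RANK
    exploited_in_wild: bool = False


@dataclass
class Installed:
    host: str
    module: str
    version: str
    internet_facing: bool


def is_affected(inst: Installed, adv: Advisory) -> bool:
    """Affected when the same module runs below the fixed release on the same core branch."""
    if inst.module != adv.module:
        return False
    have, fixed = parse_version(inst.version), parse_version(adv.fixed_in)
    return have[0] == fixed[0] and have < fixed


def prioritize(inventory, advisories):
    """The 'evaluate' and 'prioritize' steps: return (install, advisory) pairs,
    most urgent first.  Active exploitation outranks severity, which outranks
    whether the host is reachable from the Internet."""
    work = [(i, a) for i in inventory for a in advisories if is_affected(i, a)]
    work.sort(
        key=lambda p: (p[1].exploited_in_wild, SEVERITY_RANK[p[1].severity], p[0].internet_facing),
        reverse=True,
    )
    return work


# Constructed inventory and advisories for illustration only.
INVENTORY = [
    Installed("www1", "example_gallery", "6.x-1.3", internet_facing=True),
    Installed("intranet", "example_gallery", "6.x-1.4", internet_facing=False),
    Installed("www1", "example_forms", "6.x-2.0-beta1", internet_facing=True),
    Installed("intranet", "example_forms", "6.x-2.1", internet_facing=False),
]
ADVISORIES = [
    Advisory("ADV-0001", "example_gallery", "6.x-1.4", "moderately critical"),
    Advisory("ADV-0002", "example_forms", "6.x-2.1", "critical", exploited_in_wild=True),
]

if __name__ == "__main__":
    for inst, adv in prioritize(INVENTORY, ADVISORIES):
        print(f"{adv.advisory_id}: {inst.host} {inst.module} {inst.version} "
              f"-> {adv.fixed_in} ({adv.severity})")
```

The ordering rule in `prioritize` is the policy decision; the version comparison is the part that is easy to get wrong (a beta of the fixed release is still vulnerable), which is why it is isolated in `parse_version` so it can be tested on its own.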

Compartmentalization
- Complexity is the enemy of security
- What is the level of dependence in the system?
  - OS, web server, db server, programming language, etc.
- Component security concerns
  - How will component security affect the CMS?

Measuring Vulnerability
- Tempting to measure reported vulnerabilities
  - Potentially a false metric (more eyes = more bugs found and reported)
- Mean time to patch is a good metric
- Severity of vulnerability
- Better metric is project activity
  - People involved, update releases, community "noise"
  - Healthy dev community = faster patching

Maturity
- Not necessarily longevity
- How closely does the CMS model a "real" enterprise system?
- Established security team
- Security reporting and response procedure

User Management
- CMS offers power to users in varying scale
- How is privilege separated?
- Can you disable/protect dangerous permissions?
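"Can you disable/protect dangerous permissions?" is a question you can answer mechanically once the role-to-permission mapping is exported. The audit below is an added example for this page, not the author's code and not part of Drupal. It assumes the Drupal 6 storage layout, where each role's permissions are one comma-separated string (the `perm` column of the `permission` table); the role table, the trusted-role name and the list of "dangerous" permission strings are assumptions to adjust against your own site's permissions page.

```python
"""Audit CMS role/permission assignments for grants that amount to site takeover.

Added example for this page, not the author's code and not part of Drupal.
It assumes the Drupal 6 layout in which each role's permissions are stored as a
single comma-separated string.  The role table below is constructed for
illustration; the DANGEROUS set is a starting list to extend from your own
site's permissions page.
"""

# Permission strings that let a role escalate to full control (assumed names).
DANGEROUS = {
    "administer permissions",        # can grant itself anything else
    "administer users",              # can take over the admin account
    "administer site configuration",
    "administer modules",            # can enable code-executing modules
    "administer filters",            # can expose an input format that runs PHP
    "use PHP for block visibility",  # arbitrary PHP via block settings
}

# Roles that every visitor or every account automatically holds.
BUILTIN = {"anonymous user", "authenticated user"}


def parse_perm(perm: str) -> set:
    """Split a Drupal 6 style 'a, b, c' permission string into a set."""
    return {p.strip() for p in perm.split(",") if p.strip()}


def audit(roles: dict, trusted=("site admin",)) -> list:
    """Return (role, permission, reason) findings, worst first.

    A dangerous grant on a built-in role is global and is listed before the
    same grant on a named role, which is merely an escalation path.
    """
    findings = []
    for role, perm in roles.items():
        if role in trusted:
            continue
        for p in sorted(parse_perm(perm) & DANGEROUS):
            reason = ("granted to every visitor/account" if role in BUILTIN
                      else "escalation path for a lesser role")
            findings.append((role, p, reason))
    findings.sort(key=lambda f: f[0] not in BUILTIN)
    return findings


def harden(roles: dict, trusted=("site admin",)) -> dict:
    """The corrected mapping: dangerous permissions stripped from untrusted roles,
    trusted roles left untouched, in the same comma-separated format."""
    fixed = {}
    for role, perm in roles.items():
        if role in trusted:
            fixed[role] = perm
        else:
            fixed[role] = ", ".join(sorted(parse_perm(perm) - DANGEROUS))
    return fixed


# Constructed role table (weak configuration) for illustration only.
ROLES = {
    "anonymous user": "access content",
    "authenticated user": "access content, use PHP for block visibility",
    "editor": "access content, create page content, edit any page content, administer users",
    "site admin": "access content, administer permissions, administer users, "
                  "administer site configuration, administer modules",
}

if __name__ == "__main__":
    for role, perm, reason in audit(ROLES):
        print(f"{role!r} has {perm!r}: {reason}")
    for role, perm in harden(ROLES).items():
        print(f"hardened {role!r}: {perm}")
```

Running it over the constructed table reports the PHP grant on "authenticated user" first, because that one is effectively handed to every account holder, and the editor's "administer users" second; `harden` then shows the same table with those grants removed while the trusted admin role keeps its permissions.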

Configuration
Consider:
- Many security flaws are configuration issues
- How can configuration be changed to increase the security posture of your CMS?
- Are there security configuration guides/guidelines available?
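For a PHP-based CMS, much of the "configuration" in question lives below the application, in php.ini. The checker below is an added example for this page, not the author's code and not one of the SAS guidelines: it parses a php.ini fragment, reports each directive that departs from a hardening baseline, and emits the corrected lines beside it. The php.ini text is constructed, and the baseline values (conventional for a PHP 5.x web server of the period) are an assumption to reconcile with your own hosting needs; `allow_url_fopen` in particular is legitimately required by some modules.

```python
"""Check PHP runtime settings that commonly weaken a PHP-based CMS.

Added example for this page, not from the original slides.  The php.ini text
below is constructed.  The recommended values are the conventional hardening
baseline for a PHP 5.x web server of the period (an assumption); confirm them
against your own hosting requirements before applying them.
"""

# directive -> (recommended value, why it matters)
BASELINE = {
    "display_errors": ("off", "stack traces and file paths leak to visitors"),
    "register_globals": ("off", "request parameters become PHP variables (removed in PHP 5.4)"),
    "allow_url_include": ("off", "include() of remote URLs enables remote file inclusion"),
    "allow_url_fopen": ("off", "file functions will fetch attacker-chosen URLs"),
    "expose_php": ("off", "advertises the PHP version in response headers"),
    "session.use_only_cookies": ("on", "stops session IDs being accepted from the URL"),
    "session.cookie_httponly": ("on", "keeps the session cookie away from script access"),
}


def normalize(value: str) -> str:
    """php.ini accepts On/Off, 1/0, true/false, yes/no; fold them to on/off."""
    v = value.strip().strip('"').lower()
    return {"1": "on", "true": "on", "yes": "on",
            "0": "off", "false": "off", "no": "off", "": "off"}.get(v, v)


def parse_ini(text: str) -> dict:
    """Minimal php.ini reader: ';' comments, [section] headers, key = value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = normalize(value)
    return settings


def check(settings: dict) -> list:
    """Return (directive, current, recommended, reason) for each weak setting.

    A directive missing from the file is reported as 'not set': PHP's built-in
    default then applies, and the baseline wants each of these set explicitly.
    """
    findings = []
    for directive, (want, why) in BASELINE.items():
        have = settings.get(directive, "not set")
        if have != want:
            findings.append((directive, have, want, why))
    return findings


def hardened_ini() -> str:
    """The corrected fragment, in php.ini syntax, to set beside the weak one."""
    return "\n".join(f"{d} = {'On' if v == 'on' else 'Off'}"
                     for d, (v, _) in BASELINE.items())


# Constructed php.ini fragment (the weak configuration) for illustration only.
SAMPLE_INI = """
; constructed php.ini fragment for illustration
[PHP]
display_errors = On
register_globals = Off
allow_url_include = Off
allow_url_fopen = On
expose_php = On
session.use_only_cookies = 1
"""

if __name__ == "__main__":
    for directive, have, want, why in check(parse_ini(SAMPLE_INI)):
        print(f"{directive}: is {have}, should be {want} ({why})")
    print("--- hardened fragment ---")
    print(hardened_ini())
```

Against the constructed fragment the checker flags `display_errors`, `allow_url_fopen` and `expose_php` as on, and `session.cookie_httponly` as not set; `register_globals` and `allow_url_include` pass, and `session.use_only_cookies = 1` passes because `normalize` folds `1` to `on`.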

Security Testing
- Automated web app testing is in its infancy
  - If used, be sure to test behind authentication
- Manual testing is still the best way
- Complexity of systems often negates the advantage of having source code
- System should be tested as a whole before deployment
- Components should be tested prior to install
- Patches/upgrades should be tested
- Commit to a continuous security testing cycle
- If you don't have the resources, is it possible to leverage others'?

Commitment to Security
- Must be ongoing
- Security space evolves
- Systems are digital bonsai trees: they need continual tending
- Look beyond the CMS to supporting
  - Technology
  - Process
  - Configuration

SAS Practice
- Published security guidelines
  - Setup and configuration guidelines
- Approved modules
  - Module approval procedure
- Dedicated security team doing active research

Questions?