Presentation is loading. Please wait.

Presentation is loading. Please wait.

CMS Security Justin Klein Keane CMS Working Group March 3, 2010.

Published byMadeline Horton Modified over 8 years ago

Similar presentations

Presentation on theme: "CMS Security Justin Klein Keane CMS Working Group March 3, 2010."— Presentation transcript:

1 CMS Security Justin Klein Keane CMS Working Group March 3, 2010

2 Overview Background in CMS development  ASP, Java, Cold Fusion, Perl, Python and PHP CMS security generalities  Specifics drawn from SAS deployment of Drupal

3 Insecurity is a Given Software engineering studies show bugs per KLOC  Predicatable average # of bugs in code  Some portion are security related Some vulnerabilities are not functional flaws Information security is an evolving space

4 Considering a CMS Given any system chosen will be insecure: How do you choose a CMS?

5 Ubiquity How widely used is the CMS? Recognize this could mean higher risk Wide use may also mean more eyeballs  But not necessarily

6 Modularity Is the system monolithic?  Important in understanding impact  Also affects upgrades How does modularity affect scope?

7 Patch Management/Upgrade How easy is upgrade?  Monitor for advisories  Evaluate  Acquire  Prioritize and schedule  Test and approve  Create and test deploy  Deploy  Confirm  Clean up  Document

8 Compartmentalization Complexity is the enemy of security What is level of dependence in the system?  OS, web server, db server, programming language, etc. Component security concerns How sill component security affect the CMS?

9 Measuring Vulnerability Tempting to measure reported vulnerabilities  Potential false metric (more eyes = more bugs) Mean time to patch is a good metric Severity of vulnerability Better metric is project activity  People involved, update release, community “noise” Healthy dev community = faster patching

10 Maturity Not necessarily longevity How closely does the CMS model a “real” enterprise system? Established security team Security reporting and response procedure

11 User Management CMS offers power to users in varying scale How is privilege separated Can you disable/protect dangerous permissions?

12 Configuration Consider: Many security flaws are configuration issues How can configuration be changed to increase the security posture of your CMS? Are there security configuration guides/guidelines available?

13 Security Testing Automated web app testing in infancy  If used be sure to test behind authentication Manual testing is still the best way Complexity of systems obviates advantage of source code in many cases System should be tested as a whole before deployment Components should be tested prior to install Patches/upgrades should be tested Commit to a continuous security testing cycle If you don't have resources is it possible to leverage others'?

14 Commitment to Security Must be ongoing Security space evolves Systems are digital bonsai trees Look beyond the CMS to supporting  Technology  Process  configuration

15 SAS Practice Published security guidelines  Setup and Configuration guidelines Approved modules  Module approval procedure Dedicated security team doing active research

16 Questions?

Download ppt "CMS Security Justin Klein Keane CMS Working Group March 3, 2010."

Similar presentations

Implementing Tableau Server in an Enterprise Environment

Implementing Tableau Server in an Enterprise Environment
A Guide to Open Source Technologies for Project Managers Cameron Barrett.

A Guide to Open Source Technologies for Project Managers Cameron Barrett.
High level QA strategy for SQL Server enforcer

High level QA strategy for SQL Server enforcer
Project Management Summary Castor Development Team Castor Readiness Review – June 2006 German Cancio, Giuseppe Lo Presti, Sebastien Ponce CERN / IT.

Project Management Summary Castor Development Team Castor Readiness Review – June 2006 German Cancio, Giuseppe Lo Presti, Sebastien Ponce CERN / IT.
Acquia Cloud Drupal Platform-as-a-Service. Market Size [1,00,000+ sites] Innovation [10,000+ modules] Community [500,000+ members] “… is as much a Social.

Acquia Cloud Drupal Platform-as-a-Service. Market Size [1,00,000+ sites] Innovation [10,000+ modules] Community [500,000+ members] “… is as much a Social.
Adding scalability to legacy PHP web applications Overview Mario A. Valdez-Ramirez.

Adding scalability to legacy PHP web applications Overview Mario A. Valdez-Ramirez.
Your Logo Here An Administrative Framework for the Blackboard Academic Suite Presented By Chris J Jones University of Oklahoma HSC April 13, 2005.

Your Logo Here An Administrative Framework for the Blackboard Academic Suite Presented By Chris J Jones University of Oklahoma HSC April 13, 2005.
John Langsford 13 September 2006 CI Implementation Project.

John Langsford 13 September 2006 CI Implementation Project.
Software Frameworks for Acquisition and Control European PhD – 2009 Horácio Fernandes.

Software Frameworks for Acquisition and Control European PhD – 2009 Horácio Fernandes.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
May 11, 2011 PHP Hypertext Preprocessor. What is the technology? ✤ Server side scripting and programming language. ✤ Can be embedded in HTML ✤ Free and.

May 11, 2011 PHP Hypertext Preprocessor. What is the technology? ✤ Server side scripting and programming language. ✤ Can be embedded in HTML ✤ Free and.
Patching MIT SUS Services IS&T Network Infrastructure Services Team.

Patching MIT SUS Services IS&T Network Infrastructure Services Team.
BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN121051 Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.

BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.
Engineering the Cloud Andrew McCombs March 10th, 2011.

Engineering the Cloud Andrew McCombs March 10th, 2011.
Patch Management Strategy

Patch Management Strategy
Does Change Management Include Patches? Joel Howard, RingMaster Software Northern California OAUG San Ramon 2004.

Does Change Management Include Patches? Joel Howard, RingMaster Software Northern California OAUG San Ramon 2004.
DNN LOVES JENKINS FOR CONTINUOUS INTEGRATION

DNN LOVES JENKINS FOR CONTINUOUS INTEGRATION
Release & Deployment ITIL Version 3

Release & Deployment ITIL Version 3
Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.

Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.
Page  1 SaaS – BUSINESS MODEL Debmalya Khan DEBMALYA KHAN.

Page  1 SaaS – BUSINESS MODEL Debmalya Khan DEBMALYA KHAN.

Similar presentations

Ads by Google