Contextual Plone Security SaaS & SOA

  1. Plone Security, SaaS, & SOA
     Ken Wasetis, President, Contextual Corp.
     ken.wasetis@contextualcorp.com
     twitter . irc . skype: ctxlken
     http://www.contextualcorp.com
     Saturday, November 5, 2011
  2. PLONE SECURITY / SAAS / SOA
       • What Makes Plone Secure?
       • Security Analyses
       • Making Plone Even More Secure
       • Integration Capabilities
       • Existing Service Connectors
       • Add-on Modules
  3. PLONE SECURITY
     Python and Zope are Secure:
       • No Known Buffer Overflow Vulnerabilities in Python
       • Fine-grained Permissions (at every object level) in Zope
       • True ACLs in Zope
       • Workflow Permissions for Groups/Users/Roles
  4. PLONE SECURITY
       • All Form Data gets Validated (ensures proper types/values)
       • Pluggable Authentication Services (PAS are stackable, orderable)
       • Integration with LDAP, AD, Shibboleth, CAS, OpenID, ...
       • Default settings disallow/strip potentially malicious code from content (prevents cross-site scripting): <script>, <embed>, <object>, <form> ...
       • Used by DoD, FBI, NASA, Google, Navy, U.S. Air Force, Royal Bank of Scotland, ...
  5. PLONE SECURITY
     By Nature of What It Does NOT Use:
       • Not forced to use SQL (no SQL injection vulnerabilities). See: http://en.wikipedia.org/wiki/Sql_injection
       • Not forced to run on Windows (as with .Net-based tools)
       • Plone error pages do not reveal server/app information
       • Dedicated release manager
       • Professional development processes
     More info: http://plone.org/products/plone/security/overview
  6. Plone Security
       • Department of Homeland Security CVE/CCE Vulnerability Database: http://cve.mitre.org
       • Plone Metrics Blog: http://plonemetrics.blogspot.com/2010/04/cms-security.html
  7. Plone and SOA
       • SOA = Service Oriented Architecture (FB/Twitter APIs)
       • SaaS = Software as a Service (Salesforce.com, etc.)
       • Built-in XML-RPC; SOAP and other Python libraries
       • Authentication via LDAP, AD, OpenID, SQL, CAS, Facebook, many other PAS
       • Custom PAS / Single Sign-On
       • Diazo for Seamless Theme Experience (Plone, .Net, PHP, Java SaaS apps)
  8. MAKE PLONE EVEN MORE SECURE
       • LoginLockout Add-on (max attempts, then lockout duration)
       • PasswordStrength Add-on (editable regex rules/validation messages)
           - Must contain alpha + num
           - Must contain 8-12 characters
           - No repeating characters
           - Must contain special characters...
       • Stay Current on Versions (OS, Web Server, Python, Zope, Plone, Add-ons)
       • Securely Configure Your Web and Mail Servers (Apache, nginx, etc.)
       • SSL
  9. Plone Security In Action
     Here we go!
  10. Ken Wasetis
      President, Contextual Corp.
      ken.wasetis@contextualcorp.com
      http://www.contextualcorp.com
      twitter . irc . skype: ctxlken
  11. Case Studies
       • UCLA
       • RE-AMP
       • IARP
       • Cleversafe
       • Chicago History Museum
       • College of American Pathologists
       • Live Nation / Clear Channel / Feld
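As an added illustration of the two hardening add-ons named on slide 8 (this is example code written for this page, not the LoginLockout or PasswordStrength add-ons' own implementation), the block below models the slide's four password rules as editable regex/message pairs and a per-user failed-login counter with a lockout duration. The regexes, the `LoginLockout` class, and the injectable `clock` are assumptions chosen for the example; "no repeating characters" is interpreted as no consecutive repeats.

```python
import re
import time

# Rule table modelled on the slide's PasswordStrength list. Each entry is a
# (regex, validation message) pair, mirroring "editable regex rules/messages".
# These patterns are hypothetical, not the add-on's shipped defaults.
PASSWORD_RULES = [
    (r"^(?=.*[A-Za-z])(?=.*\d)", "Must contain alpha + num"),
    (r"^.{8,12}$", "Must contain 8-12 characters"),
    (r"^(?!.*(.)\1)", "No repeating characters"),  # no consecutive repeats
    (r"[^A-Za-z0-9]", "Must contain special characters"),
]


def password_violations(candidate):
    """Return the message of every rule the candidate password fails."""
    return [msg for pattern, msg in PASSWORD_RULES
            if not re.search(pattern, candidate)]


class LoginLockout:
    """Count consecutive failed logins per user and lock the user out for
    lockout_seconds once max_attempts is reached (constructed model)."""

    def __init__(self, max_attempts=3, lockout_seconds=600, clock=time.time):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock          # injectable for deterministic testing
        self.failures = {}          # user -> consecutive failed attempts
        self.locked_until = {}      # user -> unix time when lockout ends

    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: clear state so the user gets a fresh budget.
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def record_failure(self, user):
        """Register a failed login; return True if the user is now locked."""
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.max_attempts:
            self.locked_until[user] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, user):
        """A successful login resets the consecutive-failure counter."""
        self.failures.pop(user, None)
```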