Contextual Plone Security SaaS & SOA
Transcript

  • 1. Plone Security, SaaS, & SOA
    Ken Wasetis, President, Contextual Corp.
    ken.wasetis@contextualcorp.com
    twitter / irc / skype: ctxlken
    http://www.contextualcorp.com
    Saturday, November 5, 2011
  • 2. PLONE SECURITY / SAAS / SOA
    - What Makes Plone Secure?
    - Security Analyses
    - Making Plone Even More Secure
    - Integration Capabilities
    - Existing Service Connectors
    - Add-on Modules
  • 3. PLONE SECURITY
    Python and Zope are Secure:
    - No Known Buffer Overflow Vulnerabilities in Python
    - Fine-grained Permissions (at every object level) in Zope
    - True ACLs in Zope
    - Workflow Permissions for Groups/Users/Roles
  • 4. PLONE SECURITY
    - All Form Data gets Validated (ensures proper types/values)
    - Pluggable Authentication Services (PAS are stackable, orderable)
    - Integration with LDAP, AD, Shibboleth, CAS, OpenID, ...
    - Default settings disallow/strip potentially malicious code from content (prevent cross-site scripting): <script>, <embed>, <object>, <form> ...
    - Used by DoD, FBI, NASA, Google, Navy, U.S. Air Force, Royal Bank of Scotland, ...
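To show what the "strip potentially malicious code from content" default on slide 4 amounts to in practice, here is an added example of a small allow-list HTML filter built on Python's html.parser. It is not Plone's own safe-HTML transform and not the presenter's code; the tag lists are assumptions chosen to mirror the slide (Plone's real filter is a separate, configurable component). It goes one step beyond the slide's list by also dropping inline on* event-handler attributes, since those carry script just as a <script> tag does.

```python
from html import escape
from html.parser import HTMLParser

# Tags the slide names as stripped by default. Assumed list for this example;
# Plone's actual filter is configured separately and covers more than this.
BLOCKED_TAGS = {"script", "embed", "object", "form"}
# For these, the content between the tags is dropped too, not just the tag
# itself (script bodies and object parameters are never useful as page text).
DROP_CONTENT_TAGS = {"script", "object"}
# Void elements never get a closing tag when re-serialised.
VOID_TAGS = {"br", "hr", "img", "input"}


class SafeHTML(HTMLParser):
    """Re-serialise HTML, keeping only tags and attributes that are not on the
    block lists. Text is re-escaped on output so stray '<' cannot form tags."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._drop_depth = 0  # >0 while inside a DROP_CONTENT_TAGS element

    def handle_starttag(self, tag, attrs):
        if self._drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self._drop_depth += 1  # nested <object> inside <object>
            return
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth = 1
            return
        if tag in BLOCKED_TAGS:
            return  # drop the tag but keep its child text (e.g. <form> contents)
        # Drop inline event handlers (onclick, onerror, ...): an added rule,
        # not something the slide lists.
        safe_attrs = [(k, v) for k, v in attrs if not k.lower().startswith("on")]
        attr_text = "".join(
            f' {k}="{escape(v or "", quote=True)}"' for k, v in safe_attrs
        )
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if self._drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self._drop_depth -= 1
            return
        if tag in BLOCKED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._drop_depth:
            # convert_charrefs decoded entities on input; re-escape on output.
            self.out.append(escape(data, quote=False))


def sanitize(html: str) -> str:
    """Return the filtered HTML for one piece of user-supplied content."""
    parser = SafeHTML()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample inputs, the kind of markup a content editor might paste.
    for sample in (
        '<p class="x">Hi <script>alert(1)</script>there</p>',
        '<img src="x" onerror="alert(1)">',
        '<form action="/submit"><b>ok</b></form>',
        '<embed src="movie.swf">',
    ):
        print(repr(sample), "->", repr(sanitize(sample)))
```

A filter like this is only one layer: a production safe-HTML transform also has to check URL-bearing attributes (href, src) for non-http schemes and should be applied when content is saved, not only when it is rendered, so that the stored copy is already clean.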
  • 5. PLONE SECURITY
    By Nature of What It Does NOT Use:
    - Not forced to use SQL (no SQL injection vulnerabilities)
      See: http://en.wikipedia.org/wiki/Sql_injection
    - Not forced to run on Windows (as with .Net-based tools)
    - Plone error pages do not reveal server/app information
    - Dedicated release manager
    - Professional development processes
    More info: http://plone.org/products/plone/security/overview
  • 6. Plone Security
    Department of Homeland Security CVE/CCE Vulnerability Database: http://cve.mitre.org
    Plone Metrics Blog: http://plonemetrics.blogspot.com/2010/04/cms-security.html
  • 7. Plone and SOA
    - SOA = Service Oriented Architecture (FB/Twitter APIs)
    - SaaS = Software as a Service (Salesforce.com, etc.)
    - Built-in XML-RPC
    - SOAP and other Python libraries
    - Authentication via LDAP, AD, OpenID, SQL, CAS, Facebook, many other PAS
    - Custom PAS / Single Sign-On
    - Diazo for Seamless Theme Experience (Plone, .Net, PHP, Java SaaS apps)
  • 8. MAKE PLONE EVEN MORE SECURE
    - LoginLockout Add-on (max attempts, then lockout duration)
    - PasswordStrength Add-on (editable regex rules/validation messages)
      - Must contain alpha + num
      - Must contain 8-12 characters
      - No repeating characters
      - Must contain special characters...
    - Stay Current on Versions (OS, Web Server, Python, Zope, Plone, Add-ons)
    - Securely Configure Your Web and Mail Servers (Apache, nginx, etc.)
    - SSL
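The two add-ons on slide 8 describe two small mechanisms: a table of regex rules with a message per rule, and a per-user failure counter with a lockout duration. The following is an added example implementing both in plain Python; it is not the code of the LoginLockout or PasswordStrength add-ons and not the presenter's. The rule table, the reading of "no repeating characters" as "no two identical characters in a row", the class and function names, and the injectable clock are all assumptions made for this example.

```python
import re
import time

# Editable rule table in the spirit of the PasswordStrength slide:
# (regex, whether the regex must match, message shown when the rule fails).
# Constructed for this example; the add-on's own rule format may differ.
PASSWORD_RULES = [
    (r"(?=.*[A-Za-z])(?=.*\d)", True, "Must contain alpha + num"),
    (r"^.{8,12}$", True, "Must contain 8-12 characters"),
    (r"(.)\1", False, "No repeating characters"),  # assumed: no two identical in a row
    (r"[^A-Za-z0-9]", True, "Must contain special characters"),
]


def check_password(password, rules=PASSWORD_RULES):
    """Return the messages of every violated rule; an empty list means it passes.
    Returning all violations at once lets the user fix them in one go."""
    problems = []
    for pattern, must_match, message in rules:
        if bool(re.search(pattern, password)) != must_match:
            problems.append(message)
    return problems


class LoginLockout:
    """Count consecutive failed logins per username and lock the account for a
    fixed duration once the maximum is reached. The clock is injectable so the
    expiry logic can be tested without sleeping."""

    def __init__(self, max_attempts=3, lockout_seconds=600, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}      # username -> consecutive failed attempts
        self._locked_until = {}  # username -> clock value when the lock expires

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: clear state so later failures start a fresh count.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user):
        """Register one failed attempt; return True if the user is now locked."""
        if self.is_locked(user):
            return True  # attempts during the lockout do not shorten it
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_attempts:
            self._locked_until[user] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, user):
        """A successful login resets the consecutive-failure counter."""
        self._failures.pop(user, None)


if __name__ == "__main__":
    print(check_password("Aa1!bcde"))   # passes every rule
    print(check_password("aaaaaaaa"))   # several messages
    lock = LoginLockout(max_attempts=3, lockout_seconds=600)
    for _ in range(3):
        print("locked:", lock.record_failure("editor"))
```

The login path should call is_locked() before checking credentials at all, so that a locked account returns the same response whether or not the password was right; counting per username (and not only per source IP) is what makes the lockout apply to the account rather than to one client.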
  • 9. Plone Security In Action
    Here we go!
  • 10. Ken Wasetis
    President, Contextual Corp.
    ken.wasetis@contextualcorp.com
    http://www.contextualcorp.com
    twitter / irc / skype: ctxlken
  • 11. Case Studies
    - UCLA
    - RE-AMP
    - IARP
    - Cleversafe
    - Chicago History Museum
    - College of American Pathologists
    - Live Nation / Clear Channel / Feld