Your SlideShare is downloading. ×
Contextual Plone Security SaaS & SOA
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Contextual Plone Security SaaS & SOA

742
views

Published on

Published in: Technology

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
742
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
16
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Plone Security, SaaS, & SOA Ken Wasetis . President, Contextual Corp. ken.wasetis@contextualcorp.com twitter . irc . skype: ctxlken http://www.contextualcorp.comSaturday, November 5, 2011
  • 2. PLONE SECURITY / SAAS / SOA What Makes Plone Secure? Security Analyses Making Plone Even More Secure Integration Capabilities Existing Service Connectors Add-on Modules http://www.contextualcorp.comSaturday, November 5, 2011
  • 3. PLONE SECURITY Python and Zope are Secure: No Known Buffer Overflow Vulnerabilities in Python Fine-grained Permissions (at every object level) in Zope True ACLs in Zope Workflow Permissions for Groups/Users/Roles http://www.contextualcorp.comSaturday, November 5, 2011
  • 4. PLONE SECURITY All Form Data gets Validated (ensures proper types/values) Pluggable Authentication Services (PAS are stackable, orderable) Integration with LDAP, AD, Shibboleth, CAS, OpenID, ... Default settings disallow/strip potentially malicious code from content (prevent cross-site scripting) <script>, <embed>, <object>, <form> ... Used by DoD, FBI, NASA, Google, Navy, U.S. Air Force, Royal Bank of Scotland, ... http://www.contextualcorp.comSaturday, November 5, 2011
  • 5. PLONE SECURITY By Nature of What It Does NOT Use: Not forced to use SQL (no SQL injection vulnerabilities) See: http://en.wikipedia.org/wiki/Sql_injection Not forced to run on Windows (as with .Net-based tools) Plone error pages do not reveal server/app information Dedicated release manager Professional development processes More info: http://plone.org/products/plone/security/overview http://www.contextualcorp.comSaturday, November 5, 2011
  • 6. Plone Security Department of Homeland Security CVE/CCE Vulnerability Database: http://cve.mitre.org Plone Metrics Blog: http://plonemetrics.blogspot.com/2010/04/cms-security.html http://www.contextualcorp.comSaturday, November 5, 2011
  • 7. Plone and SOA SOA = Service Oriented Architecture (FB/Twitter APIs) SaaS = Software as a Service (Salesforce.com, etc.) Built-in XML-RPC SOAP and other Python libraries Authentication via LDAP, AD, OpenID, SQL, CAS, Facebook, many other PAS Custom PAS / Single Sign-On Diazo for Seamless Theme Experience (Plone, .Net, PHP, Java SaaS apps) http://www.contextualcorp.comSaturday, November 5, 2011
  • 8. MAKE PLONE EVEN MORE SECURE LoginLockout Add-on (max attempts, then lockout duration) PasswordStrength Add-on (editable regex rules/validation messages) - Must contain alpha + num - Must contain 8-12 characters - No repeating characters - Must contain special characters... Stay Current on Versions (OS, Web Server, Python, Zope, Plone, Add-ons) Securely Configure Your Web and Mail Servers (Apache, ngnix, etc.) SSL http://www.contextualcorp.comSaturday, November 5, 2011
  • 9. Plone Security In Action Here we go! http://www.contextualcorp.comSaturday, November 5, 2011
  • 10. Ken Wasetis President, Contextual Corp. ken.wasetis@contextualcorp.com http://www.contextualcorp.com twitter . irc . skype: ctxlkenSaturday, November 5, 2011
  • 11. Case Studies UCLA RE-AMP IARP Cleversafe Chicago History Museum College of American Pathologists Live Nation / Clear Channel / Feld http://www.contextualcorp.comSaturday, November 5, 2011

×