Contextual Plone Security SaaS & SOA
 

Presentation Transcript

• Plone Security, SaaS, & SOA
  • Ken Wasetis, President, Contextual Corp.
  • ken.wasetis@contextualcorp.com
  • twitter / irc / skype: ctxlken
  • http://www.contextualcorp.com
  • Saturday, November 5, 2011
• PLONE SECURITY / SAAS / SOA
  • What Makes Plone Secure?
  • Security Analyses
  • Making Plone Even More Secure
  • Integration Capabilities
  • Existing Service Connectors
  • Add-on Modules
• PLONE SECURITY
  • Python and Zope are Secure:
    • No Known Buffer Overflow Vulnerabilities in Python
    • Fine-grained Permissions (at every object level) in Zope
    • True ACLs in Zope
    • Workflow Permissions for Groups/Users/Roles
• PLONE SECURITY
  • All Form Data gets Validated (ensures proper types/values)
  • Pluggable Authentication Services (PAS are stackable, orderable)
  • Integration with LDAP, AD, Shibboleth, CAS, OpenID, ...
  • Default settings disallow/strip potentially malicious code from content (prevent cross-site scripting): <script>, <embed>, <object>, <form> ...
  • Used by DoD, FBI, NASA, Google, Navy, U.S. Air Force, Royal Bank of Scotland, ...
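The slide above says that default Plone settings strip elements such as <script>, <embed>, <object> and <form> from user-supplied content before it is rendered. The Python filter below is an added illustration of what such a stripping pass does; it is not Plone's own safe_html transform or its configuration. It drops the four listed elements (the body of <script> as well), re-escapes the text it keeps and, as an assumption that goes a little beyond the slide, also removes on* event-handler attributes and javascript: URLs from the elements it lets through. The tag set and attribute rules are my own choices, and the sample fragments are constructed.

```python
from html import escape
from html.parser import HTMLParser

# Elements the slide says default Plone settings strip from user content.
STRIPPED_TAGS = {"script", "embed", "object", "form"}
# For these the inner text is dropped too: a <script> body is code, not content.
DROP_CONTENT_TAGS = {"script"}


class SafeHtmlFilter(HTMLParser):
    """Re-serialises an HTML fragment without the stripped elements.

    Assumption beyond the slide: inline event handlers (on*) and javascript:
    URLs are removed from the attributes of the elements that are kept.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = 0  # nesting depth inside a DROP_CONTENT_TAGS element

    @staticmethod
    def _safe_attrs(attrs):
        kept = []
        for name, value in attrs:
            if name.startswith("on"):  # onclick, onerror, onload, ...
                continue
            if value is not None and value.strip().lower().startswith("javascript:"):
                continue
            if value is None:
                kept.append(f" {name}")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.dropping += 1
            return
        if tag in STRIPPED_TAGS or self.dropping:
            return
        self.out.append(f"<{tag}{self._safe_attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        # Self-closing form, e.g. <embed src="..."/>: same rules, no end tag emitted.
        if tag in STRIPPED_TAGS or tag in DROP_CONTENT_TAGS or self.dropping:
            return
        self.out.append(f"<{tag}{self._safe_attrs(attrs)} />")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.dropping = max(0, self.dropping - 1)
            return
        if tag in STRIPPED_TAGS or self.dropping:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped, so decoded entities cannot turn back into markup.
        if not self.dropping:
            self.out.append(escape(data, quote=False))

    # Comments are dropped silently: HTMLParser's default handle_comment does nothing.


def safe_html(fragment):
    """Return the fragment with the stripped elements (and unsafe attributes) removed."""
    f = SafeHtmlFilter()
    f.feed(fragment)
    f.close()
    return "".join(f.out)


if __name__ == "__main__":
    # Constructed sample fragments, not real submitted content.
    for sample in (
        '<p>Hello <b>world</b></p><script>alert(1)</script>',
        '<form action="/x"><input name="q"></form>',
        '<a href="javascript:alert(1)" onclick="x()">link</a>',
        '<embed src="movie.swf"/>',
    ):
        print(repr(sample), "->", repr(safe_html(sample)))
```

Note that stripping the <form> element keeps its children (the <input> survives), which is the usual behaviour of tag-stripping filters and the reason most deployments also restrict the inner tags with an explicit allow list rather than a deny list like the one shown here.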
• PLONE SECURITY
  • By Nature of What It Does NOT Use:
    • Not forced to use SQL (no SQL injection vulnerabilities). See: http://en.wikipedia.org/wiki/Sql_injection
    • Not forced to run on Windows (as with .Net-based tools)
  • Plone error pages do not reveal server/app information
  • Dedicated release manager
  • Professional development processes
  • More info: http://plone.org/products/plone/security/overview
• Plone Security
  • Department of Homeland Security CVE/CCE Vulnerability Database: http://cve.mitre.org
  • Plone Metrics Blog: http://plonemetrics.blogspot.com/2010/04/cms-security.html
• Plone and SOA
  • SOA = Service Oriented Architecture (FB/Twitter APIs)
  • SaaS = Software as a Service (Salesforce.com, etc.)
  • Built-in XML-RPC
  • SOAP and other Python libraries
  • Authentication via LDAP, AD, OpenID, SQL, CAS, Facebook, many other PAS
  • Custom PAS / Single Sign-On
  • Diazo for Seamless Theme Experience (Plone, .Net, PHP, Java SaaS apps)
• MAKE PLONE EVEN MORE SECURE
  • LoginLockout Add-on (max attempts, then lockout duration)
  • PasswordStrength Add-on (editable regex rules/validation messages)
    • Must contain alpha + num
    • Must contain 8-12 characters
    • No repeating characters
    • Must contain special characters...
  • Stay Current on Versions (OS, Web Server, Python, Zope, Plone, Add-ons)
  • Securely Configure Your Web and Mail Servers (Apache, nginx, etc.)
  • SSL
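The two add-ons on the slide above describe two small mechanisms: a password-strength check driven by an editable table of regex rules with a validation message each, and a login lockout that counts failed attempts per account and then refuses logins for a fixed duration. The Python below is an added example of both, written for this page; it is not the code of the PasswordStrength or LoginLockout add-ons. The four rules are the ones listed on the slide, but the regexes are my own reading of them (I take "no repeating characters" to mean no two identical characters in a row), the default limits of 3 attempts and 600 seconds are assumptions, and the clock is injectable so the lockout expiry can be exercised without waiting.

```python
import re
import time
from collections import defaultdict

# Editable rule table in the spirit of the PasswordStrength add-on: (regex, message).
# The rules are the slide's; the regexes are my interpretation of them.
PASSWORD_RULES = [
    (r"^(?=.*[A-Za-z])(?=.*\d)", "Must contain alpha + num"),
    (r"^.{8,12}$", "Must contain 8-12 characters"),
    (r"^(?!.*(.)\1)", "No repeating characters"),  # no character repeated consecutively
    (r"[^A-Za-z0-9]", "Must contain special characters"),
]


def validate_password(password):
    """Return the messages of every rule the password fails (an empty list means accepted)."""
    return [message for pattern, message in PASSWORD_RULES if not re.search(pattern, password)]


class LoginLockout:
    """Per-account failed-login counter: after max_attempts failures the account is
    locked for lockout_seconds, and attempts during the lockout are rejected without
    consulting the password at all ("max attempts, then lockout duration")."""

    def __init__(self, max_attempts=3, lockout_seconds=600, clock=time.monotonic):
        self.max_attempts = max_attempts       # assumed default
        self.lockout_seconds = lockout_seconds  # assumed default
        self.clock = clock                      # injectable so tests can advance time
        self.failures = defaultdict(int)        # user -> consecutive failed attempts
        self.locked_until = {}                  # user -> clock value at which the lock expires

    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:  # lockout expired: clear the lock and reset the counter
            del self.locked_until[user]
            self.failures[user] = 0
            return False
        return True

    def attempt(self, user, password, check_credentials):
        """Return True on a successful login, False on a bad password or while locked."""
        if self.is_locked(user):
            return False
        if check_credentials(user, password):
            self.failures[user] = 0
            return True
        self.failures[user] += 1
        if self.failures[user] >= self.max_attempts:
            self.locked_until[user] = self.clock() + self.lockout_seconds
        return False


if __name__ == "__main__":
    # Constructed demo data: a fake credential store and a fake clock.
    fake_clock = [0.0]
    lockout = LoginLockout(clock=lambda: fake_clock[0])
    check = lambda user, pw: user == "alice" and pw == "Tr0ub4dor!"

    for candidate in ("password", "Ab1!", "Tr0ub4dor!"):
        print(candidate, "->", validate_password(candidate) or "accepted")
    for pw in ("wrong", "wrong", "wrong", "Tr0ub4dor!"):
        print("alice /", pw, "->", lockout.attempt("alice", pw, check))
    fake_clock[0] = 600.0  # lockout has elapsed
    print("alice / Tr0ub4dor! after expiry ->", lockout.attempt("alice", "Tr0ub4dor!", check))
```

Because the lock is keyed by account, a burst of bad passwords against a known username locks that user out as well, so deployments normally pair an add-on like this with per-source-address throttling at the web server and alert on clusters of lockouts rather than treating them as noise.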
• Plone Security In Action
  • Here we go!
• Ken Wasetis
  • President, Contextual Corp.
  • ken.wasetis@contextualcorp.com
  • http://www.contextualcorp.com
  • twitter / irc / skype: ctxlken
• Case Studies
  • UCLA
  • RE-AMP
  • IARP
  • Cleversafe
  • Chicago History Museum
  • College of American Pathologists
  • Live Nation / Clear Channel / Feld