Typo3 Security Team

TYPO3 Security Team - our infrastructure, how we work, your benefits, how to help us

TYPO3 Security Team - our infrastructure, how we work, your benefits, how to help us - by Marcus Krause <marcus@t3sec.info>

Overview
  • what we use
  • what we do
  • how you benefit
  • how you can help

Basics
  • founded in 2004
  • „selected team of people who is very focused on security“
    • Helmut Hummel (team leader v4)
    • Andreas Förthner (team leader v5)
    • Dmitry Dulepov
    • Lars E. D. Jensen
    • Oliver Klee
    • Marcus Krause
    • Rove Monteaux
    • Georg Ringer
    • Jochen Weiland

Infrastructure
  • issue tracker
  • time tracker
  • mailing lists (non-public)
    • team internal
    • core & security team
  • wiki
  • separate revision control repository (planned)

How we work
  • mailing lists (+)
  • IM
  • conference calls
  • real life meetings

What we do
  • incident handling (core, TER)
  • answering security questions
  • create/review core security fixes
  • (paid) extension security reviews
  • coordination with upstream vendors
  • monitoring core commits
  • introducing new security features
  • user education

Core security features
  TYPO3 4.3
  • Cookie security
  • OpenID (sysext:openid)
  • Asymmetric encryption (sysext:rsa)
  • Salted password hashes (sysext:saltedpasswords)
  TYPO3 4.4
  • HMAC (t3lib_div)

Advisories
  • announce mailing list (+) http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce
  • security news feed http://news.typo3.org/xml-feeds/
  • twitter http://twitter.com/typo3_security

Advisory improvements
  • Standardization (Extension Security Policy)
  • ISB/CSB
  • CVSS

Least Disclosure Policy
  • head start for vendor before public disclosure
  • vendor patches
  • no PoC
  • = responsible disclosure & least necessary information

Reports [email_address]

Reports 2009 #317

Your benefits
  • very good code quality in core
  • constantly improved
  • competitive product (open source CMS)
  • monitored third-party addons (TER)

How to help us
  • detailed vulnerability reports (version numbers, steps to reproduce, stock version, etc.)
  • quick-check of TER extension before install (DB API usage, intval, quoteStr, htmlspecialchars)
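To make the quick-check concrete, here is an added illustration (not from the slides or from the TYPO3 project) of the pattern a reviewer looks for in a TER plugin: the same frontend plugin method first as it would be flagged, then with the items named above applied. The class name tx_myext_pi1 and the table tx_myext_items are constructed; the TYPO3 4.x calls used (t3lib_div, $GLOBALS['TYPO3_DB']->exec_SELECTquery, fullQuoteStr, quoteStr, tslib_cObj::enableFields) are the real core API.

```php
<?php
// Added illustration (not from the slides): a hypothetical TYPO3 4.x frontend
// plugin, first as a reviewer would flag it, then with the quick-check applied.
// tx_myext_pi1 and tx_myext_items are constructed names.

class tx_myext_pi1 extends tslib_pibase {

    // Flagged: piVars reach the WHERE clause and the HTML output unmodified.
    function showItemWeak() {
        $uid  = $this->piVars['uid'];
        $name = $this->piVars['name'];
        $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
            'uid, title', 'tx_myext_items',
            'uid = ' . $uid . " AND name = '" . $name . "'"
        );
        $row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res);
        return '<h2>' . $row['title'] . '</h2>';
    }

    // Passes the quick-check: integer cast, DB API quoting, escaped output.
    function showItemHardened() {
        // intval: a numeric parameter can only ever be an integer in the query.
        $uid = intval($this->piVars['uid']);
        // fullQuoteStr escapes and adds the surrounding quotes; quoteStr is the
        // variant that escapes only, for values already inside a quoted literal.
        $name = $GLOBALS['TYPO3_DB']->fullQuoteStr(
            (string) $this->piVars['name'], 'tx_myext_items'
        );
        $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
            'uid, title', 'tx_myext_items',
            'uid = ' . $uid . ' AND name = ' . $name
                . $this->cObj->enableFields('tx_myext_items')
        );
        $row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res);
        $GLOBALS['TYPO3_DB']->sql_free_result($res);
        if (!$row) {
            return '';
        }
        // htmlspecialchars: stored data is escaped at the point it becomes HTML.
        return '<h2>' . htmlspecialchars($row['title']) . '</h2>';
    }
}
```

A reviewer grepping an extension for exec_SELECTquery, piVars and direct string concatenation into a WHERE clause finds the first shape quickly; the second shape is what the slide asks installers to check for before enabling a TER extension.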
Your support
  • donations to TYPO3 Association
  • supporting TYPO3 Association member

Questions?