Security overview of plone

A short security overview of the Plone CMS.

1. Security overview of Plone
   Nejc Zupan, NiteoWeb Ltd. (Image courtesy of http://wallpaperstock.net)

2. Plone what?
   • Enterprise CMS since 2001
   • Among the top 2% of open source projects
   • 340 core developers
   • 300 solution providers, from 57 countries
   • Best security track record among major CMSes

3. Best security track record?

4. ... in numbers (March 30, 2011)
   PHP-based stacks:
   • CVE entries containing Drupal: 371
   • CVE entries containing Joomla: 653
   • CVE entries containing MySQL: 282
   • CVE entries containing PHP: 18,859
   Plone stack:
   • CVE entries containing Plone: 13
   • CVE entries containing Zope: 27
   • CVE entries containing Python: 111
   • CVE entries containing Postgre: 82

5. How does Plone fight for security?

6. 10 most common security vulnerabilities
   Open Web Application Security Project (OWASP) Top 10, 2007: http://www.owasp.org/index.php/Top_10_2007#Summary

7. V1: Unvalidated Input
   • All input in Plone is validated
   • The framework makes sure you can never input invalid data

8. V2: Broken Access Control
   • ACL/roles-based security model of Zope
   • Unix-like
   • Flexible and granular
   • Well-proven (10+ years in production)

9. V3: Broken Authentication and Session Management
   • Authentication: username + SHA-1 salted hash of the password
   • After authentication: a SHA-1 session with a secret and the userid (HMAC-SHA-1)
   • Secrets refreshed regularly
   • Can also do OpenID, OAuth, LDAP, etc.

10. V4: Cross Site Scripting
   • Strong HTML filtering
   • Rich-text editor strips malicious tags (script, embed, form, etc.)
   • All destructive requests (deletion, privilege escalation) must be valid HTTP POST

11. V5: Injection Flaws
   • Plone doesn't use an SQL database by default
   • When it does: all communication goes through a standard injection-neutralizing SQL connector

12. V6: Improper Error Handling
   • No error information shown to site visitors
   • All errors logged internally
   • Visitors only see the log entry number

13. V7: Insecure Configuration Management
   • Very strict security defaults out of the box
   • Runs as an unprivileged user
   • Website users do not have access to the file system

14. When shit hits the fan
   • Two major security vulnerabilities in 2011
   • Discovered by the Plone Security Team
   • *Very* responsible disclosure:
     • 10 days' advance notice
     • Hotfixes for all recent major versions (even for 2.1 from 2005)

15. Thanks!
   More at: http://plone.org/products/plone/security/overview
   Nejc Zupan, NiteoWeb Ltd., @nzupan
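The session scheme on slide 9, as an added example that is not Plone's own plone.session code: an HMAC-SHA-1 ticket that binds the userid to a server-side secret, plus a keyring that keeps the previous secret so a regular secret refresh does not invalidate every live session at once. The names (SessionKeyring, make_ticket, verify_ticket) and the ticket layout are assumptions made for this illustration.

```python
import hashlib
import hmac
import time

# Constructed illustration, not Plone's implementation. Ticket layout
# (assumed): 40 hex chars of HMAC-SHA-1 | 8 hex chars issue time | userid.


class SessionKeyring:
    """Current secret first, plus the one previous secret for a grace period."""

    def __init__(self, secret: bytes) -> None:
        self.secrets = [secret]

    def rotate(self, new_secret: bytes) -> None:
        # New tickets use the newest secret; old tickets stay valid for one rotation.
        self.secrets = [new_secret] + self.secrets[:1]


def _mac(secret: bytes, userid: str, issued: int) -> str:
    # NUL separator so "ab"+"1" and "a"+"b1" cannot collide inside the MAC input.
    msg = f"{userid}\0{issued}".encode()
    return hmac.new(secret, msg, hashlib.sha1).hexdigest()


def make_ticket(keyring: SessionKeyring, userid: str, now=None) -> str:
    issued = int(now if now is not None else time.time())
    return f"{_mac(keyring.secrets[0], userid, issued)}{issued:08x}{userid}"


def verify_ticket(keyring: SessionKeyring, ticket: str, now=None, max_age=3600):
    """Return the userid if the ticket is authentic and fresh, else None."""
    if len(ticket) < 48:
        return None
    mac, issued_hex, userid = ticket[:40], ticket[40:48], ticket[48:]
    try:
        issued = int(issued_hex, 16)
    except ValueError:
        return None
    current = int(now if now is not None else time.time())
    if issued > current or current - issued > max_age:
        return None  # clock skew or expired
    for secret in keyring.secrets:  # accept the current or the previous secret
        if hmac.compare_digest(mac, _mac(secret, userid, issued)):
            return userid
    return None  # forged, tampered, or signed with a retired secret
```

A second rotation retires the secret a ticket was signed with, so sessions older than one refresh interval must re-authenticate.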