Contextual Plone Security SaaS & SOA
1. Plone Security, SaaS, & SOA
Ken Wasetis . President, Contextual Corp.
ken.wasetis@contextualcorp.com
twitter . irc . skype: ctxlken
http://www.contextualcorp.com
Saturday, November 5, 2011
2. PLONE SECURITY / SAAS / SOA
What Makes Plone Secure?
Security Analyses
Making Plone Even More Secure
Integration Capabilities
Existing Service Connectors
Add-on Modules
3. PLONE SECURITY
Python and Zope provide a secure foundation:
Python is memory-safe, so application code cannot introduce buffer overflows (the C interpreter and C extensions are the only place such bugs can live)
Fine-grained Permissions, checked at every object level, in Zope
True ACLs in Zope (roles granted per user or group on any object, inherited down the tree)
Workflow Permissions for Groups/Users/Roles (each workflow state maps permissions to roles)
4. PLONE SECURITY
All form data is validated (types and values are checked before use)
Pluggable Authentication Service (PAS plugins are stackable and orderable)
Integration with LDAP, AD, Shibboleth, CAS, OpenID, ...
Default settings strip potentially malicious markup from content to prevent cross-site scripting: <script>, <embed>, <object>, <form>, ...
Used by DoD, FBI, NASA, Google, Navy, U.S. Air Force, Royal Bank of Scotland, ...
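The filtering rule on the previous bullet, as an added example that is not Plone's own safe_html transform: an allow-list HTML filter that drops unknown tags, discards the bodies of <script> and <style>, removes on* event-handler attributes and rejects href values whose scheme is not http, https or mailto. The tag and attribute allow-lists are assumptions chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Allow-list of tags kept in user-supplied content (assumption: a small
# illustrative subset, not Plone's configured list).
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "h2", "h3"}
# Tags whose content is thrown away entirely instead of being unwrapped.
DROP_CONTENT_TAGS = {"script", "style"}
# Per-tag attribute allow-list; everything else (including on* handlers) is dropped.
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}


def _safe_url(url: str) -> bool:
    """Accept relative URLs and http/https/mailto; reject javascript:, data:, ..."""
    stripped = url.strip().lower()
    scheme = stripped.split(":", 1)[0] if ":" in stripped else ""
    return scheme in ("", "http", "https", "mailto")


class SafeHTML(HTMLParser):
    """Re-emit only allow-listed markup; text is always re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._drop_depth = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth += 1
            return
        if self._drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not _safe_url(value or ""):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth = max(0, self._drop_depth - 1)
            return
        if self._drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(escape(data, quote=False))


def sanitize(html: str) -> str:
    """Return html with only allow-listed tags/attributes and escaped text."""
    parser = SafeHTML()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample of the kind of markup a content editor might paste.
    sample = '<p onclick="x()">Hi <script>alert(1)</script><b>there</b></p>'
    print(sanitize(sample))
```

Because text nodes are re-escaped on output, a stray `<` or `&` in body text cannot reopen markup, and the parser (not a regex) decides where tags begin and end, which is what makes the allow-list reliable.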
5. PLONE SECURITY
By nature of what it does NOT use:
Not forced to use SQL: content lives in the ZODB object database, so the Plone core has no SQL query text for an attacker to inject into (add-ons that do talk to a SQL database still need parameterized queries)
See: http://en.wikipedia.org/wiki/Sql_injection
Not forced to run on Windows (unlike .NET-based tools)
Plone error pages do not reveal server/application details
Dedicated release manager
Professional development processes
More info: http://plone.org/products/plone/security/overview
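The add-on caveat above, as an added example that is neither from the slides nor from Plone: a constructed in-memory sqlite3 table stands in for an add-on's SQL store, and the same lookup is written once with the username formatted into the query text and once with it passed as a bound parameter. The injection described on the linked page works only against the first form.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; stands in for an add-on's member store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the user-supplied value becomes part of the SQL text."""
    sql = "SELECT username FROM members WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized: the driver sends the value separately from the SQL text,
    so quotes inside it are data, never syntax."""
    sql = "SELECT username FROM members WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"  # classic tautology injection
    print("unsafe:", lookup_unsafe(conn, payload))  # returns every row
    print("safe:  ", lookup_safe(conn, payload))    # returns nothing
```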
6. Plone Security
CVE/CCE vulnerability databases (maintained by MITRE, sponsored by the Department of Homeland Security):
http://cve.mitre.org
Plone Metrics Blog: http://plonemetrics.blogspot.com/2010/04/cms-security.html
7. Plone and SOA
SOA = Service Oriented Architecture (e.g. the Facebook/Twitter APIs)
SaaS = Software as a Service (Salesforce.com, etc.)
Built-in XML-RPC
SOAP and other protocols via Python libraries
Authentication via LDAP, AD, OpenID, SQL, CAS, Facebook, many other PAS
Custom PAS / Single Sign-On
Diazo for Seamless Theme Experience (Plone, .Net, PHP, Java SaaS apps)
8. MAKE PLONE EVEN MORE SECURE
LoginLockout add-on (lock the account after a maximum number of failed attempts, for a configurable duration)
PasswordStrength add-on (editable regex rules and validation messages), e.g.:
- Must contain letters and digits
- Must contain 8-12 characters
- No repeating characters
- Must contain special characters...
Stay current on versions (OS, web server, Python, Zope, Plone, add-ons)
Securely configure your web and mail servers (Apache, nginx, etc.)
SSL/TLS for the site
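The two add-on behaviours listed above, as an added example that is not the LoginLockout or PasswordStrength add-ons' own code: a password checker driven by an editable list of (regex, message) rules, and a per-user failure counter that locks the account for a fixed window once the maximum is reached. The rule list, the `attempt_login` helper and the injectable clock are assumptions for illustration; the 12-character upper bound from the slide is deliberately not enforced, since a maximum length only weakens passwords.

```python
import hmac
import re
import time
from collections import defaultdict

# Editable rule set (assumption): each entry is a regex that must match and
# the message returned when it does not.
PASSWORD_RULES = [
    (r"[A-Za-z]", "must contain a letter"),
    (r"[0-9]", "must contain a digit"),
    (r"[^A-Za-z0-9]", "must contain a special character"),
    (r"^.{8,}$", "must be at least 8 characters"),
]
NO_REPEATS = re.compile(r"(.)\1")  # any character immediately repeated


def check_password(pw: str) -> list:
    """Return the messages for every rule the password fails (empty = ok)."""
    failures = [msg for pattern, msg in PASSWORD_RULES if not re.search(pattern, pw)]
    if NO_REPEATS.search(pw):
        failures.append("must not repeat a character consecutively")
    return failures


class LoginLockout:
    """Lock a user after max_attempts failures; unlock after lockout_seconds."""

    def __init__(self, max_attempts=5, lockout_seconds=600, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable so the window can be tested offline
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: clear state so the counter starts over.
            del self._locked_until[user]
            self._failures[user] = 0
            return False
        return True

    def record_failure(self, user: str) -> bool:
        """Count a failed login; return True if the user is now locked."""
        if self.is_locked(user):
            return True
        self._failures[user] += 1
        if self._failures[user] >= self.max_attempts:
            self._locked_until[user] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)


def attempt_login(lock: LoginLockout, user: str, supplied: str, expected: str) -> str:
    """Constructed credential check: 'locked', 'failed' or 'ok'.
    Locked users are refused before the password is compared."""
    if lock.is_locked(user):
        return "locked"
    if hmac.compare_digest(supplied.encode(), expected.encode()):
        lock.record_success(user)
        return "ok"
    return "locked" if lock.record_failure(user) else "failed"


if __name__ == "__main__":
    print(check_password("Pl0ne!rocks"))   # []
    print(check_password("aa1!"))          # length and repeat failures
    lock = LoginLockout(max_attempts=3, lockout_seconds=60)
    for _ in range(3):
        print(attempt_login(lock, "bob", "wrong", "right"))
```

Refusing a locked user before the password comparison matters: otherwise a correct guess during the lockout window would still be confirmed by a different response time or message.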
9. Plone Security In Action
Here we go!
10. Ken Wasetis
President, Contextual Corp.
ken.wasetis@contextualcorp.com
http://www.contextualcorp.com
twitter . irc . skype: ctxlken
11. Case Studies
UCLA
RE-AMP
IARP
Cleversafe
Chicago History Museum
College of American Pathologists
Live Nation / Clear Channel / Feld