2. Plone what?
• Enterprise CMS since 2001
• Among the top 2% of open source projects
• 340 core developers
• 300 solution providers from 57 countries
• Best security track record among major CMSes
6. 10 most common security vulnerabilities
Source: the OWASP (Open Web Application Security Project) Top 10
http://www.owasp.org/index.php/Top_10_2007#Summary
7. V1: Unvalidated Input
• All input in Plone is validated
• The framework makes sure you can never input invalid data
8. V2: Broken Access Control
• ACL/roles-based security model of Zope
• Unix-like: permissions are set per object and inherited down the folder tree
• Flexible and granular
• Well-proven (10+ years in production)
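To make "roles-based, granular, Unix-like" concrete, here is an added example (my own simplified model, not Zope's code) of the mechanism the slide refers to: each object maps permissions to roles, users hold roles globally or locally on an object, and both mappings are acquired from parent folders when an object does not set them. The site tree, the users (alice, bob, guest) and the role names are constructed for the example.

```python
# Added example, not Zope's own code: a simplified model of Zope-style
# roles-based access control. Permissions are mapped to roles per object,
# users get roles globally or locally on an object, and both mappings are
# acquired down the folder tree (like directory permissions in Unix).
from dataclasses import dataclass, field


@dataclass
class Obj:
    name: str
    parent: "Obj | None" = None
    # permission -> roles allowed here; an unset permission is acquired from the parent
    permission_roles: dict = field(default_factory=dict)
    # principal -> "local roles" granted on this object and everything below it
    local_roles: dict = field(default_factory=dict)


def roles_for_permission(obj, permission):
    """Walk towards the root until some object maps the permission explicitly."""
    node = obj
    while node is not None:
        if permission in node.permission_roles:
            return set(node.permission_roles[permission])
        node = node.parent
    return set()  # nobody, if no object in the chain grants it


def roles_of(user, global_roles, obj):
    """Global roles plus every local role granted on the path from the root to obj."""
    roles = set(global_roles.get(user, ())) | {"Anonymous"}
    node = obj
    while node is not None:
        roles |= set(node.local_roles.get(user, ()))
        node = node.parent
    return roles


def check_permission(user, global_roles, obj, permission):
    """True if any role the user has on obj is allowed the permission on obj."""
    return bool(roles_of(user, global_roles, obj) & roles_for_permission(obj, permission))


# Constructed sample site: a public root, a private folder and a document in it.
GLOBAL_ROLES = {"bob": {"Editor"}}  # hypothetical users and roles
root = Obj("root", permission_roles={"View": {"Anonymous", "Manager"},
                                     "Modify": {"Editor", "Manager"}})
private = Obj("private", root, permission_roles={"View": {"Owner", "Manager"}})
doc = Obj("doc", private, local_roles={"alice": {"Owner"}})

if __name__ == "__main__":
    for user, obj, perm in [("guest", root, "View"), ("guest", doc, "View"),
                            ("alice", doc, "View"), ("alice", doc, "Modify"),
                            ("bob", doc, "View"), ("bob", doc, "Modify")]:
        print(f"{user:5} {perm:6} on {obj.name}: "
              f"{check_permission(user, GLOBAL_ROLES, obj, perm)}")
```

The granularity comes from the two independent lookups: the private folder re-maps View to Owner and Manager, so an anonymous visitor who can view the root cannot view the document, while alice, who is Owner only on that document, can view it but still cannot modify it because Modify is acquired from the root and only mapped to Editor and Manager.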
9. V3: Broken Authentication and Session Management
• Authentication: username + salted SHA-1 hash of the password
• After authentication: a session ticket carrying the userid and an HMAC-SHA-1 over it, keyed with a server-side secret
• Secrets refreshed regularly
• Can also do OpenID, OAuth, LDAP, etc.
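The scheme on this slide, written out as an added example (my own illustration, not Plone's or plone.session's code): salted SHA-1 password verification with a constant-time compare, and an HMAC-SHA-1 session ticket that binds the userid and issue time to a server secret. The ticket layout, the 8-byte salt, the one-hour lifetime and the policy of keeping one previous secret after rotation (so users are not logged out the moment secrets are refreshed) are assumptions of this example.

```python
# Added example, not Plone's own code.
import hashlib
import hmac
import os
import time

SALT_LEN = 8  # assumption for this example


def hash_password(password, salt=None):
    """Salted SHA-1 as the slide describes; the salt is stored in front of the digest."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    return salt + hashlib.sha1(salt + password.encode()).digest()


def verify_password(password, stored):
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.sha1(salt + password.encode()).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class TicketService:
    """Issues and checks 'userid:issued:hmac' session tickets.

    Keeps the newest secret and the one before it, so a ticket signed just
    before a rotation stays valid until it expires (at most one rotation later).
    """

    def __init__(self, ttl=3600):
        self.ttl = ttl
        self.secrets = [os.urandom(32)]  # newest first

    def rotate(self):
        self.secrets = [os.urandom(32)] + self.secrets[:1]

    def _mac(self, secret, userid, issued):
        return hmac.new(secret, f"{userid}:{issued}".encode(), hashlib.sha1).hexdigest()

    def issue(self, userid, now=None):
        issued = int(now if now is not None else time.time())
        return f"{userid}:{issued}:{self._mac(self.secrets[0], userid, issued)}"

    def verify(self, ticket, now=None):
        """Return the userid for a valid, unexpired ticket, else None."""
        try:
            userid, issued, mac = ticket.rsplit(":", 2)
            issued = int(issued)
        except ValueError:
            return None
        now = int(now if now is not None else time.time())
        if now - issued > self.ttl:
            return None
        for secret in self.secrets:  # current secret first, then the previous one
            if hmac.compare_digest(mac, self._mac(secret, userid, issued)):
                return userid
        return None


if __name__ == "__main__":
    stored = hash_password("hunter2")
    print("password ok:", verify_password("hunter2", stored))
    svc = TicketService(ttl=100)
    ticket = svc.issue("alice", now=1000)
    print("ticket:", ticket)
    print("valid:", svc.verify(ticket, now=1050), "expired:", svc.verify(ticket, now=1200))
```

Two things a practitioner should take from this beyond the slide: because the HMAC covers the userid, changing the userid in the cookie invalidates it without the server storing any session state; and a salted SHA-1 is a fast hash, so a leaked user database can be brute-forced quickly, which is why a deliberately slow password hash (PBKDF2, bcrypt, scrypt or Argon2) is the usual choice today for the password half of the scheme.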
10. V4: Cross Site Scripting
• Strong HTML filtering
• Rich-text editor output is filtered: malicious tags (script, embed, form, etc.) are stripped
• All destructive requests (deletion, privilege escalation) must be valid HTTP POSTs
11. V5: Injection Flaws
• Plone doesn't use an SQL database by default
• When it does: all communication goes through a standard SQL connector that neutralises injection
12. V6: Improper Error Handling
• No error information is shown to site visitors
• All errors are logged internally
• Visitors see only the log entry number
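The split this slide describes, as an added example (my own code, not Plone's error_log): a request wrapper that catches any exception, writes the full traceback under a fresh entry id to an internal log, and returns a page that contains the entry id and nothing else about the failure. The logger name, the in-memory log handler standing in for the real log, and the wording of the visitor message are assumptions of this example.

```python
# Added example, not Plone's own error handling.
import logging
import traceback
import uuid


class ListHandler(logging.Handler):
    """Stand-in for the site's internal error log: keeps formatted records in memory."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


error_log = logging.getLogger("site.errors")  # hypothetical logger name
error_log.setLevel(logging.ERROR)
error_log.propagate = False
internal_log = ListHandler()
error_log.addHandler(internal_log)


def handle_request(view):
    """Run a view callable; on failure log the details internally and return only an entry id."""
    try:
        return 200, view()
    except Exception:
        entry_id = uuid.uuid4().hex[:12]
        # Exception type, message and traceback go to the internal log only.
        error_log.error("entry %s\n%s", entry_id, traceback.format_exc())
        return 500, ("We're sorry, but there seems to be an error. Please quote "
                     f"log entry {entry_id} when contacting the site administrator.")


def last_logged_entry():
    return internal_log.records[-1] if internal_log.records else ""


if __name__ == "__main__":
    status, body = handle_request(lambda: 1 / 0)
    print(status, body)
    print("--- internal log ---")
    print(last_logged_entry())
```

The entry id is what makes this usable in practice: a visitor reports it, and the administrator finds the matching traceback in the log, without the traceback (paths, versions, stack contents) ever being handed to an attacker who triggered the error deliberately.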
13. V7: Insecure Configuration Management
• Very strict security defaults out of the box
• Runs as an unprivileged user
• Website users have no access to the file system
14. When shit hits the fan
• Two major security vulnerabilities in 2011
• Discovered by the Plone Security Team
• *Very* responsible disclosure:
  • Announced 10 days in advance
  • Hotfixes for all recent major versions (even for 2.1, from 2005)
15. Thanks!
More at:
http://plone.org/products/plone/security/overview
Nejc Zupan
NiteoWeb Ltd.
@nzupan