CMS Security - Ruth Cheesley - CMS Africa 2014


CMS Security

Ruth Cheesley - @RCheesley

Good afternoon, and thank you for inviting me to speak at CMS Africa

Joomla! Community Leadership Team for just over a year; User Group team, Marketing Working Group.

Experiences within Open Source communities, and particularly around the topic of getting more women involved in technology.

Passionate about promoting Science Tech Eng Maths as an exciting and interesting career choice for women.

Laying the foundations

Security starts before you even get to installing the CMS; it starts when you select a hosting provider.

- Hosting
- Experience with CMSs
- Linux based (personal preference)

- Security practices

- Trust
- Working with contractors
- Extensions

Refer to the Joomla! docs / JCM for more detail.

- resources.joomla.org

Understand permissions

It's important to understand how file & folder permissions work. Use the best practices for your CMS, don't compromise on this because your hosting environment isn't set up properly.

World (the world, the universe, and everything)

Group (a set of users)

Owner (owns the file)

Understand permissions

Read (r): can view the file. chmod +r / -r. Numerical value = 4

Write (w): can make changes or modify the file. chmod +w / -w. Numerical value = 2

Execute (x): can run the file (generally applicable at the command line). chmod +x / -x. Numerical value = 1

NOTE: Folders cannot be listed, and files within can't be accessed, if the folder does not have execute permissions.

Understand permissions

Owner / Group / World

755: 7 (read + write + execute) rwx / 5 (read + execute) r-x / 5 (read + execute) r-x

644: 6 (read + write) rw- / 4 (read) r-- / 4 (read) r--
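The permission tables above as runnable code. This is an added example, not code from the talk or from Joomla!: it converts between the symbolic and numeric forms, then audits a (constructed) site tree against the 644 for files / 755 for folders baseline the slides use, reporting anything that deviates. The file names in the sample tree are invented for the demo.

```python
import os
import shutil
import stat
import tempfile

# Added example, not from the talk: the permission table as code, plus an
# audit of a site tree against the baseline the slides give (files 644 =
# rw-r--r--, folders 755 = rwxr-xr-x). The sample tree is constructed here.

BIT_VALUES = {"r": 4, "w": 2, "x": 1}
FILE_MODE = 0o644
DIR_MODE = 0o755


def symbolic_to_octal(mode: str) -> str:
    """'rwxr-xr-x' -> '755': each of owner, group, world sums r=4, w=2, x=1."""
    if len(mode) != 9:
        raise ValueError("expected nine characters, e.g. rwxr-xr-x")
    digits = []
    for i in range(0, 9, 3):
        value = 0
        for ch, expected in zip(mode[i:i + 3], "rwx"):
            if ch == expected:
                value += BIT_VALUES[ch]
            elif ch != "-":
                raise ValueError(f"unexpected character {ch!r} in {mode!r}")
        digits.append(str(value))
    return "".join(digits)


def octal_to_symbolic(octal: str) -> str:
    """'644' -> 'rw-r--r--'."""
    out = []
    for digit in octal:
        value = int(digit)
        out.append("r" if value & 4 else "-")
        out.append("w" if value & 2 else "-")
        out.append("x" if value & 1 else "-")
    return "".join(out)


def audit_tree(root: str) -> list:
    """Return (path, actual_octal) for every file that is not 644 and every
    folder that is not 755. Folders must keep the x bit or nothing inside
    them can be listed or opened, which is the NOTE on the slide."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        candidates = [(dirpath, DIR_MODE)]
        candidates += [(os.path.join(dirpath, f), FILE_MODE) for f in filenames]
        for path, expected in candidates:
            if os.path.islink(path):
                continue  # symlink modes are not meaningful here
            actual = stat.S_IMODE(os.lstat(path).st_mode)
            if actual != expected:
                findings.append((path, format(actual, "o")))
    return findings


def demo_tree() -> list:
    """Constructed sample site: one world-writable script under images/."""
    root = tempfile.mkdtemp()
    try:
        os.chmod(root, DIR_MODE)
        os.mkdir(os.path.join(root, "images"))
        os.chmod(os.path.join(root, "images"), DIR_MODE)  # mkdir applies umask
        for name, mode in (("configuration.php", 0o644), ("images/upload.php", 0o777)):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("<?php // constructed sample\n")
            os.chmod(path, mode)
        return [(os.path.relpath(p, root), m) for p, m in audit_tree(root)]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(symbolic_to_octal("rwxr-xr-x"), octal_to_symbolic("644"))
    for path, mode in demo_tree():
        print(f"{mode}  {path}")
```

Run it against a real document root by calling audit_tree("/path/to/site"); the only finding from the constructed tree is the 777 file, which is exactly the kind of "fix it with chmod 777 because the host is misconfigured" shortcut the slide warns against.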

Joomla! permissions

Your weakest link

James Steidl - Fotolia.com

- Passwords

- Updates

- Vulnerable extensions

- Viruses/compromise

Keep up to date

iQoncept - Fotolia.com

It's your job to stay up to date with security updates.

Make sure that you sign up for updates from extensions and template providers

Keep up to date with CMS core updates, apply them.

This is your responsibility as web developer. If you use a CMS, you take the responsibility for keeping it secure.

Sell ethically to your clients

puckillustrations - Fotolia.com

Sell the CMS with the understanding that clients need to update.

Opportunity: sell them training.

Opportunity: sell a support contract.

Be clear. Be responsible. If they aren't willing to do updates themselves, or pay you to do it, walk away.

Modern security practices

James Steidl - Fotolia.com

Keep up to date with new developments

MD5

Salting

bcrypt

Things are changing all the time. You have to keep up to date with these changes by keeping your CMS up to date (and/or by getting involved in Open Source projects to bring these new features to your CMS).
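The three stages on the slide side by side, as an added example that is not code from the talk or from any CMS. bcrypt is not in the Python standard library, so the third stage uses PBKDF2-HMAC-SHA256 from hashlib as a stand-in; the property it shares with bcrypt, a random per-user salt plus a tunable work factor stored alongside the hash, is the point being made. Scheme names and the "$"-separated storage format are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example, not from the talk: unsalted MD5 -> salted hash -> slow salted
# hash. PBKDF2 stands in for bcrypt here because bcrypt needs a third-party
# package; the storage format "scheme$...$digest" is invented for the demo.


def md5_hash(password: str) -> str:
    """Stage 1: unsalted MD5. Identical passwords give identical hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Stage 2: random per-user salt, so equal passwords no longer match."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return "sha256$" + salt.hex() + "$" + digest


def slow_hash(password: str, iterations: int = 200_000,
              salt: Optional[bytes] = None) -> str:
    """Stage 3: salted and deliberately slow; the cost is stored with the hash
    so it can be raised later without breaking existing users."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2$" + str(iterations) + "$" + salt.hex() + "$" + dk.hex()


def verify(stored: str, password: str) -> bool:
    """Recompute with the stored salt (and cost) and compare in constant time."""
    scheme, rest = stored.split("$", 1)
    if scheme == "sha256":
        salt_hex, _digest = rest.split("$")
        candidate = salted_hash(password, bytes.fromhex(salt_hex))
    elif scheme == "pbkdf2":
        iters, salt_hex, _digest = rest.split("$")
        candidate = slow_hash(password, int(iters), bytes.fromhex(salt_hex))
    else:
        raise ValueError("unknown scheme: " + scheme)
    return hmac.compare_digest(candidate, stored)


def same_password_same_hash(hash_fn) -> bool:
    """Would two users who chose the same password be stored identically?"""
    return hash_fn("correct horse battery") == hash_fn("correct horse battery")


if __name__ == "__main__":
    print("md5 leaks shared passwords:", same_password_same_hash(md5_hash))
    print("salted does not:", same_password_same_hash(salted_hash))
    record = slow_hash("example-only")
    print(record)
    print("verify ok:", verify(record, "example-only"),
          "wrong:", verify(record, "not-it"))
```

Two things to take from it: with MD5 every user who picked the same password is stored with the same hash, which a salt removes; and with the slow scheme the cost parameter lives in the record, so upgrading the work factor is a matter of rehashing at next login, which is how a CMS migrates users forward as its defaults change.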

Implement 2 Factor Authentication

How many people have 2 factor authentication enabled?

Use YubiKeys or a mobile phone app (Google Authenticator).

Easy to implement, easy to explain: something you know (password) and something you have (unique one-time password).
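What the "something you have" factor actually computes, as an added example that is not code from the talk or from any CMS plugin: the time-based one-time password of RFC 6238, built on the HOTP of RFC 4226, which is the algorithm apps such as Google Authenticator implement. The secret used is the RFC test-vector key, not a real one; the replay-tracking set and the skew window are choices made for this example.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example, not from the talk: TOTP (RFC 6238) on top of HOTP (RFC 4226).
# RFC_TEST_KEY is the published test-vector secret, not a real credential.

RFC_TEST_KEY = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian counter, dynamically truncated to N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """The counter is simply the number of 30-second steps since the epoch."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                window: int = 1, used=None) -> bool:
    """Accept the current step plus/minus `window` steps for clock skew, compare
    in constant time, and (if a `used` set is passed) refuse a code whose step
    was already accepted, so a captured code cannot be replayed."""
    current = at_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        counter = current + delta
        if used is not None and counter in used:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            if used is not None:
                used.add(counter)
            return True
    return False


def provisioning_secret(raw: bytes) -> str:
    """Base32 form of the secret, which is what gets typed into the app."""
    return base64.b32encode(raw).decode().rstrip("=")


if __name__ == "__main__":
    now = int(time.time())
    print("app secret:", provisioning_secret(RFC_TEST_KEY))
    print("code right now:", totp(RFC_TEST_KEY, now))
    print("verifies:", verify_totp(RFC_TEST_KEY, totp(RFC_TEST_KEY, now), now))
```

The password stays the "something you know"; the six digits are derived from a secret only the user's device and the server hold, change every 30 seconds and, with the `used` set, are good for one login only. Server clock accuracy matters: the window exists for small skew, not as a substitute for NTP.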

Web application firewalls

Problems with spam?

Admin tools for Joomla

Project Honeypot
Stop forum spam

Black/whitelist

Look out for malicious activity and block it before it gets to your site.

Hide admin panel

Test your backups

Plan for disaster

Sooner or later, even with the best security, you will have a disaster happen.

The client deletes the site, the server gets compromised, the site gets compromised.

To find more information

magazine.joomla.org

docs.joomla.org

Ruth Cheesley - @RCheesley