The CIA Mindset: Securing Your WordPress Code” on March 19th. Using the classic CIA Security Triad, David will explore how developers can have more confidence in the Confidentiality, Integrity and Availability of their own WordPress sites, plugins and themes.
2. David Brumbaugh • @DavidEBrumbaugh • #Team10Up • www.10up.com
A CIA MINDSET
PLANNING YOUR WORDPRESS SITE'S SECURITY (FOR DEVELOPERS)
David Brumbaugh - Web Engineer, 10up
A premier web design & development consulting service provider,
and a contributor to open platforms like WordPress.
3. OCTOBER 2013, INFORMATIONWEEK: 70% OF WORDPRESS SITES VULNERABLE
That's Over 100M Sites
These Vulnerabilities are Preventable
4. Security is a Mindset
IT SHOULD PERMEATE HOW WE CODE
6. WORDPRESS CIA CODING
• ENVIRONMENTAL FACTORS
• CODE FOR CONFIDENTIALITY
• CODE FOR INTEGRITY
• CODE FOR AVAILABILITY
7. CONFIDENTIALITY
• Personal Information
  • Names, Email Addresses
• Customer Information
  • Order History
• Sensitive Information
  • Payment Information, Passwords, Health Data
8. CONFIDENTIALITY: HOSTING
IF THE HOST IS COMPROMISED - YOUR CODING DOESN'T MATTER.
CULTIVATE A GOOD RELATIONSHIP WITH THE HOST. AVOID THE “BLAME GAME”.
WITH A NEW (OR LARGE) HOST I USUALLY START THE SUPPORT TICKET WITH: “I AM A DEVELOPER”
9. CONFIDENTIALITY - WORDPRESS
Front End vs. Back End
Roles and Capabilities
Built In and Custom
Business Decisions - Purpose of Code Should Match Responsibilities
10. STANDARD ROLES
• Super Admin
• Administrator
• Editor
• Author
• Contributor
• Subscriber
SAMPLE CAPABILITIES
• edit_users
• activate_plugins
• delete_others_pages
• upload_files
• edit_posts
• read
USING CAPABILITIES IN CODE
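An added example of what a capability check looks like in plugin code (this is not the slide's own code). It assumes a hypothetical custom capability view_order_reports granted to editors on activation; the page slug, handler names and report contents are placeholders.

```php
<?php
/**
 * Plugin Name: Order Report (capability-check example)
 * Added example, not from the talk. Assumes a hypothetical custom
 * capability "view_order_reports" and a hypothetical report screen.
 */

// Grant the custom capability once, on activation. Capabilities are stored
// in the database, so this must not run on every request.
register_activation_hook( __FILE__, function () {
    $role = get_role( 'editor' ); // business decision: editors may view reports
    if ( $role ) {
        $role->add_cap( 'view_order_reports' );
    }
} );

// Back end: the menu page is gated by the capability, so users without it
// never see the link.
add_action( 'admin_menu', function () {
    add_menu_page(
        'Order Reports',        // page title
        'Order Reports',        // menu title
        'view_order_reports',   // capability required
        'order-reports',        // menu slug (hypothetical)
        'order_reports_render'  // render callback
    );
} );

// Defence in depth: re-check inside the callback. Hiding the menu link is
// not authorization; a direct request to the page URL still reaches here.
function order_reports_render() {
    if ( ! current_user_can( 'view_order_reports' ) ) {
        wp_die( esc_html__( 'You do not have permission to view this page.' ) );
    }
    echo '<div class="wrap"><h1>Order Reports</h1>';
    // ... report output, escaped on the way out ...
    echo '</div>';
}

// AJAX entry point: every entry point gets the same capability check, and a
// request that does work on the user's behalf also needs a nonce.
add_action( 'wp_ajax_export_order_report', function () {
    check_ajax_referer( 'export_order_report' );
    if ( ! current_user_can( 'view_order_reports' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // ... build and return the export ...
    wp_send_json_success();
} );
```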
12. CONFIDENTIALITY - WORDPRESS
CODE EXAMPLES FROM REPOSITORY
Members (Justin Tadlock)
Eyes Only (Kevin Behrens & Thom Stark)
Restricted Site Access (10up)
Editorial Access Manager (10up)
13. INTEGRITY
PROTECTION AGAINST: UNAUTHORIZED OR UNINTENDED MODIFICATION, DELETION, OR ADDITION OF DATA AND/OR PROGRAMS.
14. WP INTEGRITY THREATS
• Brute Force Attacks
  • Another computer “guesses” username/password
  • Username or password is intercepted (email)
• Injection Attacks
  • Another computer exploits failure to comply with best practices by injecting malicious code.
15. INTEGRITY - WORDPRESS CORE ADVANTAGES
• Open Source
  • Thousands of Eyes
  • Can Audit / Inspect
  • YOU Should Inspect It
  • https://make.wordpress.org/core/reports/
• Solid Organization Committed to Security
• Built In Security Functions (Only work if used)
• Version Updates - Automatic for Security Related, Can (usually should) be automated
  • You Should Push Security Updates ASAP
16. INTEGRITY - IN YOUR THEMES AND PLUGINS
• Update Procedures (i.e. WordPress.org Repository)
• Best Practices:
  • Input Validation and Sanitization
  • Validate and Escape Output
  • Beware Feature Bloat
17. INTEGRITY - BRUTE FORCE DEFENSE
• Check for Bad Usernames (admin, administrator etc.)
• Captcha - Advantages and disadvantages
• Enforce Strong Passwords
• Secure Password Delivery
  • Don't Email Passwords
  • Use One Time Secret
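An added example (not from the talk) of two items on this slide as a small must-use plugin: refusing the guessable usernames listed, and enforcing a minimum password length. The username list and the 12-character minimum are assumed values.

```php
<?php
// Added example, not from the talk. Reserved-username list and minimum
// length are assumed values; adjust for the site.

const HARDEN_RESERVED_USERNAMES = array( 'admin', 'administrator', 'root', 'test' );
const HARDEN_MIN_PASSWORD_LEN   = 12;

function harden_is_reserved_username( $username ) {
    return in_array( strtolower( trim( (string) $username ) ), HARDEN_RESERVED_USERNAMES, true );
}

// 1. Never let such an account be created (registration, wp-admin, WP-CLI
//    all pass through the validate_username filter).
add_filter( 'validate_username', function ( $valid, $username ) {
    return $valid && ! harden_is_reserved_username( $username );
}, 10, 2 );

// 2. Reject login attempts for those names. Priority 30 runs after
//    WordPress's own username/password handler (priority 20), so the result
//    is overridden whatever the password was. Rename any real account that
//    still uses one of these names before enabling this. The message is
//    deliberately generic so it reveals nothing about existing accounts.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( harden_is_reserved_username( $username ) ) {
        return new WP_Error( 'invalid_username', 'Invalid login credentials.' );
    }
    return $user;
}, 30, 2 );

// 3. Enforce a minimum length when a password is set on the profile or
//    user-edit screen. $user->user_pass is only present when the password
//    field was actually filled in, so unchanged passwords are not re-checked.
function harden_check_password_length( $errors, $update, $user ) {
    if ( ! empty( $user->user_pass ) && strlen( $user->user_pass ) < HARDEN_MIN_PASSWORD_LEN ) {
        $errors->add( 'pass', sprintf( 'Password must be at least %d characters.', HARDEN_MIN_PASSWORD_LEN ) );
    }
}
add_action( 'user_profile_update_errors', 'harden_check_password_length', 10, 3 );
```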
18. INTEGRITY - INJECTION DEFENSES
USE BUILT-IN ESCAPING, VALIDATION AND SANITIZING FUNCTIONS
Input Validation
19. INJECTION DEFENSES
Sanitizing: Cleaning User Input
20. INJECTION DEFENSES
Escaping: Securing Output
Why???
21. INJECTION DEFENSES
Escaping: Securing Output
How???
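An added example (not the slides' own code) of the three layers from slides 18 to 21 applied to one request: validation, sanitization, a prepared database query, and context-specific escaping on output. The form, the post-meta keys and the handler names are hypothetical.

```php
<?php
// Added example, not from the talk. Assumes a hypothetical form that lets a
// logged-in user save a "display name" and a "homepage" for a post and then
// shows them back on the front end.

add_action( 'admin_post_save_profile_card', 'profile_card_save' );

function profile_card_save() {
    // Integrity of the request itself: nonce and capability before any input is read.
    check_admin_referer( 'save_profile_card' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'forbidden', '', array( 'response' => 403 ) );
    }

    // Validation: reject what cannot possibly be right rather than repairing it.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'invalid post', '', array( 'response' => 400 ) );
    }

    // Sanitization: strip tags, stray whitespace and invalid bytes from free text;
    // keep only http(s) URLs.
    $name = isset( $_POST['display_name'] ) ? sanitize_text_field( wp_unslash( $_POST['display_name'] ) ) : '';
    $home = isset( $_POST['homepage'] ) ? esc_url_raw( wp_unslash( $_POST['homepage'] ), array( 'http', 'https' ) ) : '';
    if ( '' === $name || strlen( $name ) > 100 ) {
        wp_die( 'invalid name', '', array( 'response' => 400 ) );
    }
    update_post_meta( $post_id, 'card_name', $name );
    update_post_meta( $post_id, 'card_home', $home );

    // Database: anything that reaches SQL goes through $wpdb->prepare, never concatenation.
    global $wpdb;
    $count = $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->postmeta} WHERE meta_key = %s AND meta_value = %s",
        'card_name',
        $name
    ) );

    wp_safe_redirect( add_query_arg( 'saved', $count, wp_get_referer() ) );
    exit;
}

// Escaping: the stored values, escaped for the exact context they are printed into
// (attribute, URL, HTML text). Sanitizing on the way in does not replace this.
function profile_card_render( $post_id ) {
    $name = get_post_meta( $post_id, 'card_name', true );
    $home = get_post_meta( $post_id, 'card_home', true );
    echo '<p class="card" data-name="' . esc_attr( $name ) . '">';
    echo '<a href="' . esc_url( $home ) . '">' . esc_html( $name ) . '</a></p>';
}
```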
22. FILE & DATA INTEGRITY
• ALL PLUGINS / THEMES RUN AT THE SAME PERMISSION LEVEL
• SOME OTHER PLUGIN CAN MAKE YOURS VULNERABLE
• GIT AUTOMATICALLY INCLUDES INTEGRITY CHECKING
• CONSIDER A “CANONICAL” FILE INTEGRITY SOURCE: http://www.sitepoint.com/monitoring-file-integrity/
• SEARCH PLUGIN REPOSITORY FOR: “SECURITY MONITORING” AND/OR “FILE INTEGRITY MONITORING”
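An added example (not from the talk) of a minimal "canonical file integrity source" in plain PHP: build a manifest of SHA-256 hashes from a known-good checkout, store it outside the web root, and compare the live tree against it from cron. The paths in the usage comment are assumed values.

```php
<?php
// Added example, not from the talk. Hashes every file under $root and
// returns path => sha256, sorted so manifests are diff-friendly.
function integrity_hash_tree( $root ) {
    $hashes = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        if ( $file->isFile() ) {
            $rel = substr( $file->getPathname(), strlen( rtrim( $root, '/' ) ) + 1 );
            $hashes[ $rel ] = hash_file( 'sha256', $file->getPathname() );
        }
    }
    ksort( $hashes );
    return $hashes;
}

// Reports the three classes of change the slide warns about:
// added, deleted and modified files.
function integrity_diff( array $known, array $current ) {
    $report = array( 'added' => array(), 'deleted' => array(), 'modified' => array() );
    foreach ( $current as $path => $hash ) {
        if ( ! isset( $known[ $path ] ) ) {
            $report['added'][] = $path;
        } elseif ( ! hash_equals( $known[ $path ], $hash ) ) {
            $report['modified'][] = $path;
        }
    }
    foreach ( array_keys( $known ) as $path ) {
        if ( ! isset( $current[ $path ] ) ) {
            $report['deleted'][] = $path;
        }
    }
    return $report;
}

// Usage (assumed paths):
//   php integrity.php build /var/www/html/wp-content/plugins /etc/wp-manifest.json
//   php integrity.php check /var/www/html/wp-content/plugins /etc/wp-manifest.json
if ( PHP_SAPI === 'cli' && isset( $argv[3] ) ) {
    list( , $mode, $root, $manifest ) = $argv;
    if ( 'build' === $mode ) {
        file_put_contents( $manifest, json_encode( integrity_hash_tree( $root ), JSON_PRETTY_PRINT ) );
        exit( 0 );
    }
    $known  = json_decode( file_get_contents( $manifest ), true );
    $report = integrity_diff( $known, integrity_hash_tree( $root ) );
    foreach ( $report as $kind => $paths ) {
        foreach ( $paths as $p ) {
            echo strtoupper( $kind ), "\t", $p, "\n";
        }
    }
    // Non-zero exit so a cron job or monitor can alert on any change.
    exit( array_sum( array_map( 'count', $report ) ) ? 1 : 0 );
}
```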
23. AVAILABILITY
YOUR WORDPRESS SITE SHOULD BE AVAILABLE TO YOUR CUSTOMERS, USERS, ADMINISTRATORS AND CONTENT CREATORS WHEN THEY NEED IT.
24. AVAILABILITY
• OFTEN A FUNCTION OF INTEGRITY
  • ATTACKER LOCKS USERS OUT
  • DDOS LAUNCHED FROM COMPROMISED WP SITES IN 2013
• WORK WITH THE HOST
• PERFORMANCE
  • OPTIMIZATION (PROFILE)
  • CACHING
  • ASSET MANAGEMENT (CDN)
25. David Brumbaugh • @DavidEBrumbaugh • #Team10Up • www.10iup.com/cia-biz
C.I.A. RESOURCES
• developer.wordpress.org
• codex.wordpress.org
  • Sanitizing Input
  • Escaping Output
• Open Web Application Security Project
  • owasp.org
• CERT - Computer Emergency Readiness Team
  • http://www.us-cert.gov
  • Subscribe to Email Alerts
  • Filter your inbox by sender, WordPress
26. MORE C.I.A. RESOURCES - FROM 10UP
• PREVIOUSLY MENTIONED PLUGINS (WORDPRESS.ORG)
• BEST PRACTICES
  • https://10up.github.io/Engineering-Best-Practices/
• ONE TIME SECRET: https://secret.10up.com/