Security is Everyone responsibility

Transcript

1. Security it really is everyone’s responsibility @tnash

2. Tim Nash - WordPress Platform Lead & Developer Advocate at

3. DEV/SEC/OPS

4. None

5. Enterprise infrastructure Physical and Virtual hardware Workstations, laptops device chaos

   Users… lots of users, lots and lots of users. Twitter: @tnash

6. Once upon a time, in a land far far away…

   (Watford)
7. None

8. What is security?

9. Security Governance Information Security

10. Who is responsible?

11. None

12. You are!

13. None

14. Is WordPress “Secure”

15. YES!*

16. Is WordPress.org “Secure”

17. HMMM….

18. None
19. None
20. None
21. None
22. None
23. None
24. None
25. None
26. None

27. function df_save_options() { $fields = $_REQUEST; foreach($fields as $key =>

    $field) { if($key!="action") { echo $key."-".$field; update_option($key,$field); } } die(); } add_action('wp_ajax_nopriv_df_save_options', 'df_save_options'); add_action('wp_ajax_df_save_options', 'df_save_options');
28. None
29. None

30. doooomed!

31. None
32. None
33. None

34. Isolation

35. Make sure nothing is web accessible until you are sure

    things are sorted

36. Identification

37. Single entry can leave multiple re- entry points

38. Restore

39. How far back can you go?

40. Check

41. New passwords WordPress/Plugins/Themes up to date software up to date

    Users/Files audited

42. Remove from blacklists

43. It’s not just Google you need to worry about… …This

    is a long process
44. None

45. Practice good security hygiene

46. Updates…

47. Automatic updates are your friend If you worried use a

    canary

48. Update everything

49. 2 Factor Authentication

50. Google Authenticator Clef Two Factor (Feature Plugin)

51. PassPhrases

52. Long Passphrases Make it easy for you not a computer!

53. https://xkcd.com/936/

54. Password Manager…

55. Backup

56. ‘Never trust someone else to back up YOUR content, especially

    not your host’
 Tim ‘Works for a hosting company’ Nash

57. Don’t rely on WordPress to backup, use a system independent

    solution.

58. Code Guard VaultPress BlogVault

59. Have you tested your backup?

60. HTTPS

61. HTTPS (HTTP over SSL)

62. SSL (Secure Socket Layer)

63. It’s all a LIE!!!!!

64. HTTP over TLS1.2

65. HTTPS (HTTP (secure)Encrypted)

66. None

67. Browser Server Request Packet Response Packet

68. Browser Server Request Packet Response Packet Client ‘Hello’ Server ‘Hello’

    Cryptographic information Server Certificate Client Key Exchange Send’s Key info signed with servers key Sends Client Certificate Client ‘finished’ Server ‘finished’
69. None

70. HTTPS Everything

71. Let’s Encrypt no excuse https://www.ssllabs.com/ssltest/

72. Seriously HTTPS Everything, just redirect port 80 traffic

73. START SSL is really bad for your health

74. HTTP(S) Security headers

75. HSTS - Force everything over HTTPS x-site-origin - Avoid clickjacking

    Content Security Policy - specify what assets/ locations to load X-XSS-Protection - what it says Public-Key-Pins - verify certificate with second key X-Content-Type-Options - prevent auto detection of content type

76. https://wordpress.org/plugins/wp- content-security-policy/ https://wordpress.org/plugins/ security-headers/

77. Find the good plugins

78. Should you use a “security plugin”

79. YES,NO,MAYBE

80. Developers it’s your fault

81. Everyone makes mistakes, fix them, admit them move on. Make

    contact easy, or your mistake will be plastered on the web

82. Getting serious, automating security testing

83. You already do tests right?

84. Mittn BDD-Security gauntlt DIY (using tools like Codeception)

85. Getting hacked is not the end of the world

86. Security is everyones responsibility

87. Audit your plugins and theme Update all the things Use

    secure passphrases Use HTTPS Set security headers when you can Keep good logs

88. and BACKUP!

89. Tim Nash timnash.co.uk @tnash 34SP.com [email protected]