Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror

Comment Most insecure popular CMS? I don't think so! (Score 1) 78

by metamodguy (#26967153) Attached to: Joomla! Web Security

"Most insecure popular CMS out there" - That's a crazy assertion - measuring insecurity by the number of automated attacks?

If you look at milw0rm there may seem to be a number of reported vulnerabilities, but they are almost completely due to 3rd party extensions, most of which I have never heard of. And that's not surprising considering there are over 4400 3rd party extensions listed on the extensions.joomla.org site.

Modern (1.5) Joomla has come a long way and a lot of attention is being paid to security issues. One of the main mistakes people make is to install a whole bunch of 3rd party extensions that they don't understand, and have no idea how to evaluate.

Stephen Brandon

Comment Re:Yawn. Nothing to do with Joomla OR web security (Score 2, Insightful) 78

by metamodguy (#26963317) Attached to: Joomla! Web Security

OWASP is excellent and should be required study for anyone writing web applications...

m-wielgo is right on another point too - this book is not about writing secure applications using the Joomla framework. It's for people setting up Joomla web sites, not for programmers.

There are other books available on Joomla programming, including one published recently, and such information belongs in those books.

There are many aspects to security. Good programming practise is extremely important, and if the underlying CMS is badly coded then there's no point in trying to teach good sysadmin on top of it. I don't happen to think that this is such a problem with Joomla, especially recently. Some of the extensions are another matter. But when you have over 4400 extensions available for Joomla you can't assume all of them are well coded, and you need some skills to evaluate things before putting them into production on your site.

Another side of security is physical security - well covered in this book.

Another is about making good decisions in the whole process - choice of CMS, choice of hosting, choice of add-ons. Some of this is covered in this book.

Another is about contingency planning and corporate responsibility, angles that Tom Canavan addresses at length.

And so the list goes on.

When there are so few books available to train budding Joomla admins, I think the choice of angle to take in a book is very important. What's going to help the most people get up to speed on good solid security practises, and avoid the greatest number of security incidents?

I need my admins to know about apache setup/security. File permissions. PhpSuExec etc. Good passwords. HTTP Basic Auth and SSL for admin tasks. Choosing a good host. How to evaluate Joomla extensions. Good backup procedures. Logging and how to read logs. Testing. Recognising attacks. Knowing when to fix symptoms vs when to reinstall from scratch and/or move hosting.

Many of these are covered in this book (to some degree), and for that I say it's useful. At the very least it's a good start, as a lot of the skills mentioned come with practise and experience.

Stephen Brandon

Slashdot Top Deals

The difference between reality and unreality is that reality has so little to recommend it. -- Allan Sherman

Close