  • Robert Godino 32 posts 121 karma points
    Feb 14, 2014 @ 00:29
    Robert Godino
    0

    Need to sell Umbraco security credentials to client

    Hi, I need to convince my client that Umbraco has security and penetration vulnerabilities secured. I cannot find any documentation on Umbraco’s security credentials. Eg. How does Umbraco test/document security vulnerabilities in any code they produce.

    Why is this not available? Can anyone help or anyone who has done any Pen Tests, can they provide information to me. I really want to win this project with client, but this issue seems to be a sticking point.

    Immediate help would be much appreciated.

  • Lee Kelleher 3888 posts 14668 karma points MVP 9x admin c-trib
    Feb 14, 2014 @ 00:47
    Lee Kelleher
    1

    Hi Robert,

    Security and penetration testing is a tricky business, as the companies who specialise in that field are usually very very good - and thorough. So generally if a vulnerability is found, the last thing anyone wants is mass panic and exposing threats to existing websites/users.

    Many Umbraco websites that I have developed have gone through penetration tests and only a couple of times there has been a genuine concern - which at that point I would contact the Core/HQ team via a private ticket on the issue tracker. That way only the people who need to see the issue are involved.

    In those few occasions where there has been a critical issue, the Core/HQ team have resolved the issue promptly, with a patch release.

    For details on how major vulnerabilities are dealt with, see the blog post from May 2013 (Security update - two major vulnerabilities found).


    As for the credentials - the passwords are hashed + salted and stored in the database. For added security you can enable HTTPS/SSL for the back-office, so that a user's password is not sent as clear-text over the wire.

    Cheers,
    - Lee

  • Robert Godino 32 posts 121 karma points
    Feb 14, 2014 @ 01:15
    Robert Godino
    0

    Thanks for your speedy reply Lee. I do understand that security vulnerabilities shouldn’t be mass reported - too risky!

    What I’m really after is a security spec from Umbraco that details what security initiatives are in place to make Umbraco a robust and impenetrable CMS.

    Cheers, Rob

  • Lee Kelleher 3888 posts 14668 karma points MVP 9x admin c-trib
    Feb 14, 2014 @ 11:01
    Lee Kelleher
    0

    Hi Rob,

    I haven't seen any security implementation docs about Umbraco. It is worth dropping a message to the Core dev mailing list, as someone on there may have something? (Posting here is fine, but the mailing list has a different audience)

    https://groups.google.com/forum/#!forum/umbraco-dev

    Cheers,
    - Lee
