Hi, I need to convince my client that Umbraco has security and penetration vulnerabilities secured. I cannot find any documentation on Umbraco’s security credentials. Eg. How does Umbraco test/document security vulnerabilities in any code they produce.
Why is this not available? Can anyone help or anyone who has done any Pen Tests, can they provide information to me. I really want to win this project with client, but this issue seems to be a sticking point.
Security and penetration testing is a tricky business, as the companies who specialise in that field are usually very very good - and thorough. So generally if a vulnerability is found, the last thing anyone wants is mass panic and exposing threats to existing websites/users.
Many Umbraco websites that I have developed have gone through penetration tests and only a couple of times there has been a genuine concern - which at that point I would contact the Core/HQ team via a private ticket on the issue tracker. That way only the people who need to see the issue are involved.
In those few occasions where there has been a critical issue, the Core/HQ team have resolved the issue promptly, with a patch release.
As for the credentials - the passwords are hashed + salted and stored in the database. For added security you can enable HTTPS/SSL for the back-office, so that a user's password is not send as clear-text over the wire.
Thanks for your speedy reply Lee. I do understand that security vulnerabilities shouldn’t be mass reported - too risky!
What I’m really after is a security spec from Umbraco that details what security initiatives are in place to make Umbraco a robus and impenetrable CMS.
I haven't seen any security implementation docs about Umbraco. It is worth dropping a message to the Core dev mailing list, as someone on there may have something? (Posting here is fine, but the mailing list has a different audience)
Need to sell Umbraco security credentials to client
Hi, I need to convince my client that Umbraco has security and penetration vulnerabilities secured. I cannot find any documentation on Umbraco’s security credentials. Eg. How does Umbraco test/document security vulnerabilities in any code they produce.
Why is this not available? Can anyone help or anyone who has done any Pen Tests, can they provide information to me. I really want to win this project with client, but this issue seems to be a sticking point.
Immediate help would be much appreciated.
Hi Robert,
Security and penetration testing is a tricky business, as the companies who specialise in that field are usually very very good - and thorough. So generally if a vulnerability is found, the last thing anyone wants is mass panic and exposing threats to existing websites/users.
Many Umbraco websites that I have developed have gone through penetration tests and only a couple of times there has been a genuine concern - which at that point I would contact the Core/HQ team via a private ticket on the issue tracker. That way only the people who need to see the issue are involved.
In those few occasions where there has been a critical issue, the Core/HQ team have resolved the issue promptly, with a patch release.
For details on how major vulnerabilities are dealt with, see the blog post from May 2013 (Security update - two major vulnerabilities found)
As for the credentials - the passwords are hashed + salted and stored in the database. For added security you can enable HTTPS/SSL for the back-office, so that a user's password is not send as clear-text over the wire.
Cheers,
- Lee
Thanks for your speedy reply Lee. I do understand that security vulnerabilities shouldn’t be mass reported - too risky!
What I’m really after is a security spec from Umbraco that details what security initiatives are in place to make Umbraco a robus and impenetrable CMS.
Cheers, Rob
Hi Rob,
I haven't seen any security implementation docs about Umbraco. It is worth dropping a message to the Core dev mailing list, as someone on there may have something? (Posting here is fine, but the mailing list has a different audience)
https://groups.google.com/forum/#!forum/umbraco-dev
Cheers,
- Lee
is working on a reply...