Vulnerabilities (statistic), Possible risks, What is security in a CMS, A lot of tips, Server / CMS funnel, ImpressCMS security features

1. My Name is René Sato from the Project “ImpessCMS”. Thank you for visiting this presentation. Our topic is today: CMS and Security Welcome – CMS Security

3. Vulnerabilities: the candidates

4. Vulnerabilities: CMS / year

5. Security is not a measure -> the question is subjective. Same like: What is „hot“ Security and money -> elaborate for the application -> but you have to protect the important informations Security and usability -> user access control is maybe a barrier -> Session-Timeout is not user friendly -> Password meter is confusing the visitor But in the most of the case you need the elements. Therefore: Security is supposed to be part of the „master plan“ for a new Website. Therefore, always keep in mind security. What is security in a CMS

6. piracy (data theft) data loss image damage of your company identity theft / identity fraud unavailability of your website, after a attack attacks against users by the CMS possible risks

7. 10 tips and more

8. Use “.htaccess” and protect your folders A lot of tips - 1/10

9. Create a “robots.txt” and disallow folders A lot of tips – 2/10

10. Server error handling (401 – 505) with your CMS A lot of tips – 3/10

11. Change the META content for “generator” A lot of tips – 4/10

12. Create a difficult database prefix A lot of tips – 5/10

13. Enable SSL for their domain A lot of tips – 6/10

14. Use SFTP only A lot of tips – 7/10

15. Secure E-mail addresses in your website with “GD protection” or “reCaptcha” * don’t use a default admin as an access * pickup a secure password for the admin A lot of tips – 8/10

16. Ban all spamers and bots A lot of tips – 9/10

17. don’t use a default admin as an access and pickup a secure password for the admin Good passwords for your users A lot of tips – 10/10

18. Other tips Increase your awareness. Subscribe to your CMS Development Blog. It should be on your list of feed so you are updated about recent development, including security issues. Update. Your CMS takes only a few minutes to update, so spend some time at the end of the day to do so. I prefer to allocate some time in the weekend though. With update, I don’t mean just the core code, but also the plugins, libraries and or modules. Use supported themes. If you are not a theme designer, make sure you use a theme that is well supported so if there are problems you know who to run to for a solution. Backup often. There is no reason not to do so because you can easily schedule backups of your CMS database and files. Be safe rather than sorry. A lot of tips – other

19. Server / CMS funnel Web Server- Database- and CMS Security funnel 1. intelligent server security 2. database security 3. basic CMS configuration 4. CMS user groups 5. CMS user permissions 6. Module permissions 7. third-party libraries 8. check attacks 9. update your system 10. go back to 1.

20. * randomize database table prefix * separate sensitive data and place in “trust path” * randomize the “trust path” directory name * randomize the name of the secure data file * full integration with HTML Purifier (with options) * multiple password hash options, selectable by site * admin warnings for practices not followed * of course, protector module * session regeneration on login * using salt keys * protect email addresses against SPAM * handling of server-errors * the installer don't create a default admin * password meter (with security level) for the user * 17 password encryption (recommend is SHA256) ImpressCMS security features

21. Any questions? If not, I like to present you our ImpressCMS now... www.impresscms.org

22. Icons by: GNOME Desktop Created by: René Sato http://www.impresscms.de Thank you / Credits Thank you: skenow, phoenyx, Madfish, david Thank you to all Open Source CMS around the world.