Hardening Principles
Copyright © 2000-2013 Liferay, Inc.
All Rights Reserved.
No material may be reproduced electronically or in print, duplicated,
copied, sold, resold, or otherwise exploited for any commercial purpose
without express written consent of Liferay, Inc.
Time for
DEMO!
Let's d0 s0me hacking
WHAT IS HARDENING?
“Hardening refers to providing various means of protection in a computer system.
Protection is provided in various layers and is often referred to as defense in depth.
Protecting in layers means to protect at the host level, the application level, the
operating system level, the user level, the physical level and all the sublevels in
between. Each level requires a unique method of security.”
- http://www.techopedia.com/definition/24833/hardening
“In computing, hardening is usually the process of securing a system by reducing its
surface of vulnerability. A system has a larger vulnerability surface the more that it does;
in principle a single-function system is more secure than a multipurpose one. Reducing
available vectors of attack typically includes the removal of unnecessary software,
unnecessary usernames or logins and the disabling or removal of unnecessary services.”
- http://en.wikipedia.org/wiki/Hardening_(computing)
LAYERS OF HARDENING
NETWORK
SERVER
APPLICATION
NETWORK
Liferay Portal's operating environment is usually spread across multiple servers.
NETWORK - HARDENING
Think about which connections are actually needed.
Allow the Liferay server to reach only the servers it requires: database, Solr, disk share, web services, the staging/live server...
Liferay Portal should not have a direct Internet connection:
inbound connections come through an HTTP server placed in front of it
outbound connections to the Internet go through a proxy
Image: wikipedia.org
SERVER
The server Liferay runs on
Image: wikipedia.org
SERVER - HARDENING
Server administration (Unix, Linux)
No root-level access, only sudo
Administrators should use their own personal user IDs to administer
Block unnecessary ports with a firewall
Disable unwanted services
Every application and service should run under its own operating system user account
Separate disk spaces (partitions) for the system, application, data, logs and temp files
chroot the application server installation
APPLICATION
Liferay
specific hardening principles
APPLICATION – LIFERAY #1
Remove demo data!
(if it exists)
APPLICATION – LIFERAY #2
Disable or change the default administrative account. Change the username / email / password.
portal.properties ( default value )
default.admin.screen.name=test
default.admin.password=test
default.admin.email.address.prefix=test
## These properties only seed the account when the portal starts for the first time;
## on an existing installation change or deactivate the account in the Control Panel.
APPLICATION – LIFERAY #3
Keep your Liferay system patched!
APPLICATION – LIFERAY #4
Disable account creation if self-registration is not required!
portal.properties ( default value )
company.security.strangers=true
# Also good to disable OpenID authentication if it is not used
open.id.auth.enabled=true
APPLICATION – LIFERAY #5
Make sure that passwords are stored securely!
portal.properties ( default value )
passwords.encryption.algorithm=SHA
## SHA here is an unsalted digest; SHOULD BE SSHA (salted) or better
APPLICATION – LIFERAY #6
Design a permission scheme for portal users!
NEVER run portal users with the Administrator role
APPLICATION – LIFERAY #7
Do not show portlets to users who do not have permission!
portal.properties ( default value )
layout.show.portlet.access.denied=true
## Set to false so that users without VIEW permission do not see the portlet at all
APPLICATION – LIFERAY #8
Change the authentication token shared secret
portal.properties ( default value )
auth.token.shared.secret=BAHyWOT9TbPB
## The shipped value is public; set your own random secret in portal-ext.properties
APPLICATION – LIFERAY #9
Do not touch the p_auth and p_p_auth token settings! Leave the CSRF token check and the default resource check at their defaults:
portal.properties ( default value )
auth.token.check.enabled=true
portlet.add.default.resource.check.enabled=true
APPLICATION – LIFERAY #10
Disable auto-login functionality that is not required!
portal.properties ( default value )
## Set the filters you do not need to false
com.liferay.portal.servlet.filters.autologin.AutoLoginFilter=true
com.liferay.portal.servlet.filters.sso.cas.CASFilter=true
com.liferay.portal.servlet.filters.sso.ntlm.NtlmFilter=true
com.liferay.portal.servlet.filters.sso.ntlm.NtlmPostFilter=true
com.liferay.portal.servlet.filters.sso.opensso.OpenSSOFilter=true
com.liferay.portal.sharepoint.SharepointFilter=true
## Remove the hooks you do not need from the list
auto.login.hooks=com.liferay.portal.security.auth.CASAutoLogin...
auto.login.ignore.hosts=
auto.login.ignore.paths=
APPLICATION – LIFERAY #11
HTTP / HTTPS ?
APPLICATION – LIFERAY #12
Disable Liferay remote services that are not used, and restrict the ones that are!
portal.properties ( default value )
spring.remoting.servlet.hosts.allowed=127.0.0.1,SERVER_IP
spring.remoting.servlet.https.required=false
tunnel.servlet.hosts.allowed=127.0.0.1,SERVER_IP
tunnel.servlet.https.required=false
axis.servlet.hosts.allowed=127.0.0.1,SERVER_IP
axis.servlet.https.required=false
atom.servlet.hosts.allowed=127.0.0.1,SERVER_IP
atom.servlet.https.required=false
webdav.servlet.hosts.allowed=
webdav.servlet.https.required=false
json.servlet.hosts.allowed=
json.servlet.https.required=false
jsonws.servlet.hosts.allowed=
jsonws.servlet.https.required=false
## An empty hosts.allowed list means any host may call that servlet.
## SERVER_IP is Liferay's placeholder for the portal's own address.
APPLICATION – LIFERAY #13
Disable core portlets, or just the functionality that you are never going to use!
Struts action hooks can be used to disable functionality.
Modify liferay-portlet-ext.xml with an Ext plugin:
liferay-portlet-ext.xml
<portlet>
<portlet-name>...</portlet-name>
<include>false</include>
</portlet>
APPLICATION – LIFERAY #14
Change the company encryption key size and algorithm
portal.properties ( default value )
company.encryption.key.size=56
company.encryption.algorithm=DES
## DES with a 56-bit key is obsolete; use AES with a 128-bit key.
## The company key is generated when the company is first created, so set this before the first start.
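The checklist on slides #2, #4, #5, #7, #8, #9, #10, #12 and #14 is just a set of property values, which makes it easy to audit mechanically. The script below is an added example by the editor, not code from the deck or from Liferay: it parses a portal-ext.properties file and reports every setting still at the slide default. Property names and default values are the ones quoted on the slides; the hardened values it expects (AES/128, a salted password algorithm, a non-empty host list plus HTTPS on every remote servlet, SSO filters off) are the editor's recommendations, and the two embedded property files, the address 10.0.0.5 and the secret are constructed samples, so confirm the values against the Liferay version you actually run and your integration hosts.

```python
"""Audit a Liferay 6.x portal-ext.properties against the hardening checklist.

Added example, not code from the slides or from Liferay.  Property names and
defaults are the ones the slides quote; the hardened targets are the editor's
recommendations and should be confirmed for the deployed Liferay version.
"""

REMOTE_SERVLETS = ("spring.remoting", "tunnel", "axis", "atom", "webdav", "json", "jsonws")
# Defaults quoted on slide #12; SERVER_IP is Liferay's own placeholder.
SLIDE_HOSTS_DEFAULT = {n: "127.0.0.1,SERVER_IP" for n in REMOTE_SERVLETS[:4]}
SLIDE_HOSTS_DEFAULT.update({n: "" for n in REMOTE_SERVLETS[4:]})
UNSALTED = {"NONE", "MD2", "MD5", "SHA", "SHA-256", "SHA-384"}
DEFAULT_SECRET = "BAHyWOT9TbPB"

# Constructed sample: an install still running with the slide defaults.
WEAK = """
default.admin.screen.name=test
default.admin.password=test
company.security.strangers=true
open.id.auth.enabled=true
passwords.encryption.algorithm=SHA
layout.show.portlet.access.denied=true
auth.token.shared.secret=BAHyWOT9TbPB
auth.token.check.enabled=true
tunnel.servlet.hosts.allowed=127.0.0.1,SERVER_IP
tunnel.servlet.https.required=false
jsonws.servlet.hosts.allowed=
jsonws.servlet.https.required=false
company.encryption.algorithm=DES
company.encryption.key.size=56
com.liferay.portal.servlet.filters.sso.ntlm.NtlmFilter=true
"""

# Constructed sample after hardening.  10.0.0.5 and the secret are made-up
# values: generate your own secret and list your real integration hosts.
HARDENED = """
default.admin.screen.name=portaladmin
default.admin.password=Change-Me-On-First-Login-9f3e
company.security.strangers=false
open.id.auth.enabled=false
passwords.encryption.algorithm=SSHA
layout.show.portlet.access.denied=false
auth.token.shared.secret=k7Qd2vX9pL4mN8rT1wZ6bH3jF5sY0aC2
auth.token.check.enabled=true
portlet.add.default.resource.check.enabled=true
company.encryption.algorithm=AES
company.encryption.key.size=128
com.liferay.portal.servlet.filters.sso.ntlm.NtlmFilter=false
""" + "".join("%s.servlet.hosts.allowed=127.0.0.1,10.0.0.5\n%s.servlet.https.required=true\n"
              % (n, n) for n in REMOTE_SERVLETS)


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value, '#'/'!' comments, '\\' continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit(text):
    """Return [(property, finding), ...]; an empty list means nothing left to fix."""
    p = parse_properties(text)
    out = []
    for key in ("default.admin.screen.name", "default.admin.password"):
        if p.get(key, "test") == "test":
            out.append((key, "default admin account still uses the shipped value"))
    if p.get("company.security.strangers", "true") == "true":
        out.append(("company.security.strangers", "anonymous self-registration is open"))
    if p.get("open.id.auth.enabled", "true") == "true":
        out.append(("open.id.auth.enabled", "OpenID login enabled; disable if unused"))
    if p.get("passwords.encryption.algorithm", "SHA") in UNSALTED:
        out.append(("passwords.encryption.algorithm", "unsalted digest; use SSHA or better"))
    if p.get("layout.show.portlet.access.denied", "true") == "true":
        out.append(("layout.show.portlet.access.denied", "portlets shown to users without permission"))
    secret = p.get("auth.token.shared.secret", DEFAULT_SECRET)
    if secret == DEFAULT_SECRET or len(secret) < 16:
        out.append(("auth.token.shared.secret", "shared secret is the public default or too short"))
    for key in ("auth.token.check.enabled", "portlet.add.default.resource.check.enabled"):
        if p.get(key, "true") != "true":
            out.append((key, "p_auth / p_p_auth check has been switched off"))
    for n in REMOTE_SERVLETS:
        if not p.get(n + ".servlet.hosts.allowed", SLIDE_HOSTS_DEFAULT[n]):
            out.append((n + ".servlet.hosts.allowed", "empty list: any host may call this servlet"))
        if p.get(n + ".servlet.https.required", "false") != "true":
            out.append((n + ".servlet.https.required", "remote API reachable over plain HTTP"))
    if (p.get("company.encryption.algorithm", "DES") == "DES"
            or int(p.get("company.encryption.key.size", "56")) < 128):
        out.append(("company.encryption.algorithm", "DES/56-bit company key; use AES/128"))
    for key, value in p.items():
        if key.startswith("com.liferay.portal.servlet.filters.sso.") and value == "true":
            out.append((key, "SSO auto-login filter enabled; confirm it is required"))
    return out


if __name__ == "__main__":
    for prop, finding in audit(WEAK):
        print("%s: %s" % (prop, finding))
    print("hardened findings:", audit(HARDENED))
```

Point `audit()` at the contents of a real portal-ext.properties to get the same report; a property that is absent is scored at its slide default, which is what the running portal uses. The webdav host list deserves a human look rather than a blind fix, since desktop WebDAV clients on user networks may legitimately need it.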
APPLICATION – LIFERAY #15
Security Manager - PACL!
portal.properties
#
# NOTE: This is the default setting
#
portal.security.manager.strategy=smart
liferay-plugin-package.properties
security-manager-enabled=true
# Declare this in each plugin so it runs under PACL with only the permissions it lists
APPLICATION – LIFERAY #16
Antisamy Plugin
APPLICATION – LIFERAY #17
Audit Plugin!
APPLICATION – LIFERAY #18
Log rotation!
PLUGIN DEVELOPMENT
OWASP Top 10
Use frameworks that help you avoid XSS.
Use the Liferay APIs to escape output wherever necessary: HtmlUtil.escape(..) etc.
Liferay tags: make sure that escapedModel="true" is set
Use the Liferay permission framework
ServiceBuilder: remember to write permission checks in the remote services
Support Security Manager / PACL!
RECOVERY!
Make a disaster recovery plan
Step-by-step instructions to rebuild a new system
How do you build the system up again from backups?
How long will this take?
Test the plan!
WHAT ELSE?
Liferay Portal is only one component of your Liferay installation.
Give some hardening thought also to:
HTTP server
Apache: https://www.google.fi/search?q=hardening+apache2
Application server
Tomcat: https://www.owasp.org/index.php/Securing_tomcat
Database
MySQL: https://www.google.fi/search?q=hardening+mysql
Other services
Thanks guys!
Questions!
 
Liferay Road Show Linnunmaa LEX
 Liferay Road Show Linnunmaa LEX Liferay Road Show Linnunmaa LEX
Liferay Road Show Linnunmaa LEX
 
Liferay Road Show Rolf van der Steen
Liferay Road Show Rolf van der SteenLiferay Road Show Rolf van der Steen
Liferay Road Show Rolf van der Steen
 

Dernier

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 

Dernier (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 

Liferay hardening principles

  • 1. Hardening Principles Copyright © 2000-2013 Liferay, Inc. All Rights Reserved. No material may be reproduced electronically or in print, duplicated, copied, sold, resold, or otherwise exploited for any commercial purpose without express written consent of Liferay, Inc.
  • 2.
  • 3. Time for DEMO! Let's d0 s0me hacking
  • 4. WHAT IS HARDENING? “Hardening refers to providing various means of protection in a computer system. Protection is provided in various layers and is often referred to as defense in depth. Protecting in layers means to protect at the host level, the application level, the operating system level, the user level, the physical level and all the sublevels in between. Each level requires a unique method of security.” - http://www.techopedia.com/definition/24833/hardening “In computing, hardening is usually the process of securing a system by reducing its surface of vulnerability. A system has a larger vulnerability surface the more that it does; in principle a single-function system is more secure than a multipurpose one. Reducing available vectors of attack typically includes the removal of unnecessary software, unnecessary usernames or logins and the disabling or removal of unnecessary services.” - http://en.wikipedia.org/wiki/Hardening_(computing)
  • 6. NETWORK Usually Liferay Portal's operating environment is spread out over multiple servers.
  • 7. NETWORK - HARDENING Think about which connections are needed. The Liferay server should be allowed to access only the servers it requires: database, Solr, disk share, web services, staging/live server. Liferay Portal should not have a direct Internet connection: incoming connections come through the HTTP server, and outgoing connections to the Internet go through a proxy. Image: wikipedia.org
  • 8. SERVER Liferay running on a server. Image: wikipedia.org
  • 9. SERVER - HARDENING Server administration (Unix, Linux): no root-level access, only sudo. Administrators should use their own personal user IDs to administer. Block unnecessary ports with a firewall. Disable unwanted services. All applications and services should run under their own operating-system user account. Use separate disk spaces for the system, application, data, logs and temp files. chroot the application server installation.
  • 11. APPLICATION – LIFERAY #1 Remove demo data (if it exists)!
  • 12. APPLICATION – LIFERAY #2 Disable and change the default administrative accounts: change the username / email / password. portal.properties (default value):
      default.admin.screen.name=test
      default.admin.password=test
      default.admin.email.address.prefix=test
  • 13. APPLICATION – LIFERAY #3 Keep your Liferay system patched!
  • 14. APPLICATION – LIFERAY #4 Disable account creation if registration is not required! portal.properties (default value):
      company.security.strangers=true
      # Also good to disable open.id auth
      open.id.auth.enabled=true
  • 15. APPLICATION – LIFERAY #5 Make sure that passwords are stored securely! portal.properties (default value):
      passwords.encryption.algorithm=SHA ## SHOULD BE SSHA or better
  • 16. APPLICATION – LIFERAY #6 Design a permission scheme for portal users! NEVER RUN PORTAL USERS WITH THE ADMINISTRATOR ROLE
  • 17. APPLICATION – LIFERAY #7 Do not show portlets if the user does not have permission! portal.properties (default value):
      layout.show.portlet.access.denied=true
  • 18. APPLICATION – LIFERAY #8 Change the authentication token / shared secret. portal.properties (default value):
      auth.token.shared.secret=BAHyWOT9TbPB
  • 19. APPLICATION – LIFERAY #9 Do not touch the p_auth and p_p_auth token settings! portal.properties (default value):
      auth.token.check.enabled=true
      portlet.add.default.resource.check.enabled=true
  • 20. APPLICATION – LIFERAY #10 Disable autologin functionality that is not required! portal.properties (default value):
      ## SET NOT REQUIRED FALSE
      com.liferay.portal.servlet.filters.autologin.AutoLoginFilter=true
      com.liferay.portal.servlet.filters.sso.cas.CASFilter=true
      com.liferay.portal.servlet.filters.sso.ntlm.NtlmFilter=true
      com.liferay.portal.servlet.filters.sso.ntlm.NtlmPostFilter=true
      com.liferay.portal.servlet.filters.sso.opensso.OpenSSOFilter=true
      com.liferay.portal.sharepoint.SharepointFilter=true
      ## REMOVE REQUIRED
      auto.login.hooks=com.liferay.portal.security.auth.CASAutoLogin...
      auto.login.ignore.hosts=
      auto.login.ignore.paths=
  • 21. APPLICATION – LIFERAY #11 HTTP / HTTPS ?
  • 22. APPLICATION – LIFERAY #12 Disable Liferay remote services that are not used! portal.properties (default value):
      spring.remoting.servlet.hosts.allowed=127.0.0.1,SERVER_IP
      spring.remoting.servlet.https.required=false
      tunnel.servlet.hosts.allowed=127.0.0.1,SERVER_IP
      tunnel.servlet.https.required=false
      axis.servlet.hosts.allowed=127.0.0.1,SERVER_IP
      axis.servlet.https.required=false
      atom.servlet.hosts.allowed=127.0.0.1,SERVER_IP
      atom.servlet.https.required=false
      webdav.servlet.hosts.allowed=
      webdav.servlet.https.required=false
      json.servlet.hosts.allowed=
      json.servlet.https.required=false
      jsonws.servlet.hosts.allowed=
      jsonws.servlet.https.required=false
  • 23. APPLICATION – LIFERAY #13 Disable core portlets, or just functionality that you are never going to use! StrutsActionHooks can be used to disable functionality. Modify liferay-portlet-ext.xml with an Ext plugin. liferay-portlet-ext.xml:
      <portlet>
        <portlet-name>...</portlet-name>
        <include>false</include>
      </portlet>
  • 24. APPLICATION – LIFERAY #14 Change the company encryption key size and algorithm. portal.properties (default value):
      company.encryption.key.size=56
      company.encryption.algorithm=DES
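To make slides 12 to 24 concrete, here is an added Python example (not part of the deck and not Liferay's own code) that parses a portal(-ext).properties file, reports which of the slides' stock values are still in effect, and prints the override lines that correct the serious ones. The property names and stock values are the ones on the slides; the constructed sample file, the com.example.ExampleAutoLogin hook, the BCRYPT/PBKDF2 scheme names and the AES/128 replacement for DES/56 are assumptions, not slide content.

```python
"""Audit a Liferay 6.x portal(-ext).properties against the hardening checks on
slides 12-24.  Added example, not Liferay's code: property names and their
out-of-the-box values are taken from the slides; the sample file is constructed."""
import re

# Constructed sample: an override file that still carries several stock values.
# com.example.ExampleAutoLogin is a hypothetical hook, used only to exercise the
# backslash continuation syntax of .properties files.
SAMPLE_PROPERTIES = """\
# constructed sample, not from a real deployment
default.admin.screen.name=test
default.admin.password=test
default.admin.email.address.prefix=test
company.security.strangers=true
passwords.encryption.algorithm=SHA
auth.token.shared.secret=BAHyWOT9TbPB
auth.token.check.enabled=true
auto.login.hooks=com.liferay.portal.security.auth.CASAutoLogin,\\
    com.example.ExampleAutoLogin
json.servlet.hosts.allowed=
jsonws.servlet.https.required=false
company.encryption.algorithm=DES
company.encryption.key.size=56
"""
# Stock values listed on the slides; an absent key means the stock value applies.
STOCK = {
    "default.admin.screen.name": "test", "default.admin.password": "test",
    "default.admin.email.address.prefix": "test", "company.security.strangers": "true",
    "open.id.auth.enabled": "true", "passwords.encryption.algorithm": "SHA",
    "layout.show.portlet.access.denied": "true", "auth.token.shared.secret": "BAHyWOT9TbPB",
    "auth.token.check.enabled": "true", "portlet.add.default.resource.check.enabled": "true",
    "company.encryption.algorithm": "DES", "company.encryption.key.size": "56",
}
SSO_FILTERS = (  # all default to true (slide 20)
    "com.liferay.portal.servlet.filters.autologin.AutoLoginFilter",
    "com.liferay.portal.servlet.filters.sso.cas.CASFilter",
    "com.liferay.portal.servlet.filters.sso.ntlm.NtlmFilter",
    "com.liferay.portal.servlet.filters.sso.ntlm.NtlmPostFilter",
    "com.liferay.portal.servlet.filters.sso.opensso.OpenSSOFilter",
    "com.liferay.portal.sharepoint.SharepointFilter",
)
# Remote servlets and their stock hosts.allowed (slide 22); https.required defaults to false.
REMOTE_SERVLETS = {s: "127.0.0.1,SERVER_IP" for s in ("spring.remoting", "tunnel", "axis", "atom")}
REMOTE_SERVLETS.update({s: "" for s in ("webdav", "json", "jsonws")})
# Salted schemes: SSHA is what slide 15 asks for; BCRYPT and PBKDF2 are later
# Liferay options (assumed names, not from the slides).
SALTED_PREFIXES = ("SSHA", "BCRYPT", "PBKDF2")


def parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value, '#'/'!' comments,
    backslash line continuation.  Enough for portal.properties."""
    props, logical = {}, []
    for raw in text.splitlines():
        line = raw.lstrip()
        if not logical and (not line or line[0] in "#!"):
            continue                       # blank or comment outside a continuation
        logical.append(line)
        if line.endswith("\\"):
            logical[-1] = line[:-1]        # value continues on the next line
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", "".join(logical))
        logical = []
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(props):
    """Return (severity, key, effective_value, advice) tuples.
    'high' = a stock value the slides say to change; 'review' = decide per site."""
    out = []
    eff = lambda k: props.get(k, STOCK.get(k, ""))          # value in effect, stock if absent
    add = lambda sev, k, v, why: out.append((sev, k, v, why))
    for k in ("default.admin.screen.name", "default.admin.password", "default.admin.email.address.prefix"):
        if eff(k) == "test":
            add("high", k, eff(k), "stock admin account; set site-specific values (slide 12)")
    if eff("company.security.strangers") == "true":
        add("high", "company.security.strangers", "true", "self-registration open; set false unless needed (slide 14)")
    if eff("open.id.auth.enabled") == "true":
        add("review", "open.id.auth.enabled", "true", "OpenID login on; disable if unused (slide 14)")
    alg = eff("passwords.encryption.algorithm")
    if not alg.upper().startswith(SALTED_PREFIXES):
        add("high", "passwords.encryption.algorithm", alg, "unsalted hash; use SSHA or better (slide 15)")
    if eff("layout.show.portlet.access.denied") == "true":
        add("high", "layout.show.portlet.access.denied", "true", "portlets shown without permission; set false (slide 17)")
    if eff("auth.token.shared.secret") == STOCK["auth.token.shared.secret"]:
        add("high", "auth.token.shared.secret", "<stock>", "stock shared secret; generate a new one (slide 18)")
    for k in ("auth.token.check.enabled", "portlet.add.default.resource.check.enabled"):
        if eff(k) != "true":
            add("high", k, eff(k), "token check disabled; must stay true (slide 19)")
    for k in SSO_FILTERS:
        if props.get(k, "true") == "true":
            add("review", k, "true", "auto-login filter active; set false if this SSO is unused (slide 20)")
    if props.get("auto.login.hooks"):   # stock list is truncated on the slide, so only explicit values are checked
        add("review", "auto.login.hooks", props["auto.login.hooks"], "remove hooks that are not required (slide 20)")
    for s, stock_hosts in REMOTE_SERVLETS.items():
        hosts = props.get(f"{s}.servlet.hosts.allowed", stock_hosts)
        https = props.get(f"{s}.servlet.https.required", "false")
        if hosts == "" or https != "true":
            add("review", f"{s}.servlet", f"hosts.allowed={hosts!r} https.required={https}",
                "restrict hosts, require HTTPS, or disable if unused (slide 22)")
    if eff("company.encryption.algorithm").upper() == "DES" or int(eff("company.encryption.key.size") or 0) < 128:
        add("high", "company.encryption.algorithm", f"{eff('company.encryption.algorithm')}/{eff('company.encryption.key.size')}",
            "weak company key; use a modern algorithm with a >=128-bit key (slide 24)")
    return out


def suggested_overrides(findings):
    """portal-ext.properties lines that correct the 'high' findings.  Account values
    and secrets are left as CHANGE_ME placeholders for the operator to fill in;
    AES/128 for the company key is an assumed choice, not one given on the slides."""
    fixes = {"company.security.strangers": "false", "passwords.encryption.algorithm": "SSHA",
             "layout.show.portlet.access.denied": "false", "auth.token.check.enabled": "true",
             "portlet.add.default.resource.check.enabled": "true"}
    lines = []
    for sev, key, _, _ in findings:
        if sev != "high":
            continue
        if key == "company.encryption.algorithm":
            lines += ["company.encryption.algorithm=AES", "company.encryption.key.size=128"]
        else:
            lines.append(f"{key}={fixes.get(key, 'CHANGE_ME')}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit(parse_properties(SAMPLE_PROPERTIES))
    for sev, key, value, why in found:
        print(f"[{sev:6}] {key}: {value}  -> {why}")
    print("\n# suggested portal-ext.properties overrides\n" + suggested_overrides(found))
```

Run it as a script to see the constructed sample audited, or call `audit(parse_properties(open(path).read()))` on a real portal-ext.properties. The audit deliberately evaluates the value in effect rather than only keys present in the file: a key that is missing from portal-ext.properties still has the stock value from portal.properties, which is exactly the case the slides warn about.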
  • 25. APPLICATION – LIFERAY #15 Security Manager - PACL! portal.properties:
      #
      # NOTE: This is default setting
      #
      portal.security.manager.strategy=smart
    liferay-plugin-package.properties:
      security-manager-enabled=true # The make work easier
  • 26. APPLICATION – LIFERAY #16 Antisamy Plugin
  • 27. APPLICATION – LIFERAY #17 Audit Plugin!
  • 28. APPLICATION – LIFERAY #18 Log rotation!
  • 29. PLUGIN DEVELOPMENT OWASP Top 10. Use frameworks that help you to avoid XSS. Use the Liferay APIs to escape wherever necessary: HtmlUtil.escape(..) etc. In Liferay tags, make sure that escapeModel=true. Use the Liferay permission framework. ServiceBuilder: remember to write permission checks in the remote services. Support the Security Manager / PACL!
  • 30. RECOVERING! Make a disaster recovery plan: step-by-step instructions to rebuild a new system. How do you build the system up again from backups? How long will this take? Test the plan!
  • 31. WHAT ELSE? Liferay Portal is only one component of your Liferay installation. Give a hardening thought also to: HTTP server, Apache: https://www.google.fi/search?q=hardening+apache2 Application server, Tomcat: https://www.owasp.org/index.php/Securing_tomcat Database, MySQL: https://www.google.fi/search?q=hardening+mysql Other services