WordPress Security at OWASP Day NZ 2015

OWASP (the Open Web Application Security Project) is a volunteer-run, non-corporate global organization devoted to making the web a safer place. It provides resources to help developers and businesses secure their assets. Its many notable projects include the OWASP Top Ten: the canonical list of the ten most likely types of threat to web applications.

The New Zealand chapter organized another fantastic, amusing and enthralling OWASP Day, an event aimed mostly at developers, but also of interest to anyone responsible for managing (and securing) infrastructure.

If that sounds a little dry, you should have seen the metal-as t-shirts worn by the Insomnia crew.

Observations and Thoughts

Pedro Worcel’s presentation ‘CMS Hell’ made an interesting contrast with Nick von Dadelszen’s presentation.

Pedro discussed his own testing of the NZ internet for CMS vulnerabilities. Pedro introduced droopscan, a vulnerability scanner for CMSs. It looks like a really useful tool, and I’ll definitely be experimenting with it.

Nick’s talk involved discussion of Section 252 of the Crimes Act, which describes penalties for “accessing computer systems without authorisation”. Nick focused on “passive” scanning for vulnerabilities, that is, on techniques that can’t be described as possible violations of Section 252.

One of my takeaways from these two presentations is that a lot of security research that I and others would consider ethically legitimate could be interpreted as a violation of the Crimes Act, even if the resulting research is capable of making the web safer.

The content of Nick’s talk can be obtained here. (warning: pdf)

Defending WordPress

Adam Bell from Lateral Security presented a case study that provided a cautionary tale about a failure of Defense In Depth. A notorious and very young system cracker had successfully attacked a site managed by the presenter. Adam introduced the log analyser Splunk and described his forensic strategy.

My takeaway was that the weakest link renders the entire chain useless, something anyone who works around security already knows. But this can be sobering when we consider the possible effect on a business. When customers pay for “security”, they tend not to understand that “security” is a thing that can’t be bought; it can only be defended. And the old maxim holds true: any attacker with sufficient time and skill will always win.

WordPress itself takes security very seriously. WordPress.org has maintained a document for developers and admins on Hardening WordPress for many years. This week they released the WordPress Security White Paper, which I read as an overview of the security environment of the WordPress world. It applies the OWASP Top Ten to the WordPress world and is required reading for anyone serious about defending WordPress (or, for that matter, attacking it).