This is the start of a new year so I decided to kick it off with an interview in the JoeJoomla Sound Off Blog. Throughout the year I will be interviewing some Joomla! personalities. We'll discover some of the who's who in the Joomla! world and gain some insight from their point of view. Where to start? How about web security?
Who better to talk about website security than Jason Kendall? Jason is known in the Joomla! forums as coolacid. I've met him at official Joomla! events over the past couple of years. Jason's an expert in Joomla! and website security issues. Here's the interview...
Not really - You can only mitigate as much as possible - At any given point, you may be safe, for that slice of time, until the next vulnerability that may affect you comes along. Even a completely static HTML website relies on some sort of web server, which relies on an operating system, which relies on a kernel, etc. You can even go as far back as they rely on an ISP and routers. The only way to have a 100% safe site is to cut the cables.
Is open source in general a good way to go for a website or are proprietary code sites safer?
There are good things to both sides. Open source may have a number of eyes on it; the more popular it is, the more likely things are to get noticed, both by the good guys and the bad guys. Proprietary software usually has coding standards the coders must accept, and larger ones have unit tests and dynamic/static code scanners run against them. The best thing is to look at popularity, and how they handle exploit notifications. Secondly, are they part of any organization that assists with vulnerability notifications, i.e. First.org, oCERT, etc.
What are the biggest mistakes that Joomla! developers make that cause their sites to be vulnerable to hackers?
Installing more than they need and not doing checks on their hosting providers. Only install what you need on your site, and keep track of it. Go back to those developers and make sure that there aren't any updates. It is your responsibility to ensure you're up to date and have no known vulnerabilities. You also need to check on your host. Are clients always hacked? Has their server ever been hacked? Choose a reputable source for your dealings. Remember, if it's too good to be true, it probably is.
What are some of the best things that a Joomla! site developer can do to foil attacks to their website?
Don't set it and forget it. Keep up to date on everything about your site, not just J! or the extensions, but also look at anything else you use.
When were you the most active in the Joomla! project?
I started when 1.5 was just getting off the ground. Did a lot of work around the Authentication and Date systems. I also represented J! at local open source events in Toronto, Ontario, and at some open source conferences in the US.
How are you involved now?
Currently an active member in the Security Team - I mostly verify vulnerabilities and make recommendations on how things should be handled. I am also a contact for the oCERT team, an open source response team.
What is your main business activity nowadays?
I have a full time job, as well as my own work supporting friends and family. At some point in the future more consulting work would be nice.
What is your typical day like?
Busy. First thing, my wife hands me my first coffee of the day, then it's off to my full time job - there I handle Computer Incident Response issues and vulnerability management. I duck out once in a while to check on the JSST team and my personal emails. After the drive home, it's a few more hours at the computer either working on projects or working on requests; if I get downtime, it's spending time with the family and/or playing World of Warcraft.
What is your proudest accomplishment?
My Family. No Really, It is.
What is your biggest passion outside of Joomla?
Information Security, I live, breathe and eat the stuff. I can see me doing more and more of this (if I don't do enough already). Like I said, someday consulting about security and open source will be my passion.
What frustrates you the most about Joomla?
It's the best thing and the worst thing, 3rd party developers. :) They are awesome at seeing things that need to be done and have great creativity - but some of them don't really have a coding background. That's the biggest problem with a lot of the vulnerabilities I see in 3rd party extensions - simple things that most people wouldn't even look for. Some of that is Joomla!'s fault, maybe, in the fact we need better coaching on secure development. But developers shouldn't look to simple how-to sites for programming either; read the APIs, we've spent a lot of time making things easy, and a quick read through secure coding practices would be a helping hand too.