Alan Hoey - Security for product developers

published Oct 11, 2012

Talk during the Plone Conference 2012.

Alan Hoey talks about security for product developers during the Plone conference 2012.

I'm Alan Hoey. I work for the Code Distillery. I am on the Plone Security team. I will talk about security in your add-on. The Plone core is reasonably secure, with a good track record. Add-ons are usually not audited though. A vast majority of developers probably try to the right thing, but some things may slip through the tracks. This talk is about what happens when you do not pay attention. If you have not thought about it, you may be vulnerable.

What are common vulnerabilities? It can be simple things like ratings on products or pages that get wrong, like getting an average score of 999 out of 5. There can be denial of service attacks. Cross Site Scripting and Cross Site Request Forgery (CSRF). Boxes can be taken over if you don't pay attention.

Why should you care? You don't want those calls from a customer whose server is hacked.

Object publishing in Zope. Zope will publish anything as long as it does not start with an underscore. So use security declarations. If some method is not meant to be published, you can decide not to add a doc string, which will work until someone innocently decides to add a doc string anyway.

Try to look at your code with the mind of an attacker.

Traversal. Look out with importing os as an attacker may be able to traverse to it. Do not use unrestrictedTraverse unless you know what you are doing.

All classes should use ClassSecurityInfo: declarePrivate, declarePublic, declareProtected. There is also ClassSecurityInformation, which is by default closed, but does not work. We should fix it. Monkey patches need security declarations, just like everything else does.

ZMI properties are readable when you can view the object. So not a good place to put API keys. The registry is a nice place: you cannot read it from the web.

The security on BrowserView is very good. If you override the __init__ method and set the context and request, or anything else, you have thrown that security away.

Use plone.protect on all forms that need CSRF protection. Also the postonly attribute.

Acquisition is scary from a security view point. Be aware that a script can be called on any context. It is better to use container instead of context.

Do not give Restricted Python access to untrusted users.

Do not use allow_module. Use ModuleSecurityInfo instead.

Zope Page Templates. Do not use structure if you do not need it.

Deployment. Please do not miss hotfixes. Do not think that you can hide acl_users in Apache and think you are safe.