CMS and Other Giants: The Nightmare of AppSec

Irene Abezgauz, Product Manager, Seeker Security

© 2005-2011. All Rights Reserved to Seeker Security Ltd.


Seeker Security

• Formerly Hacktics® (Acquired by EY)

• New Generation of Application Security Testing (IAST)

• Recognized as Top 10 Most Innovative Companies at RSA® 2010.

• Recognized as “Cool Vendor” by Gartner


Introduction

• Application Security is Important!

• CMS – Mix of 3rd Party and Customizations

• Heavy on Code and Content

• Hard to Secure Properly

• Difficult to Test for Application Security


Agenda

• Size Matters… If you need to Secure it!

• Somebody Else Did It! 3rd Party Platforms

• My CMS has Wings! So does Everybody Else’s…

• Help!!! What can You do??


Size Matters…If you need to secure it!


Size Matters

• Large number of pages (thousands, and often many more…)

• Most are static content pages (dynamically generated HTML); some aren’t…

• Dynamic and static content are mixed together

Size Matters

http://www.vodafone.com/content/index/about/about_us/money_transfer.html?q=vodafone&start=10&perpage=10&area=all

http://www.vodafone.com/content/index/about/about_us/money_transfer.html?q=related%3A%2Fcontent%2Findex%2Fabout%2Fabout_us%2Fmoney_transfer%2Fnews%2Fsafaricom_in_anotherfirstasm-pesaenterssupermarkets


Size Matters

• Often many parameters for each page

• Some are needed for this specific page

• Some are passed out of habit and never actually used

• For example – SharePoint Collaboration Document Center – adding a new announcement


Size Matters

• MSO_PageHashCode=11-

1773449651&MSOWebPartPage_PostbackSource=&MSOTlPn_SelectedWpId=&MSOTlPn_View=0&MSOTlPn_ShowSet

tings=False&MSOGallery_SelectedLibrary=&MSOGallery_FilterString=&MSOTlPn_Button=none&__EVENTTA

RGET=ctl00%24m%24g_0521eb40_6e59_4eeb_8f78_c20b66c8dcea%24ctl00%24ctl02%24ctl00%24toolBarTbl

%24RightRptControls

%24ctl00%24ctl00%24diidIOSaveItem&__EVENTARGUMENT=&__REQUESTDIGEST=0x757C078B42F882EFF34A13131

2AC47E01F6F3BECDB0A95043DCC31D76ACA1B0003D9777998AC8C2F0EF95689400DD7A956720CD542AED1B289A3642

6C21C1351%2C13+Sep+2011+15%3A47%3A26+-0000&_ListSchemaVersion_%7Bccae3ae4-3660-4556-89cb-

aab1d923455d

%7D=1&MSOSPWebPartManager_DisplayModeName=Browse&MSOWebPartPage_Shared=&MSOLayout_LayoutChange

s=&MSOLayout_InDesignMode=&MSOSPWebPartManager_OldDisplayModeName=Browse&MSOSPWebPartManager_S

tartWebPartEditingName=false&__LASTFOCUS=&__VIEWSTATE=&__EVENTVALIDATION=

%2FwEWDQLT6%2FHJCAKpn5bCCwKN%2F6CDBgL5zYOUAgLqo

%2FWeCQLNrvW5AwLZqOGaAgL76ozMDAKL0KiqAgKz7beUCgLsgqilCQLMsJnGAwKx%2Ffn2Cf6RZ0n2OxRqN

%2FFdf3g9LSzbuHEp&ctl00%24PlaceHolderSearchArea%24ctl01%24ctl00=http%3A%2F%2Fwin-ids6pjtg3yc

%2FDocs&ctl00%24PlaceHolderSearchArea%24ctl01%24SBScopesDDL=&InputKeywords=&ctl00%24m

%24g_0521eb40_6e59_4eeb_8f78_c20b66c8dcea

%24ctl00%24ctl02%24ctl00%24ctl01%24ctl00%24ctl00%24ctl00%24ctl00%24ctl00%24ctl04%24ctl00%24ctl

00%24onetidIOFile=a&ctl00%24m%24g_0521eb40_6e59_4eeb_8f78_c20b66c8dcea

%24ctl00%24ctl02%24ctl00%24ctl01%24ctl00%24ctl00%24ctl01%24ctl00%24ctl00%24ctl04%24ctl00%24ctl

00%24TextField=&ctl00%24m%24g_0521eb40_6e59_4eeb_8f78_c20b66c8dcea

%24ctl00%24ctl02%24ctl00%24ctl05%24ctl00%24owshiddenversion=2&__spDummyText1=&__spDummyText2=

That’s over 25 parameters!


Size Matters

• MSO_PageHashCode=11-

1773449651&MSOWebPartPage_PostbackSource=&MSOTlPn_SelectedWpId=&MSOTlPn_View=0&MSOTlPn_ShowSettings=False&MSOGallery_SelectedLibrary=&MSOGallery_FilterString=&MSOTlPn_Button=none&__EVENTTARGET=ctl00%24m

%24g_3c33714d_6e52_450f_b792_1c56719d1f70%24ctl00%24toolBarTbltop%24RightRptControls

%24ctl01%24ctl00%24diidIOSaveItem&__EVENTARGUMENT=&__REQUESTDIGEST=0x07A4F374C689F1DD4E6BE6D8A27EA8B027C8AB38D6DAB67211AC1D7DE7E57911FC117CC2E16AC8258C32FFC9A5EEC1656C57D26BB829725A54358A18FF97F96B

%2C13+Sep+2011+15%3A44%3A05+-0000&_ListSchemaVersion_%7Ba3701259-1bf8-4cf3-b120-d584603d38ea

%7D=0&MSOSPWebPartManager_DisplayModeName=Browse&MSOWebPartPage_Shared=&MSOLayout_LayoutChanges=&MSOLayout_InDesignMode=&MSOSPWebPartManager_OldDisplayModeName=Browse&MSOSPWebPartManager_StartWebPar

tEditingName=false&__LASTFOCUS=&__VIEWSTATE=

%2FwEPDwUJNjgxOTI1NzMxD2QWAmYPZBYCZg9kFgICAw9kFgoCAQ9kFgIFJmdfM2MzMzcxNGRfNmU1Ml80NTBmX2I3OTJfMWM1NjcxOWQxZjcwD2QWAmYPZBYQAgMPZBYCAgEPZBYGAgEPFgIeB1Zpc2libGVoZAIDD2QWAmYPZBYCAgMPDxYEHg1PbkNsa

WVudENsaWNrBSFpZiAoIVByZVNhdmVJdGVtKCkpIHJldHVybiBmYWxzZTseCFRhYkluZGV4AQAAZGQCBQ9kFgJmD2QWAgIDDw8WBh4JQWNjZXNzS2V5BQFDHgRUZXh0BQZDYW5jZWwfAQVYU1RTTmF2aWdhdGUoJ1x1MDAyZkRvY3NcdTAwMmZMaXN0c1

x1MDAyZkFubm91bmNlbWVudHNcdTAwMmZBbGxJdGVtcy5hc3B4Jyk7cmV0dXJuIGZhbHNlO2RkAgUPZBYCZg9kFgICAw9kFgJmD2QWCAIBDw8WDh8EBQtBdHRhY2ggRmlsZR4ISW1hZ2VVcmwFHS9fbGF5b3V0cy9pbWFnZXMvYXR0YWNodGIuZ2lmHwMFA

UkeC05hdmlnYXRlVXJsBR1qYXZhc2NyaXB0OlVwbG9hZEF0dGFjaG1lbnQoKR8BBR5qYXZhc2NyaXB0OlVwbG9hZEF0dGFjaG1lbnQoKTseEVBlcm1pc3Npb25Db250ZXh0CymKAU1pY3Jvc29mdC5TaGFyZVBvaW50LlV0aWxpdGllcy5QZXJtaXNzaW9uQ29udGV4d

CwgTWljcm9zb2Z0LlNoYXJlUG9pbnQsIFZlcnNpb249MTIuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49NzFlOWJjZTExMWU5NDI5YwIeC1Blcm1pc3Npb25zKCmAAU1pY3Jvc29mdC5TaGFyZVBvaW50LlNQQmFzZVBlcm1pc3Npb25zLCB

NaWNyb3NvZnQuU2hhcmVQb2ludCwgVmVyc2lvbj0xMi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj03MWU5YmNlMTExZTk0MjljDUVkaXRMaXN0SXRlbXNkZAIDDw8WAh8AaGRkAgUPDxYMHwQFC0RlbGV0ZSBJdGVtHwUFHC9fbGF

5b3V0cy9pbWFnZXMvZGVsaXRlbS5naWYfAwUBWB8HCysEAh8IKCsFD0RlbGV0ZUxpc3RJdGVtcx8BBSByZXR1cm4gRGVsZXRlSXRlbUNvbmZpcm1hdGlvbigpO2RkAgcPDxYCHgxDUkJ1dHRvbk1vZGULKZ4BTWljcm9zb2Z0LlNoYXJlUG9pbnQuV2ViQ29udHJvbH

MuQ2xhaW1SZWxlYXNlVGFza0J1dHRvbitDUkJ1dHRvbk1vZGUsIE1pY3Jvc29mdC5TaGFyZVBvaW50LCBWZXJzaW9uPTEyLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTcxZTliY2UxMTFlOTQyOWMCZGQCCQ9kFgJmD2QWAgIBD2QWAm

YPZBYCAgkPFgIeE1ByZXZpb3VzQ29udHJvbE1vZGULKYgBTWljcm9zb2Z0LlNoYXJlUG9pbnQuV2ViQ29udHJvbHMuU1BDb250cm9sTW9kZSwgTWljcm9zb2Z0LlNoYXJlUG9pbnQsIFZlcnNpb249MTIuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9

rZW49NzFlOWJjZTExMWU5NDI5YwIWAmYPFgIfCgsrBwJkAgsPZBYGZg9kFgICAQ9kFgJmD2QWAgIJDxYCHwoLKwcCFgJmDxYCHwoLKwcCFgJmD2QWAgIBDw8WCh4JTWF4TGVuZ3RoAv8BHwIBAAAeCENzc0NsYXNzBQdtcy1sb25nHgdUb29sVGlwBQVUaXRsZR

4EXyFTQgICZGQCAQ9kFgICAQ9kFgJmD2QWAgIJDxYCHwoLKwcCFgJmDxYCHwoLKwcCFgJmD2QWAgIBD2QWAgIBDw8WCh8CAQAAHwwFB21zLWxvbmcfDQUEQm9keR4EUm93cwIPHw4CAhYCHgNkaXIFBG5vbmVkAgIPZBYCAgEPZBYCZg9kFgICCQ8WAh8KC

ysHAhYCZg8WAh8KCysHAhYCZg9kFgICAQ9kFghmDw8WBh8NBQdFeHBpcmVzHwQFCTkvMTQvMjAxMR4MQXV0b1Bvc3RCYWNraBYCHxEFATBkAgEPEA8WAh4LXyFEYXRhQm91bmRnZBAVGAUxMiBBTQQxIEFNBDIgQU0EMyBBTQQ0IEFNBDUgQU0ENiBBTQ

Q3IEFNBDggQU0EOSBBTQUxMCBBTQUxMSBBTQUxMiBQTQQxIFBNBDIgUE0EMyBQTQQ0IFBNBDUgUE0ENiBQTQQ3IFBNBDggUE0EOSBQTQUxMCBQTQUxMSBQTRUYBTEyIEFNBDEgQU0EMiBBTQQzIEFNBDQgQU0ENSBBTQQ2IEFNBDcgQU0EOCBBTQQ5IE

FNBTEwIEFNBTExIEFNBTEyIFBNBDEgUE0EMiBQTQQzIFBNBDQgUE0ENSBQTQQ2IFBNBDcgUE0EOCBQTQQ5IFBNBTEwIFBNBTExIFBNFCsDGGdnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZxYBZmQCAg8QDxYCHxJnZBAVDAIwMAIwNQIxMAIxNQIyMAIyNQIzMAIzN

QI0MAI0NQI1MAI1NRUMAjAwAjA1AjEwAjE1AjIwAjI1AjMwAjM1AjQwAjQ1AjUwAjU1FCsDDGdnZ2dnZ2dnZ2dnZxYBZmQCAw8PFgIeEkVuYWJsZUNsaWVudFNjcmlwdGhkZAIND2QWAmYPZBYEAgMPFgIfCgsrBwEWAmYPFgIfCgsrBwFkAgUPFgIfCgsrBwEWA

mYPFgIfCgsrBwFkAg8PZBYCZg9kFgICAw8WAh8KCysHAhYCZg9kFgICAQ8WAh8EBf4DPFRSIGlkPXtBRkVGNEU4OC1ENjU4LTQ3QUEtQjVBQi05ODlBMDUyNUQzRDN9PjxURCBjbGFzcz0ibXMtdmIiPjxzcGFuIGRpcj0ibHRyIj48YSB0YWJpbmRleD0xIG9uY2xpY2s9Ik

Rpc3BEb2NJdGVtRXgodGhpcywgJ0ZBTFNFJywgJ0ZBTFNFJywgJ0ZBTFNFJywgJ1NoYXJlUG9pbnQuT3BlbkRvY3VtZW50cy4zJykiIGhyZWY9Imh0dHA6Ly93aW4taWRzNnBqdGczeWMvRG9jcy9MaXN0cy9Bbm5vdW5jZW1lbnRzL0F0dGFjaG1lbnRzLzM5L2EudHh0

Ij5hLnR4dDwvYT48L3NwYW4%2BJm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7PC9URD48VEQgY2xhc3M9Im1zLXByb3BlcnR5c2hlZXQiPjxJTUcgYWx0PSdEZWxldGUnIFNSQz0iL19sYXlvdXRzL2ltYWdlcy9yZWN0LmdpZiI

%2BJm5ic3A7PGEgdGFiaW5kZXg9MSBocmVmPSJqYXZhc2NyaXB0OlJlbW92ZUF0dGFjaG1lbnRGcm9tU2VydmVyKCd7QUZFRjRFODgtRDY1OC00N0FBLUI1QUItOTg5QTA1MjVEM0QzfScsMSkiPkRlbGV0ZTwvYT48L1REPjwvVFI

%2BZAITDxYCHwoLKwcCZAIXD2QWBGYPZBYCAgEPZBYCZg9kFgQCAQ9kFgQCAQ8WAh8KCysHARYCZg8WAh8KCysHAWQCAw8WAh8KCysHARYCZg8WAh8KCysHAWQCAw9kFgQCAQ8WAh8KCysHARYCZg8WAh8KCysHAWQCAw8WAh8KCysHARYCZg8WAh8K

CysHAWQCAQ9kFgQCAQ9kFgJmD2QWAgIDDw8WBB8BBSFpZiAoIVByZVNhdmVJdGVtKCkpIHJldHVybiBmYWxzZTsfAgEAAGRkAgMPZBYCZg9kFgICAw8PFgYfAwUBQx8EBQZDYW5jZWwfAQVYU1RTTmF2aWdhdGUoJ1x1MDAyZkRvY3NcdTAwMmZMaXN0c1x

1MDAyZkFubm91bmNlbWVudHNcdTAwMmZBbGxJdGVtcy5hc3B4Jyk7cmV0dXJuIGZhbHNlO2RkAgMPZBYEAg0PZBYCZg9kFgYCAQ8WAh8EBSY8c3BhbiBzdHlsZT0ncGFkZGluZy1sZWZ0OjNweCc

%2BPC9zcGFuPmQCAw8PFgQfBAUHTXkgU2l0ZR8GBTVodHRwOi8vd2luLWlkczZwanRnM3ljOjgwL015U2l0ZS9fbGF5b3V0cy9NeVNpdGUuYXNweGRkAgUPFgIfBAU5PHNwYW4gc3R5bGU9J3BhZGRpbmctbGVmdDo0cHg7cGFkZGluZy1yaWdodDozcHgnPnw8L

3NwYW4%2BZAIPD2QWAmYPZBYCAgMPFgIfBAUBfGQCCQ9kFgICAQ9kFgJmD2QWAgIBDw9kFgIeBWNsYXNzBRhtcy1zYnRhYmxlIG1zLXNidGFibGUtZXhkAgsPZBYCAgMPZBYCZg9kFgQCAg9kFgICAw8WAh8AaGQCAw8PFgIfAwUBL2RkAi8PZBYCAgQPZBYCAgE

PZBYCZg8PFgIfAGhkZBgBBUVjdGwwMCRQbGFjZUhvbGRlclRvcE5hdkJhciRQbGFjZUhvbGRlckhvcml6b250YWxOYXYkVG9wTmF2aWdhdGlvbk1lbnUPD2QFFEhvbWVcRG9jdW1lbnQgQ2VudGVyZGmgC8w1IPklANTRTq6iDjFHnwy4&__EVENTVALIDATION=

%2FwEWDwLyy5zyDAKpn5bCCwKN%2F6CDBgL5zYOUAgLqo%2FWeCQLNrvW5AwLZuKB7ArusudMFAsze0tYPAsTg25UCAr%2B9mtoLAua14b0IAovagYEIAsOR0e0DAtDfiqYLc2%2BesVFsr0Dn92NbpXGZ53H0Zq0%3D&ctl00%24PlaceHolderSearchArea

%24ctl01%24ctl00=http%3A%2F%2Fwin-ids6pjtg3yc%2FDocs&ctl00%24PlaceHolderSearchArea%24ctl01%24SBScopesDDL=&InputKeywords=&ctl00%24m

%24g_3c33714d_6e52_450f_b792_1c56719d1f70%24ctl00%24ctl04%24ctl00%24ctl00%24ctl00%24ctl04%24ctl00%24ctl00%24TextField=asdfasdf&ctl00%24m

%24g_3c33714d_6e52_450f_b792_1c56719d1f70%24ctl00%24ctl04%24ctl01%24ctl00%24ctl00%24ctl04%24ctl00%24ctl00%24TextField=%3Cdiv%3E%3C%2Fdiv%3E&ctl00%24m

%24g_3c33714d_6e52_450f_b792_1c56719d1f70%24ctl00%24ctl04%24ctl01%24ctl00%24ctl00%24ctl04%24ctl00%24ctl00%24TextField_spSave=%3CDIV+class%3DExternalClass10DBD7507AA14EB0A345DB965125EACA%3E%0D%0A%3CDIV%3Easdfasdf

%3C%2FDIV%3E%3C%2FDIV%3E&ctl00%24m%24g_3c33714d_6e52_450f_b792_1c56719d1f70%24ctl00%24ctl04%24ctl02%24ctl00%24ctl00%24ctl04%24ctl00%24ctl00%24DateTimeField%24DateTimeFieldDate=9%2F14%2F2011&ctl00%24m

%24g_3c33714d_6e52_450f_b792_1c56719d1f70%24ctl00%24ctl07%24ctl00%24owshiddenversion=1&attachmentsToBeRemovedFromServer=&RectGifUrl=%2F_layouts%2Fimages%2Frect.gif&fileupload0=&__spDummyText1=&__spDummyText2=

That’s just a lot!
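Before a tester can spend time on any of those parameters, they need to know which ones carry user input and which are page plumbing. The Python script below is an added example, not code from the deck or from SharePoint: it parses a constructed, abbreviated request body modelled on the parameter names shown above (the values are dummies) and sorts the parameters into ASP.NET framework state, SharePoint web-part plumbing and application fields. The prefix lists are an assumption drawn from the names visible in the captured request.

```python
"""Triage the parameters of a captured SharePoint/ASP.NET postback so that
testing effort goes to the fields that actually carry user input first."""
from urllib.parse import parse_qsl

# Constructed, abbreviated body modelled on the "new announcement" request in the
# deck; the real one is far longer and the values here are dummies (assumption).
SAMPLE_BODY = (
    "MSO_PageHashCode=11-1773449651&MSOWebPartPage_PostbackSource=&MSOTlPn_View=0"
    "&__EVENTTARGET=ctl00%24m%24g_3c33714d%24ctl00%24toolBarTbltop%24diidIOSaveItem"
    "&__EVENTARGUMENT=&__REQUESTDIGEST=0x07A4F374%2C13+Sep+2011+15%3A44%3A05+-0000"
    "&__VIEWSTATE=%2FwEPDwUJ&__EVENTVALIDATION=%2FwEWDwLy&__LASTFOCUS=&InputKeywords="
    "&ctl00%24m%24g_3c33714d%24ctl00%24ctl04%24ctl00%24TextField=asdfasdf"
    "&ctl00%24m%24g_3c33714d%24ctl00%24ctl04%24ctl01%24TextField=%3Cdiv%3E%3C%2Fdiv%3E"
    "&ctl00%24m%24g_3c33714d%24ctl00%24ctl04%24ctl02%24DateTimeField%24DateTimeFieldDate=9%2F14%2F2011"
    "&ctl00%24m%24g_3c33714d%24ctl00%24ctl07%24ctl00%24owshiddenversion=1"
    "&attachmentsToBeRemovedFromServer=&fileupload0=&__spDummyText1=&__spDummyText2="
)

# WebForms page state and postback plumbing: generated by the framework, never typed by a user.
ASPNET_PREFIXES = ("__",)
# SharePoint web-part-manager and list-form plumbing (names taken from the captured request).
SHAREPOINT_PREFIXES = ("MSO", "_ListSchemaVersion_", "owshiddenversion",
                       "attachmentsToBeRemovedFromServer", "RectGifUrl")


def leaf(name: str) -> str:
    """Last segment of an ASP.NET control ID: ctl00$m$g_..$ctl04$TextField -> TextField."""
    return name.split("$")[-1]


def classify(name: str) -> str:
    if name.startswith(ASPNET_PREFIXES):
        return "aspnet"
    if name.startswith(SHAREPOINT_PREFIXES) or leaf(name).startswith(SHAREPOINT_PREFIXES):
        return "sharepoint"
    return "application"


def triage(body: str) -> dict:
    """Bucket every parameter. 'blank' lists the ones sent empty, the usual
    'passed out of habit' suspects; only a differential test (drop the parameter,
    compare responses) proves the server really ignores them."""
    params = parse_qsl(body, keep_blank_values=True)
    buckets = {"total": len(params), "aspnet": [], "sharepoint": [],
               "application": [], "blank": []}
    for name, value in params:
        buckets[classify(name)].append(name)
        if value == "":
            buckets["blank"].append(name)
    return buckets


def fuzz_candidates(body: str) -> list:
    """(leaf, full name, current value) for the application fields: fuzz these first."""
    return [(leaf(n), n, v) for n, v in parse_qsl(body, keep_blank_values=True)
            if classify(n) == "application"]


if __name__ == "__main__":
    t = triage(SAMPLE_BODY)
    print(f"{t['total']} parameters: {len(t['aspnet'])} ASP.NET, "
          f"{len(t['sharepoint'])} SharePoint, {len(t['application'])} application")
    for short, full, value in fuzz_candidates(SAMPLE_BODY):
        print(f"  {short:20} {value!r:16} <- {full}")
```

`parse_qsl` decodes `%24` back to `$`, so the control-ID split works on the real names. The split only works because SharePoint's plumbing has recognisable prefixes; on a home-grown CMS the same triage has to be built by reading the code, which is the point of the "SharePoint is easy, MyDownloadedCMS is not" remark further on.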


Size Matters – manual testing…

• Effort estimation – even if it took only 3 weeks to build it, it won’t take 3 days to test it! Not enough time means hard-to-reach corners aren’t reached!

• Difficulty mapping out the application

• Hard to separate infrastructure from custom code (SharePoint is easy, MyDownloadedCMS is not)


Size Matters – manual testing…

• Difficulty mapping module relationships – it comes in here and goes out… god knows where!

• Mixed static and dynamic content

• Code often very large, complex or not available

• A lot of different user types, components and roles


Size Matters – manual testing…

• Think about an application that has 5 user types (superadmin, site admin, supervisor, normal user, read-only report-generation user)

• 25 different components

• Each user can access only part of the functionality in each component, let’s say 1/3…

• Now imagine the nightmare of authorization-bypass testing!
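The size of that nightmare is the full product of roles, components and actions, and every cell has to be exercised, including the two thirds a role is not supposed to reach, because that is where bypasses hide. The Python harness below is an added example, not from the deck: it enumerates the matrix for a constructed slice of the scenario (the deck's five roles, three invented components with invented actions and an invented allow-list) and diffs what a stand-in server allows against that policy. The mock server and its single bug are assumptions.

```python
"""Enumerate the role x component x action matrix the deck describes and diff
what a server actually allows against the intended policy."""

# Constructed scenario (assumption): the deck's five user types and a three-component
# slice of its twenty-five components, with an invented allow-list per action.
ROLES = ["superadmin", "site_admin", "supervisor", "user", "report_reader"]
ACTIONS = {
    "announcements": ["view", "create", "delete"],
    "reports": ["view", "export", "schedule"],
    "users": ["list", "create", "reset_password"],
}
POLICY = {
    ("announcements", "view"): set(ROLES),
    ("announcements", "create"): {"superadmin", "site_admin", "supervisor", "user"},
    ("announcements", "delete"): {"superadmin", "site_admin"},
    ("reports", "view"): {"superadmin", "site_admin", "supervisor", "report_reader"},
    ("reports", "export"): {"superadmin", "site_admin", "report_reader"},
    ("reports", "schedule"): {"superadmin", "site_admin"},
    ("users", "list"): {"superadmin", "site_admin"},
    ("users", "create"): {"superadmin", "site_admin"},
    ("users", "reset_password"): {"superadmin"},
}


def authz_matrix():
    """Every (role, component, action) triple. Each one is a request that has to be
    sent with that role's session, including the cells the role should not reach."""
    return [(r, c, a) for r in ROLES for c, acts in ACTIONS.items() for a in acts]


def expected(role, component, action):
    return role in POLICY.get((component, action), set())   # default deny


def find_bypasses(call):
    """call(role, component, action) -> True if the server performed the action.
    Returns the cells the server allowed although the policy denies them."""
    return [cell for cell in authz_matrix() if call(*cell) and not expected(*cell)]


def find_over_restrictions(call):
    """The opposite defect: cells the policy allows but the server refused."""
    return [cell for cell in authz_matrix() if not call(*cell) and expected(*cell)]


def mock_server(role, component, action):
    """Constructed stand-in for the application under test (assumption). Its one bug:
    reports/export only checks that the caller is logged in, not the caller's role."""
    if (component, action) == ("reports", "export"):
        return True
    return expected(role, component, action)


if __name__ == "__main__":
    print(f"{len(authz_matrix())} cells to exercise for this slice "
          f"({len(ROLES)} roles x {sum(map(len, ACTIONS.values()))} actions)")
    for cell in find_bypasses(mock_server):
        print("BYPASS:", *cell)
```

In a real harness `call` sends the request with the role's own session cookie and judges success by the response (status code, a resulting state change), never by whether the UI shows a link for it: the "1/3 of the functionality" a role sees is exactly the part that does not need testing for bypass.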


Size Matters – blackbox scanning…

• Difficulties crawling – a lot of pages to crawl, forms to submit, different functionality, JavaScript to parse

• Redundant testing of the same code that is activated from different locations (e.g. email-to-a-friend links – http://www.site.com/somepage.jsp?func=mailToAFriend)


Size Matters – blackbox scanning…

• URL rewriting / dynamically generated HTML – difficulty identifying parameters

http://www.ynet.co.il/articles/0,7340,L-4122262,00.html

http://www.amazon.com/Kindle-Wireless-Reading-Display-Generation/dp/B003FSUDM4/ref=sa_menu_kdp33/183-9381915-3823550
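Both scanning problems above (the same handler reached from many URLs, and parameters hidden in rewritten paths) are usually attacked by reducing URLs to a signature before deciding what to test. The Python below is an added example, not from the deck or any scanner: it normalises path segments that look like article numbers, catalogue IDs or session IDs and groups URLs by the result, merging the query-parameter names seen per group. The URL list mixes the deck's own examples with constructed variants (marked), and the token patterns are assumptions.

```python
"""Collapse rewritten/catalogue URLs into signatures so a crawler or scanner tests
each server-side code path once instead of once per article, product or session."""
import re
from urllib.parse import urlsplit, parse_qsl

DIGITS = re.compile(r"^\d+$")
# Long alphanumeric tokens containing a digit: ASINs, hashes, opaque IDs (assumption).
TOKEN = re.compile(r"^(?=.*\d)[A-Za-z0-9_-]{8,}$")
# Session-style segments such as 183-9381915-3823550 (assumption).
SESSION = re.compile(r"^\d+-\d+-\d+$")
# Comma lists such as 0,7340,L-4122262,00.html
COMMA_LIST = re.compile(r"^([^,]*,){2,}[^,]*$")


def normalise_segment(seg: str) -> str:
    if "=" in seg:                              # path-embedded key=value, e.g. ref=...
        key, value = seg.split("=", 1)
        return f"{key}={normalise_segment(value)}"
    if SESSION.match(seg):
        return "{session}"
    if COMMA_LIST.match(seg):
        return ",".join(normalise_segment(p) for p in seg.split(","))
    if DIGITS.match(seg):
        return "{n}"
    if TOKEN.match(seg):
        return "{id}"
    # Slugs without digits stay as they are; embedded numbers are generalised.
    return re.sub(r"\d+", "{n}", seg)


def signature(url: str) -> str:
    parts = urlsplit(url)
    path = "/".join(normalise_segment(s) for s in parts.path.split("/"))
    return f"{parts.netloc}{path}"


def group_targets(urls):
    """signature -> {'example': first URL seen, 'params': query names seen, 'count': n}.
    One scan target per signature, fuzzed with the union of its parameters."""
    groups = {}
    for url in urls:
        sig = signature(url)
        g = groups.setdefault(sig, {"example": url, "params": set(), "count": 0})
        g["params"].update(n for n, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True))
        g["count"] += 1
    return groups


URLS = [
    "http://www.vodafone.com/content/index/about/about_us/money_transfer.html?q=vodafone&start=10&perpage=10&area=all",
    "http://www.vodafone.com/content/index/about/about_us/money_transfer.html?q=related%3A%2Fcontent%2Findex%2Fabout%2Fabout_us%2Fmoney_transfer%2Fnews%2Fsafaricom_in_anotherfirstasm-pesaenterssupermarkets",
    "http://www.ynet.co.il/articles/0,7340,L-4122262,00.html",
    "http://www.ynet.co.il/articles/0,7340,L-4119876,00.html",                  # constructed second article
    "http://www.amazon.com/Kindle-Wireless-Reading-Display-Generation/dp/B003FSUDM4/ref=sa_menu_kdp33/183-9381915-3823550",
    "http://www.amazon.com/Kindle-Wireless-Reading-Display-Generation/dp/B00EXAMPL1/ref=sa_menu_kdp33/277-1122334-5566778",  # constructed: other ASIN, other session
    "http://www.site.com/somepage.jsp?func=mailToAFriend",
    "http://www.site.com/somepage.jsp?func=mailToAFriend&article=42",          # constructed
]

if __name__ == "__main__":
    for sig, g in group_targets(URLS).items():
        print(f"{g['count']:2} x {sig}  params={sorted(g['params'])}")
```

The trade-off is visible in the output: the scanner loses the ability to tell one article from another, which is exactly what it wants when the code behind them is the same, but a signature that is too aggressive would also merge genuinely different handlers, so the patterns need tuning per site.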


Size Matters – code analysis…

• Often the code is not available

• Sometimes user code is available but not the rest

• A LOT of code to cover

• Cross-module relations are difficult to map – too many components to map them all

• Massive component reuse – optimization challenges


Somebody Else Did It! 3rd party platforms…


Somebody Else Did It…

• Somebody Else Did It – so it’s inherently secure (especially if “Somebody” is a big, established software firm…)

• … Even if it initially wasn’t, I then didn’t update it for 5 years and also built 1,000,000 lines of insecure code on top of it as “minor changes”

• Lack of knowledge of the customizations or of the platform’s security mechanisms


Somebody Else Did It…

• Not using integrated security features – “…Windows SharePoint Services 3.0 provides 33 pre-defined permissions that you can use to allow users to perform specific actions”

• Disabling integrated security features – “the XSS defense was preventing me from using special characters, so I disabled it for the entire module…”


Somebody Else Did It…

• Updates and Maintenance

• The (not so) good – somebody else did it… 5 years ago

• The bad – somebody else did it… but I didn’t install the updates

• The ugly – somebody else did it… and won’t fix it


Somebody Else Did It…

• SharePoint File Upload Persistent XSS

• Authentication and the ability to write to the SharePoint site are required to exploit this scenario.

• Significant workarounds exist that allow SharePoint server configurations to be isolated from cross-domain exploitation.

• SharePoint administrators can restrict the uploading of files to SharePoint servers


Somebody Else Did It…

(Just Released! Found by Seeker™)


Somebody Else Did It…

SharePoint 2007 Central Administration XSS:

XSS – perform operations on behalf of users, steal information, take their cookies, corrupt data…


Somebody Else Did It…

When the payload is typed directly into the textbox it is encoded on the client side, which prevents the XSS! The server does not encode it, so a POST crafted by hand carries the script through:

POST /Reports/Pages/Default.aspx HTTP/1.1 ...

ctl00$MSOTlPn_EditorZone$Edit0g_7aaa0c6d_72f5_4717_9b22_80188ffdbcde$peopleEditor$hiddenSpanData=<script>alert("I didn’t do HTML Encoding!")</script>


Somebody Else Did It…

SharePoint 2007 & 2010 Insecure Redirect

Insecure redirect: sneakily lead users to a malicious website and do bad things to them there. Steal their credentials, tell them lies, have them tell their deepest secrets to www.evil.com!

The vulnerable parameter is Source, a system-wide parameter used for redirects all over SharePoint.

Normal values:

Source=/Docs/Announcements/NewForm.aspx

Source=http://mysite/Docs/Announcements/NewForm.aspx


Somebody Else Did It…

Normal values: anything inside the site!

Actually, it permits anything starting with “localhost” or “127.0.0.1”. For example:

Source=localhost/Docs/Announcements.NewItem.aspx

However, this also includes:

Source=Localhost.EvilSite.Com
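The bug is a prefix comparison standing in for a host comparison. The Python below is an added example, not SharePoint's code: `flawed_is_local` is a reconstruction, as an assumption, of the check the slide describes, and `safe_redirect_target` is the allow-list check that closes it by parsing the value and comparing the host exactly. The site host name and the sample values (beyond the deck's own) are constructed.

```python
"""The Source check the deck describes, reconstructed as an assumption (this is not
SharePoint's code), next to an allow-list check that would have closed the hole."""
from urllib.parse import urlsplit

SITE_HOST = "mysite"   # assumption: host name of the SharePoint web application


def flawed_is_local(source: str) -> bool:
    """Prefix check: anything 'inside the site' or starting with localhost/127.0.0.1."""
    s = source.strip().lower()
    return s.startswith(("/", "localhost", "127.0.0.1", f"http://{SITE_HOST}/"))


def safe_redirect_target(source: str, site_host: str = SITE_HOST) -> bool:
    """Accept a site-relative path or an absolute http(s) URL whose host is exactly ours."""
    if not source or any(c in source for c in "\\\r\n\x00"):
        return False                      # backslashes and CR/LF invite browser/header tricks
    parts = urlsplit(source)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: exactly one leading slash; '//host/...' is scheme-relative.
        return source.startswith("/") and not source.startswith("//")
    return parts.scheme in ("http", "https") and parts.hostname == site_host.lower()


SAMPLES = [   # (value, intended verdict); constructed except where noted
    ("/Docs/Announcements/NewForm.aspx", True),                # normal value from the deck
    ("http://mysite/Docs/Announcements/NewForm.aspx", True),   # normal value from the deck
    ("Localhost.EvilSite.Com", False),                         # the bypass from the deck
    ("localhost.evilsite.com/Docs/x.aspx", False),
    ("//www.evil.com/login", False),
    ("/\\www.evil.com", False),
    ("http://mysite.evil.com/", False),
    ("http://mysite@www.evil.com/", False),
    ("javascript:alert(1)", False),
]


def misjudged_by(check) -> list:
    """Sample values on which `check` disagrees with the intended verdict."""
    return [value for value, ok in SAMPLES if check(value) != ok]


if __name__ == "__main__":
    print("flawed check lets through:", misjudged_by(flawed_is_local))
    print("hardened check misjudges:", misjudged_by(safe_redirect_target))
```

The hardened check also rejects the hostless `localhost/Docs/Announcements.NewItem.aspx` form the deck lists as a normal value; an application should only ever put site-relative paths or its own absolute URLs into Source, so nothing legitimate is lost by refusing it.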


My CMS has Wings! So Does Everybody Else’s


My CMS has Wings!

• CommunityMS – widgetization, add-ons, etc.

• UGC – User Generated Content – Web 2.0 creates many opportunities for security flaws!

• Administration & back office – leaving the admin interface publicly accessible, and not testing the admin interface because “nobody has access to it”.


My CMS has Wings!

• Administrative Interfaces? Just Google it!

• SharePoint?

Google for inurl:/docs/lists/announcements

• Wordpress?

Google for inurl:wp-login.php

(remote admin password reset vulnerability, anyone?)

• PeopleSoft?

Google for inurl:maintain_security


My CMS has Wings!

• I took a component, and then my custom code added write permissions to it. It was never secure enough for write permissions.

• Adding components provided by dubious entities… (look what I found on Google! It’s just a widget…)


My CMS has Wings!

• Fresh from the oven, released in the past week:

WordPress WP e-Commerce Plugin 'cs1' Parameter SQL Injection Vulnerability (14-Sep-2011)

WordPress 'comment_post_ID' Parameter SQL Injection Vulnerability (12-Sep-2011)

WordPress Easy Comment Uploads Plugin 'upload.php' Arbitrary File Upload Vulnerability (12-Sep-2011)

WordPress Tune Library Plugin 'letter' Parameter SQL Injection Vulnerability (10-Sep-2011)


Help!!! What can You do??


Help!!!

• Provide enough time for thorough security testing

• Know which components are present

• Buy your platform from a reputable vendor, or test it fully, including the platform components

• Spend time configuring your security tools

• Prefer security tools that know your specific platform


Help!!!

• Choose widgets and add-ons from a reputable vendor, and test them properly anyway

• Get an expert who knows the platform to configure it and help you customize it

• Use the built-in security features

• Update and maintain it!

• Secure it like any other development process


Thank You!