Snakes in a plugin - WordPress plugin security

Duncan Stuart @dgmstuart

Transcript of Snakes in a plugin - WordPress plugin security


“You can't defend. You can't prevent. The only thing you can do is detect and respond.”

Bruce Schneier


WordPress dev for the public sector

Secure hosting

Plugin security reviews

www.dxw.com


The internet is a terrifying place

Demo


You can’t trust the ‘from’ field

You can’t trust the address bar

The internet is a terrifying place

What did we learn?


It’s much, much worse


It’s not unusual...

It’s the most common vulnerability

25% of plugins we review are unsafe

over 25% are conditionally safe



“I am regularly asked what the average Internet user can do to ensure his security. My first answer is usually 'Nothing; you're screwed'”

Bruce Schneier


What can you do?

1. Update!

2. Pen test!

3. Mongoose!


Security alerts for WordPress plugins

www.mongoosewp.com

@dgmstuart @thedxw

www.dxw.com

Thank You

Questions?