January 30th 2019 - It’s freezing cold in Chicago today and, according to the news, it’s even colder than on Mount Everest - so a perfect day to stay inside a warm building, sitting in front of your machine and having a (sorry, bad Everest joke) summit!
The Joomla Security Strike Team (JSST) was invited to send a delegation to the CMS Security Summit, organised by Google and taking place in Chicago. JSST leads David Jardin and Tobias Zulauf took that opportunity and travelled to Illinois to meet security team leads from other CMSs, web hosts and, of course, a bunch of Googlers representing various projects and initiatives from the company.
Having a face-to-face meeting with folks from other fellow CMSs (namely WordPress, TYPO3 and Drupal) and other players in our ecosystem (such as Symfony’s security lead) was an incredibly valuable experience for us. Work in the IT security sphere is based on “trust” in many different ways, so meeting other security folks, starting personal relationships and building exactly that kind of trust will be extremely helpful in the future when it comes to cross-project communication.
Besides these rather “implicit” results, we also identified various concrete issues that affect us all and where cross-project collaboration would be very beneficial:
- Filtering security issues on the server side in cooperation with the web hosts
- Building CSP-friendly projects to prevent XSS attacks
- Implementing the newest security features built into browsers, such as Feature Policy, to disable specific browser features that your site is not using
- Making use of SameSite cookies
- Starting an initiative on the requirements for a secure auto-update mechanism
- Moving forward industry-wide standards like PSR-9 (Security Advisories) and PSR-10 (Security Reporting Process)
- Taking a look into the Trusted Types proposal, which would also help to prevent XSS attacks.
Overall it was a great event and a very good starting point for providing better security for all of our users and for even better cross-industry collaboration on securing the web.
We would like to thank Google for the invitation and the perfect organisation, as well as the other attendees for such a great summit with lots of great and positive discussions. We are looking forward to more similar events and cross-industry collaboration that will benefit all of our users.