Web Application Security (was Re: universe demotion: Moodle)

Kees Cook kees at ubuntu.com
Tue Jan 26 19:12:50 GMT 2010


Hi Stephan,

On Tue, Jan 26, 2010 at 07:30:50PM +0100, Stephan Hermann wrote:
> Is there any effort (despite this mail) to establish a working group to
> provide a more stable and secure platform of "Ubuntu" for
> Web Applications?

Not that I'm aware of; sounds like a great idea.

> Just read this mail as a start for a discussion to make Ubuntu OS as
> the No. 1 Platform for Wordpress or Drupal or Typo3 :)

I'm seriously considering not allowing any web application into main
without a functional AppArmor profile.  This is especially true for
anything written in PHP as authors frequently do not follow safe input,
output, database, or subshell filtering practices, even though functions
exist to handle it safely.

I like Drupal because they try to force module authors into only using
Drupal interfaces, rather than just arbitrary PHP functions to interact
with the input, output, and database.  And, Drupal actually has a good
track-record.  Their security patches are usually clean and easy to find.
That said, module authors are still getting into trouble anyway.

The security history[1] of extensions with CVEs for any of Wordpress(49),
Drupal(179), or Typo3(150) is very bad.  :(

-Kees

[1] http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/annotate/head%3A/ignored/not-for-us.txt

-- 
Kees Cook
Ubuntu Security Team
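The mail's complaint is that PHP authors skip the input, output, database and subshell handling that the language already provides functions for. The following is an added illustration, not code from the mail, from Kees, or from WordPress, Drupal or TYPO3; each pair shows the unsafe pattern in a comment and then the standard PHP call that handles it. The table name, column names and backup paths are hypothetical, and the self-check at the bottom assumes the pdo_sqlite extension is available.

```php
<?php
// Added illustration (not from the mail or from any of the projects it names).
// Each section pairs an unsafe idiom, shown in a comment, with the PHP function
// that exists to handle it safely. Table, columns and paths are hypothetical.
declare(strict_types=1);

// 0. Input: validate a numeric request parameter instead of using it raw.
// Unsafe: $id = $_GET['id'];
function parseId(string $raw): ?int
{
    // FILTER_VALIDATE_INT returns an int on success and false otherwise.
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// 1. Output: reflect a request parameter into HTML.
// Unsafe: echo '<p>Hello ' . $_GET['name'] . '</p>';   (reflected XSS)
function renderGreeting(string $name): string
{
    // ENT_QUOTES and an explicit charset cover both text and attribute contexts.
    return '<p>Hello ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// 2. Database: look up a user by the submitted login.
// Unsafe: $db->query("SELECT * FROM users WHERE login = '" . $_POST['login'] . "'");
function findUser(PDO $db, string $login): ?array
{
    // A prepared statement keeps the user-supplied value out of the SQL text.
    $stmt = $db->prepare('SELECT id, login FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Subshell: build a command line that includes a user-chosen name.
// Unsafe: shell_exec('tar czf /var/backups/site.tgz ' . $_GET['dir']);
function archiveCommand(string $dir): string
{
    // Allow-list first; escapeshellarg then quotes the value so the shell
    // treats it as one argument rather than parsing it.
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $dir)) {
        throw new InvalidArgumentException('directory name rejected');
    }
    return 'tar czf ' . escapeshellarg('/var/backups/' . $dir . '.tgz')
         . ' -C /var/www/site ' . escapeshellarg($dir);
}

// Self-check against an in-memory SQLite database (constructed sample data).
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT)');
$db->exec("INSERT INTO users (login) VALUES ('alice')");

check(parseId('42') === 42 && parseId('42; DROP TABLE users') === null, 'input');
check(renderGreeting('<script>') === '<p>Hello &lt;script&gt;</p>', 'output');
check(findUser($db, "' OR 1=1 --") === null, 'database: injection text matches nothing');
check(findUser($db, 'alice')['login'] === 'alice', 'database: real login found');
check(archiveCommand('uploads')
      === "tar czf '/var/backups/uploads.tgz' -C /var/www/site 'uploads'", 'subshell');
try {
    archiveCommand('../etc');
    check(false, 'subshell: traversal should be rejected');
} catch (InvalidArgumentException $e) {
}
echo "all checks passed\n";
```

Run it with `php example.php`; every function returns its result rather than printing it, so the same checks can be lifted into a test suite. The AppArmor side of the mail is a separate layer: confining the PHP interpreter limits what a bug in code like the "unsafe" comments can reach, but it does not make that code correct.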
