Web Application Security (was Re: universe demotion: Moodle)
sh at sourcecode.de
Wed Jan 27 09:51:58 GMT 2010
Good Morning Kees and all :)
On Tue, 26 Jan 2010 11:12:50 -0800
Kees Cook <kees at ubuntu.com> wrote:
> Hi Stephan,
> On Tue, Jan 26, 2010 at 07:30:50PM +0100, Stephan Hermann wrote:
> > Is there any effort (despite this mail) to establish a working
> > group to provide a more stable and secure platform of "Ubuntu" for
> > Web Applications?
> Not that I'm aware of; sounds like a great idea.
I thought about that for a long time now, because seeing the situation
of Drupal or Wordpress (forget about typo3 or other webapps here) in
Debian/Ubuntu that not so many people focussing on getting security
updates for those popular webapps. mostly it's a drive by security
patch when people are interested in special situations.
I think we need here a better webapp infrastructure, if we want to push
it into the main pocket.
> > Just read this mail as a start for a discussion to make Ubuntu OS as
> > the No. 1 Platform for Wordpress or Drupal or Typo3 :)
> I'm seriously considering not allowing any web application into main
> without a functional AppArmor profile. This is especially true for
> anything written in PHP as authors frequently do not follow safe
> input, output, database, or subshell filtering practices, even though
> functions exist to handle it safely.
Is there any good howto/tutorial how to secure a webapp with db access
etc. with AppArmor?
Btw, I'm not proposing webapps to go into main, but that we have a good
infrastructure to use webapps not from upstream directly but from
Ubuntu/Debian archives (which makes the sysadmin life much easier ;))
> I like Drupal because they try to force module authors into only using
> Drupal interfaces, rather than just arbitrary PHP functions to
> interact with the input, output, and database. And, Drupal actually
> has a good track-record. Their security patches are usually clean
> and easy to find. That said, module authors are still getting into
> trouble anyway.
Correct. But that's true for any module/plugin based webapp afaik.
> The security history of extensions with CVEs for any of
> Wordpress(49), Drupal(179), or Typo3(150) is very bad. :(
| Stephan '\sh' Hermann | OSS Dev / SysAdmin |
| JID: sh at linux-server.org | http://www.sourcecode.de/ |
| GPG ID: 0xC098EFA8 | http://leonov.tv/ |
| FP: 3D8B 5138 0852 DA7A B83F DCCB C189 E733 C098 EFA8 |
More information about the ubuntu-devel