DNN Community Blog


My Role(s) in DotNetNuke

This year I've been asked to take on the roles of Core Team Trustee / Security Manager. I'll not discuss the Trustee role too much, as this details it well, but I'd like to chat about the Security Manager role a little.

The security manager role formalises what I've been doing in an informal fashion over the past few years. Some of my key responsibilities include:

  • Regularly review the code for any potential issues introduced, or any that surface due to new/popular attack vectors.
  • Act as 'point-man' for security-related issues, i.e. any mails directed to [email protected]. The emails we receive typically fall into a few categories:
    • Reports of suspected hacks - from time to time people email in when their site has been hacked to see if the problem was DotNetNuke-related. Typically I examine the exploit payload/vandalised pages, site contents and IIS logs to determine whether the issue was in the core or in other third-party modules (note: almost without exception the hacks are not DotNetNuke-related; typically they are server-related, usually due to missing Windows patches).
    • Validate vulnerability assessments/penetration reports - sometimes we receive these when a site owner employs a third party to assess their site. I read these and validate whether the issues are genuine, whether they have mitigating factors, and whether they can be fixed. In some cases genuine issues do turn up, at which point we fix the issue and release a bulletin as usual.
    • Users wanting answers to security-related questions that they or their clients require.
  • Add to and maintain our security documentation (latest versions are available here)
  • Perform security audits of any projects added to the project tracker. This has worked well, with a number of issues being caught before release already.
  • Plan out security-related enhancements. This year I'd like to look at a few areas including:
    • adding page-level SSL support
    • enhancing security options in the core
    • breaking out our InputFilters into a provider, so that admins can plug in updates/alternatives easily (diversity is always a plus in the security world)
    • now that we've moved to a pure ASP.NET 2.0 codebase, there are a number of 2.0-specific enhancements that will be added in the next releases
    • adding an application-level filter that can block user access based on selected criteria such as user agent or IP
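To make the last item concrete, here is an added example (not DotNetNuke code, and not the filter the post plans) of how an application-level block-by-criteria filter can be expressed in ASP.NET 2.0 as an IHttpModule. The class name, the block lists and the sample values are all constructed for illustration; a real implementation would load the criteria from configuration rather than hard-coding them.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Hypothetical application-level filter (example only, not DotNetNuke's implementation).
// It inspects every request early in the pipeline and returns 403 when the client
// address or User-Agent matches an administrator-maintained block list.
public class RequestBlockModule : IHttpModule
{
    // Constructed sample criteria; these values are placeholders, not real threat data.
    private static readonly List<string> BlockedAddresses =
        new List<string>(new string[] { "203.0.113.10" });
    private static readonly List<string> BlockedUserAgentFragments =
        new List<string>(new string[] { "ExampleBlockedAgent/1.0" });

    public void Init(HttpApplication app)
    {
        // BeginRequest fires before any page or module code runs, so a blocked
        // request never reaches the portal.
        app.BeginRequest += new EventHandler(OnBeginRequest);
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest request = app.Context.Request;

        if (ShouldBlock(request.UserHostAddress, request.UserAgent))
        {
            app.Context.Response.StatusCode = 403;
            app.Context.Response.SuppressContent = true;
            app.CompleteRequest(); // skip the rest of the pipeline for this request
        }
    }

    // Decision logic is kept separate from the pipeline so it can be unit tested
    // without an HttpContext.
    public static bool ShouldBlock(string clientAddress, string userAgent)
    {
        if (clientAddress != null && BlockedAddresses.Contains(clientAddress))
            return true;

        if (!string.IsNullOrEmpty(userAgent))
        {
            foreach (string fragment in BlockedUserAgentFragments)
            {
                if (userAgent.IndexOf(fragment, StringComparison.OrdinalIgnoreCase) >= 0)
                    return true;
            }
        }
        return false;
    }

    public void Dispose() { }
}
```

The module is registered in web.config under `<system.web><httpModules>` with an `<add name="RequestBlock" type="RequestBlockModule" />` entry (the name is an assumption). Two caveats a deployer should keep in mind: `UserHostAddress` is the address of the TCP peer, so behind a reverse proxy or load balancer it is the proxy's address unless the proxy's forwarded-for header is explicitly trusted and parsed; and the User-Agent string is entirely client-supplied, so matching on it cuts nuisance traffic but is not an authentication or authorisation control.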
