
My Role(s) in DotNetNuke

This year I've been asked to take on the roles of Core Team Trustee / Security Manager. I'll not discuss the Trustee role too much as this details them well, but I'd like to chat about the Security Manager role a little.

The security manager role formalises what I've been doing in an informal fashion over the past few years. Some of my key responsibilities include:

  • Regularly review the code for any potential issues introduced, or any that surface due to new or newly popular attack vectors.
  • Act as 'point-man' for security-related issues, i.e. any mails directed to security@dotnetnuke.com. The emails we receive typically fall into a few categories:
    • Reports of suspected hacks - from time to time people email in when their site has been hacked to see if the problem was DotNetNuke related. Typically I examine the exploit payload/vandalised pages, site contents and IIS logs and see if the issue was in the core or in other 3rd-party modules (note: almost without exception the hacks are not DotNetNuke related; typically they are server related, usually due to missing Windows patches).
    • Validate vulnerability assessments/penetration reports - sometimes we receive these when a site owner employs a 3rd party to assess their site. I read these and validate whether the issues are genuine, whether they have mitigating factors, and whether they can be fixed. In some cases genuine issues do turn up, at which point we fix the issue and release a bulletin as usual.
    • Users wanting answers to security-related questions that they or their clients require.
  • Add to and maintain our security documentation (latest versions are available here).
  • Perform security audits of any projects added to the project tracker. This has worked well, with a number of issues being caught before release already.
  • Plan out security-related enhancements. This year I'd like to look at a few areas including:
    • adding page-level SSL support
    • enhancing security options in the core
    • breaking out our InputFilters into a provider, so that admins can plug in updates/alternatives easily (diversity is always a plus in the security world)
    • now that we've moved to a pure ASP.NET 2.0 codebase, there's a number of 2.0-specific enhancements that will be added in the next releases
    • adding an application-level filter that can block user access based on selected criteria such as user agent or IP.
