It's a Jungle Out There: The Security State of CMS Platforms
TRANSCRIPT
SESSION ID: STU-W03A
Maty Siman, Founder & CTO, CISSP
Checkmarx
RSAC
Slide 2: CMS
"A Content Management System (CMS) is a computer program that allows publishing, editing and modifying content as well as maintenance from a central interface." (Wikipedia)
Slide 3: Infographics (http://www.webnethosting.net/wordpress-vs-joomla-vs-drupal-cms-popularity-war)
Slide 4: Drupal Architecture
[Diagram: Drupal architecture; legible labels: Plugin(s), Widgets]
Slide 5: CMS Plugins
Barriers to entry are very low:
- No publishing fees
- No publishing checks
- Simple API
- PHP
Slide 6: Significant Exposure
Slide 7: Significant Exposure
Anyone in your company can set up a new WordPress instance; no need for IT personnel or R&D assistance.
Slide 8: 1+1=
Low Barrier + Exposure = Security Concern
Slide 9: Some Stats
Slide 10: Our report
- Jan 2013: 30% of top 50
- Feb to Apr: notified 3 vendors (Automattic)
- Jun: 20% of top 50
- 7 out of 10 e-commerce
- Recommendations
Slide 11 (no extracted text)
Slide 12 (no extracted text)
Slide 13: SlimStat SQLi
Slide 14: Report (Jan 8, 2014)
Ory Segal - https://blogs.akamai.com/2014/01/wordpress-plugins-exploitation-through-the-big-data-prism.html
Slide 15: Anatomy of an attack - Widespread
1. Download 10 WP plugins.
2. On average, 3 of them are vulnerable to high-risk vulnerabilities.
3. Check which sites are using these plugins (Google dork: "index of" wp-content/plugins/slimstat).
Slide 16: Anatomy of an attack - Targeted
1. Check what plugins are used by your target (Google dork: "index of" wp-content site:victim.com).
2. Download these plugins.
3. Check for vulnerabilities in these plugins.
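Both attack flows above hinge on one step: learning which plugins, and which versions, a site runs from what WordPress exposes to any visitor. The script below is an added example written for this transcript, not code from the talk or from Checkmarx. It fingerprints plugins from a page's HTML (WordPress loads plugin assets from /wp-content/plugins/<slug>/ and wp_enqueue_script/style normally append ?ver=<version>), then compares what it found against a table of fixed-in versions, and also answers the "widespread" question of which of several sites load a given plugin. The sample HTML, the plugin slugs and the ADVISORIES table are all constructed for illustration and do not describe any real plugin's bug.

```python
"""Fingerprint WordPress plugins from a page's HTML and compare the versions
found against a table of fixed-in versions.

Added example for this transcript; not code from the talk or from Checkmarx.
The sample HTML, plugin slugs and the ADVISORIES table are constructed for
illustration and do not describe any real plugin vulnerability.
"""
import re
from typing import Dict, List, Optional, Tuple

# WordPress serves plugin assets from /wp-content/plugins/<slug>/... and
# wp_enqueue_script/style usually append ?ver=<version>, which leaks the
# plugin version (or the core version, when the plugin passed none).
ASSET_RE = re.compile(
    r"/wp-content/plugins/(?P<slug>[a-z0-9][a-z0-9_-]*)/[^\"'\s?]*"
    r"(?:\?(?:[^\"'\s]*&)?ver=(?P<ver>[0-9][0-9.]*))?",
    re.IGNORECASE,
)

# Constructed page: what a browser sees in the <head> of a WordPress site.
SAMPLE_HTML = """
<link rel='stylesheet' href='https://victim.example/wp-content/plugins/contact-widget/css/style.css?ver=2.3.1' />
<script src='https://victim.example/wp-content/plugins/stats-tracker/js/track.js?ver=1.9.0'></script>
<script src='https://victim.example/wp-content/plugins/gallery-lite/js/gal.js'></script>
<img src="/wp-content/plugins/contact-widget/img/icon.png" alt="">
"""

# Constructed advisory table: slug -> first version that carries the fix.
ADVISORIES: Dict[str, str] = {"stats-tracker": "2.0.0", "gallery-lite": "1.4"}


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.2.10' -> (1, 2, 10), so 1.10 sorts above 1.9 (a string compare would not)."""
    return tuple(int(p) for p in v.strip(".").split(".") if p)


def fingerprint_plugins(html: str) -> Dict[str, Optional[str]]:
    """Map every plugin slug referenced in the HTML to a version, or None when
    no asset URL for that slug carried a ?ver= parameter."""
    found: Dict[str, Optional[str]] = {}
    for m in ASSET_RE.finditer(html):
        slug, ver = m.group("slug").lower(), m.group("ver")
        if slug not in found or (ver and found[slug] is None):
            found[slug] = ver
    return found


def vulnerable_plugins(found: Dict[str, Optional[str]],
                       advisories: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(slug, observed_version, fixed_in) for every listed plugin that is either
    older than the fix or of unknown version. Unknown is reported, not dropped:
    silently skipping it is how a scan misses the one plugin that matters."""
    report: List[Tuple[str, str, str]] = []
    for slug, ver in sorted(found.items()):
        fixed = advisories.get(slug)
        if fixed is None:
            continue  # not in the advisory table, nothing to compare against
        if ver is None:
            report.append((slug, "unknown", fixed))
        elif parse_version(ver) < parse_version(fixed):
            report.append((slug, ver, fixed))
    return report


def sites_using(pages: Dict[str, str], slug: str) -> List[str]:
    """Widespread variant: given {site: html}, which sites load plugin `slug`."""
    return sorted(site for site, html in pages.items()
                  if slug in fingerprint_plugins(html))


if __name__ == "__main__":
    inventory = fingerprint_plugins(SAMPLE_HTML)
    for slug, ver in sorted(inventory.items()):
        print(f"{slug:16} {ver or 'unknown'}")
    for slug, ver, fixed in vulnerable_plugins(inventory, ADVISORIES):
        print(f"CHECK  {slug} {ver} (fixed in {fixed})")
    print(sites_using({"victim.example": SAMPLE_HTML, "other.example": "<html></html>"},
                      "stats-tracker"))
```

A defender can run the same inventory against their own sites before an attacker does. Two caveats a practitioner should keep in mind: ?ver= is the WordPress core version, not the plugin's, when a plugin enqueues its assets without one, and a plugin that loads nothing on the page you fetched is invisible to this method, which is why an unknown version is reported as "go and check" rather than dropped.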
Slide 17: What should I do?
1. Ask your plugin-market owner what security measures it takes to ensure the security level of the hosted plugins.
2. We found that "you get what you pay for": commercial markets are more secure than free ones (wordpress.com vs wordpress.org).
3. Upgrade your plugins to their latest version.
4. Educate your team regarding the security risks of setting up new CMS instances.
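The four recommendations are preventive. For the detection side of the attack anatomy on the earlier slides, here is an added example, not code from the talk or from Checkmarx: it reads access-log lines in the common "combined" format and flags (a) any client that requests readme.txt from many different plugin directories within a short window, which is how a scanner confirms what a Google dork suggested and reads the version, and (b) any 200 response for a bare plugin directory, which means directory listing is enabled and the site is findable with an "index of" query. The log lines are constructed with RFC 5737 test addresses and, apart from slimstat, made-up plugin slugs; the threshold and window are assumptions to tune against real traffic.

```python
"""Detect WordPress plugin enumeration in web-server access logs.

Added example for this transcript; not code from the talk or from Checkmarx.
The log lines are constructed (RFC 5737 test addresses) and, except for
slimstat, the plugin slugs are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Apache/nginx "combined" log format; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# readme.txt is what scanners fetch to confirm a plugin and read its version.
README_RE = re.compile(r"^/wp-content/plugins/(?P<slug>[A-Za-z0-9_-]+)/readme\.txt$", re.IGNORECASE)
# A bare directory path answered with 200 means a directory listing was served.
LISTING_RE = re.compile(r"^/wp-content/plugins/(?:[A-Za-z0-9_-]+/)?$", re.IGNORECASE)

# Constructed sample: one scanner (203.0.113.7), one ordinary visitor, one junk line.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2014:10:00:01 +0000] "GET /wp-content/plugins/slimstat/readme.txt HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2014:10:00:02 +0000] "GET /wp-content/plugins/stats-tracker/readme.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2014:10:00:02 +0000] "GET /wp-content/plugins/gallery-lite/readme.txt HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2014:10:00:03 +0000] "GET /wp-content/plugins/contact-widget/readme.txt?x=1 HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2014:10:00:04 +0000] "GET /wp-content/plugins/ HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jan/2014:10:05:00 +0000] "GET /wp-content/plugins/gallery-lite/readme.txt HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jan/2014:10:05:30 +0000] "GET /2014/01/hello-world/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
this line is not in combined format and is skipped
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
    }


def max_distinct_in_window(events: List[Tuple[datetime, str]], window: timedelta) -> int:
    """events: time-sorted (ts, slug). Largest number of distinct slugs probed
    inside any span of length `window`. Quadratic, fine for per-client volumes."""
    best = 0
    for i, (start, _) in enumerate(events):
        slugs = {slug for ts, slug in events[i:] if ts - start <= window}
        best = max(best, len(slugs))
    return best


def detect_enumeration(lines, threshold: int = 3,
                       window: timedelta = timedelta(seconds=60)) -> Dict[str, list]:
    """Return clients probing >= threshold distinct plugin readme.txt files within
    `window`, and every directory listing the server actually served."""
    probes: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    listings: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        m = README_RE.match(ev["path"])
        if m:
            # 200 and 404 both count: the client is probing either way.
            probes[ev["ip"]].append((ev["ts"], m.group("slug").lower()))
        elif LISTING_RE.match(ev["path"]) and ev["status"] == 200:
            listings.append((ev["ip"], ev["path"]))
    enumerators = []
    for ip, events in probes.items():
        events.sort()
        n = max_distinct_in_window(events, window)
        if n >= threshold:
            enumerators.append((ip, n))
    return {"enumerators": sorted(enumerators), "listings_served": listings}


if __name__ == "__main__":
    result = detect_enumeration(SAMPLE_LOG.splitlines())
    for ip, n in result["enumerators"]:
        print(f"ALERT plugin enumeration from {ip}: {n} distinct plugins probed")
    for ip, path in result["listings_served"]:
        print(f"MISCONFIG directory listing served for {path} to {ip}")
```

Turning directory listing off (Options -Indexes in Apache, autoindex off in nginx) removes the second signal entirely, and with it the "index of wp-content" discovery path. The first signal needs a threshold tuned to your own traffic: browsers never fetch plugin readme.txt files, and WordPress's own update checks go from the server to wordpress.org, not the other way, so even a low count from one client is suspicious.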
Slide 18: Thank you. Maty Siman, Founder & CTO at Checkmarx