This document discusses several Plone packages for checking vulnerabilities and applying security updates, including plone.app.vulnerabilities, plone.vulnerabilitychecks, and plone.hud. It notes that security is important in content management systems and recommends checking for updates daily and applying patches. The packages discussed aim to check for vulnerabilities during startup, buildouts, and tests and provide version information for administrators. Future work includes sprinting on the packages, keeping vulnerability information up-to-date, and raising awareness of Plone security.

1. Security Matters
Alexander Loechel on
plone.app.vulneritilities
plone.vulnerabilitychecks.*
plone.hud
PLONE CONFERENCE
BRISTOL 2014

2. Studies on Security
• Security Study on Content
Management Systems
published by the German
Federal Office for Information
Security May 2013
• Take at least
15 min / day / system
- Look for updates
- Apply Patches

3. „You should proceed under the assumption that
every Drupal 7 website was compromised unless
updated or patched before …
after the announcement.“
Drupal Security Team

4. plone.app.vulnerbilities
http://plone.org/hotfixes

5. plone.hud / plone.app.hud

7. JSON from
plone.org and
pypi.python.org

8. Supply Information
• Check for vulnerabilities on Plone installs:
• plone.vulnerabilitychecks.instance_startup —> disable or warn on startup
• plone.vulnerabilitychecks.buildout —> warn or stop buildout
• plone.vulnerabilitychecks.tests —> For CI Tests
• plone.vulnerabilitycheckes.controlpanel —> Version Information View
• buildout.autoapplyplonehotfixes
• —> github.com/loechel/
• dependencies:
• plone.vulnerabilitychecks.core —> JSON <— plone.app.vulnerabilities

9. Future Work
• Sprinting on that
• Include up-to-date lone.app.vulnerabilities in
plone.org and keep Information up-to-date
• May a PLIP to include those Packages in the
Installers as a out-commented option with
documentation
• Make people more aware of Plone Security