I recently completed a Master degree in Information Security at Royal Holloway, University of London. My dissertation was on the importance of responsible disclosure of vulnerabilites, so I’m going to start with a few posts on that subject. I’ll hopefully make it a bit less academic than the original report. Given I work in WordPress security, for Defiant (makers of THE BEST WordPress security plugin Wordfence), it made sense to focus on vulnerability disclosures in WordPress components.
The report needed a bit of editing from the original to make it more readable. I have also refrained from mentioning some researchers by name as I don’t want to draw attention to some of the irresponsible disclosures that they have made in the past. The aim of the report is to hopefully illustrate why developers should be given the opportunity to fix vulnerabilities in their products before advertising the fact to the world. It also shows how much damage has been done by providing full details on how to exploit vulnerabilities. using data that was kindly allowed to use by my Defiant Inc.
Any comments welcome on Twitter – @thegdwright.
- Part 1 – Introduction, Methodology and Objectives
- Part 2 – Background, including details of Content Management Systems and WordPress in particular, with an analysis of the architecture of WordPress sites. Also, a discussion of Wordfence, Defiant and the concept of responsible disclosures
- Part 3 – OWASP An analysis of the Open Web Application Security Project Top Ten vulnerabilities
- Part 4 – OWASP vulnerabilities and how they impact on WordPress websites
- Part 5 – A discussion of the WordPress website cleaning process
- Part 6 – Analysis of three different vulnerability disclosures and their impact on the owners and administrators of WordPress sites compromised through those vulnerabilities
- Part 7 – Mitigating attacks – Best practices to help harden and protect WordPress websites
- Part 8 – Conclusions
On to Part 1 – Introduction, Methodology and Objectives