This year, the event took place in Munich, Germany, and Oliver Hader, Benni Mack, and Torben Hansen from the Security Team represented TYPO3.
After a casual get-together with all participants the evening before the event, we spent two full days at Google Munich and the Information Security Hub (ISH) to learn about new and upcoming developments in web security.
Security Technology
There were many great presentations and lightning talks on web and security technologies, end-user security and data privacy, reducing injection potential, and isolation techniques for distributed requests.
- Strict Content Security Policy, Trusted Types and Scripting Policy to mitigate injections such as XSS.
- Cross-Origin Resource Policy (CORP), Embedder Policy, and Securer Contexts to enhance isolation and mitigate side-channel attacks.
- Concepts on tools and frameworks for securing the CMS ecosystem.
- OpenSK, an open-source security key to be used for multi-factor authentication.
- SameSite Cookie enforcement and browser Privacy Sandbox enhancing cross-site privacy.
- Potential of PSR-9 and PSR-10 PHP Standards Recommendations.
- Virus Total API to cluster and classify potential malware on the web.
- Web Almanac 2019 Security aspects.
Breakout Sessions
Breakout sessions allowed participants to collaborate in unconference discussions on security-related topics:
- Rapid detection and fast response/prevention
- Security tools and APIs
- Automatic updates
- Standardized distribution of security bulletins
- Security release window coordination among projects
- Two-factor authentication as default for CMS developers and admins
- Better static code analysis tools that enable prevention
- Security signals / score in Chrome Dev Tools
- Funding security improvements in CMSs
Great Initiative—Thanks Google!
For TYPO3, the event was a great success with much valuable input and fruitful discussions. It also brought attention to several topics we will work on to improve the security of TYPO3 and its ecosystem, such as enforcing SameSite cookies, extending static code analysis coverage and refining our process documentation.
We would like to say thanks to Google for organizing the event and to all participants for being active and passionate about improving security.
Further Reading
- Strict CSP (on csp.withgoogle.com)
- Trusted Types (on research.google)
- Scripting Policy (on mikewest.github.io)
- CORP (on fetch.spec.whatwg.org)
- Securer Contexts (on github.com/mikewest)
- OpenSK (on github.com/google)
- SameSite cookie enforcement (on blog.chromium.org)
- Privacy Sandbox (chromium.org)
- PSR-9/PSR-10 (on php-fig.org)
- Virus Total API (on developers.virustotal.com)
- Web Almanac 2019 Security (on almanac.httparchive.org)
Proofreading: Mathias Bolt Lesniak