Google Starts Serious Security Talks With the CMS Community

Last week, Chicago was the coldest place on earth! This was all over the news. The temperatures dropped to -30 degrees Celsius (-22 Fahrenheit) with a  wind chill of -50. I consider myself lucky to have been there to witness this rare polar vortex. However, I was in Chicago for a different event, one that didn’t make the news but was just as exciting — the Google CMS Security Summit.

Close to thirty top security experts from Google, different CMS platforms, and hosting companies came together to discuss how to make the internet a safer place for everyone. I consider myself even luckier to have been a part of this discussion as a representative of SiteGround.

For two days, we talked with the representatives of WordPress, Drupal, Joomla!, PrestaShop, TYPO3, Squarespace, Symfony, Sucuri, Wordfence, and more. It was inspiring to see how organizations that are competitors when it comes to attracting the end user to their platforms, can actually be unified for the higher aim of making the internet safer.

We almost won the HTTPS battle, but the security war is never over

It is no surprise that Google organized the event considering their significant role in web security. An easy example is the positive impact the Let’s Encrypt free SSL initiative, which is heavily supported by Google, had on encryption adoption. HTTPS usage has increased from 35% to over 90% according to Chrome stats:

The efforts of hosting companies like SiteGround that provide Let’s Encrypt SSLs to users also play a big role in the mass adoption of encryption. However, as good as a 90% adoption may seem, the above graph also shows something troubling. It took more than three years to achieve this goal. This is too much time! We, who gathered in Chicago, are on the front line of the security battle. Encryption is great, but it doesn’t solve all the issues. Sites still get hacked. CMS platforms have suffered major security issues in recent years. Third-party plugins and themes are exploited every day. Vulnerabilities aren’t properly disclosed. The list goes on and on.

So, how do we protect as many sites as possible, as fast as possible?

During the event, the security community identified four main areas that need action.

1. Third-Party Components and Integrity Control

As a hosting company, we have seen first-hand that the majority of the security issues are caused by vulnerabilities introduced by add-on plugins, modules, and themes that are not part of the core platform codebase.

In 2018, SiteGround wrote 250 new custom WAF rules addressing these issues. We are aware that not every hosting company has the resources to monitor security bulletins, analyze issues, compare patches, review code, and write WAF rules. The ultimate goal is not to fight similar issues with firewall rules (after all, there are hundreds of thousands of plugins, modules, themes, and extensions for all the CMS platforms out there) but to prevent them from occurring in the first place.

We identified the following areas that need work to better protect websites:

• Better code review procedures for plugins/themes
• Implementation of static code analysis
• Packages signing to improve the authenticity of the CMS/plugins/themes and their integrity
• Security certification programs for extensions developers

2. Vulnerability Disclosures and Rewards

Two main issues were identified.

Although there is some consensus about the best practices for disclosing software vulnerabilities, there are actually no widely-accepted official standards.

Recently, the official working group that creates PHP standards (https://www.php-fig.org) has reopened their work on two documents with recommendations (PSR 9 and PSR 10) that aim to solve this problem. As soon as the final drafts are ready, the community will publish them. We hope that a big percentage of CMS platforms will adopt these standards. This way, the process by which issues are reported and fixed will be improved as well how the public is informed.

The second problem is that most of the platforms out there currently do not have bounty programs to reward people for responsibly disclosing security vulnerabilities. This has to change. However, since many of the open-source CMS platforms operate as non-profit organizations, this will be hard to achieve.

3. Automatic Updates

When a security problem is found, it is essential to fix the code ASAP. However, not everyone has the same sense of urgency. This is an even bigger problem for the most popular CMS platforms like WordPress, Drupal, Joomla!, etc. with millions of sites on the internet?

The answer is automatic updates. Right now, WordPress is the only CMS that offers automatic updates. Here at SiteGround, we believe that the ultimate goal is to have every CMS and all its plugins and themes are automatically updated with each new release. Our experience with routine massive automatic updates for our WordPress and Joomla! users have shown that when automatic updates are enabled by default, the number of hacked sites is drastically reduced. The Google Chrome browser is also automatically updated. It is only a matter of time before this too becomes a major selling point for CMS platforms.

An idea was born in Chicago. The group will work on developing a standard for automatic updates. This way, developers of certain platforms will be able to come up with their own implementation, while remaining compliant with the standard.

4. Sharing Knowledge and Tools

Security is a process. It’s not a goal you reach once and then forget about it. Every process is improved by using the right tools for the job. Right now, shared tools are not something you see often. When it comes to security, companies use proprietary tools, outsource certain tasks to third-party companies, and do not share information with other organizations. To protect the web at scale, we need to work together. We need to share information and come up with open source tools that everyone can use and can contribute to.

There are two good examples of this coming from the WordPress and Joomla! communities. The Joomla! security team sends mod_security WAF rules to hosting companies when a new security release is available. Those rules are tested by the Joomla! security team and they can be instantly applied on servers to protect site owners. This way the site owners have a safe window to update their sites. The WordPress security team also closely works with hosts when security releases are available. They do a great job keeping 1/3 of the internet safe and updated. WordPress hosts also frequently share WAF rules to protect users.

The need for tools is obvious. We will see more and more tools emerging within the next couple of years.

I am really glad I went to Chicago last week. The event was just the beginning of something amazing.  After only a week, there is a shared 15-pages document full of ideas that are being actively discussed. A working group will soon be formed and action items are being set as I write this blog post. I can’t share any more details, but I can say over the next few months, the security community will be very busy.

When I was in Chicago I saw the following on TV:

In extreme temperatures, it doesn’t take long to get hurt. This picture perfectly illustrates what happens to a website when it is unprotected for even very a short period of time. It will be hacked. SiteGround is committed to protecting all sites on our servers. For us, this is a basic right for every website owner. I am excited to be part of the community  making this happen.