Security

From WikiSym 2008


Wiki Security

We discussed what we mean by wiki security and what we needed of it. A summary of the issues is:

  • access control
  • bugs
  • information security compliance

We also discussed a little on how to test for security issues.

Alex (User:Kensanata) argued against Big Brother solutions and explained his spam fighting strategy: The idea is to always spend less time on it than the spammer. Always. If spammers drag you into an arms race, you just invest the minimal amount of energy to solve the problem. Avoid burnout at all cost.

See also Research Paper Security of Community Developed and 3rd party Wiki Plug-ins.

Access Control

Access control is not considered to be "the wiki way" but it is generally required in corporate environments. Examples of desired access control included:

  • control of who can edit a page separately from who can modify the page (essentially using the wiki for content management).
  • a desire to have workflow/moderation applied to only some users, for example so that some users (external?) can make edits, but those edits are not published until they have been approved.
  • control of who can access the wiki at all (e.g. corporate single sign-on required, whether on the internal network or the Internet).
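The three requirements above, worked through as an added example rather than anything from the discussion or from a real wiki engine: a small policy model with separate view and edit rights, an authentication check standing in for single sign-on, and a moderation queue so that external contributors' edits stay unpublished until a moderator approves them. All names and group labels are assumptions.

```python
"""Minimal wiki access-control model (constructed illustration, not any
real wiki engine's code): separate view/edit rights, SSO-style
authentication requirement, and a moderation queue for external users."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset          # e.g. {"staff"}, {"external"}, {"moderator"}
    authenticated: bool = True  # False models a visitor without SSO


@dataclass
class Page:
    title: str
    content: str = ""
    view_groups: frozenset = frozenset({"staff"})  # who may read the page
    edit_groups: frozenset = frozenset({"staff"})  # who may publish directly
    pending: dict = field(default_factory=dict)    # rev_id -> (author, text)
    next_rev: int = 1


class AccessDenied(Exception):
    pass


def can_view(user, page):
    # Unauthenticated visitors never see anything, regardless of groups.
    return user.authenticated and bool(user.groups & page.view_groups)


def can_edit(user, page):
    return can_view(user, page) and bool(user.groups & page.edit_groups)


def submit_edit(user, page, text):
    """Editors publish immediately; external contributors who can view the
    page get their edit queued. Returns ("published", None) or ("pending", id)."""
    if not can_view(user, page):
        raise AccessDenied(f"{user.name} may not access {page.title}")
    if can_edit(user, page):
        page.content = text
        return ("published", None)
    if "external" in user.groups:
        rev = page.next_rev
        page.next_rev += 1
        page.pending[rev] = (user.name, text)
        return ("pending", rev)
    raise AccessDenied(f"{user.name} may not edit {page.title}")


def approve(moderator, page, rev_id):
    """Only moderators move a queued revision into the published content."""
    if "moderator" not in moderator.groups:
        raise AccessDenied(f"{moderator.name} is not a moderator")
    _author, text = page.pending.pop(rev_id)
    page.content = text
    return page.content
```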

Bugs

All software has bugs, and some of the bugs will be "security" bugs or vulnerabilities. Note that certain types of vulnerabilities will undermine access control (see above) and may compromise information (see below).

One question was "how to test for security bugs?". The following two books are quite useful for anyone wanting to do security testing of software (no relationship to authors or publishers; links are not sponsored referrals).

Book: The Art of Software Security Testing

http://www.softwaresecuritytesting.com/

This book is useful for someone who is used to testing software (e.g. QA testing) and wishes to extend their range of testing to include security issues. The emphasis is on testing rather than analysing code (see below for that).

Book: The Art of Software Security Assessment

http://taossa.com/

This is a large and reasonably comprehensive text; it is not for the faint-hearted. It covers in some detail the types of coding errors that result in security vulnerabilities; some of these cases are very esoteric, so this is not a book for beginners. However, the book is targeted at people who write and/or review code; for such people it is far more comprehensive than the one above.

Compliance

Regulations like HIPAA, PCI, etc. require that certain types of information are afforded certain types of protection. Wikis (and in particular application wikis) make it very easy for a user to enter data that the wiki does not adequately protect. This is likely to require user education about the types of data they handle, rather than a technological solution.
