Joomla Security Team Sprint, Cologne, May 2018

I guess we all agree that it’s one of Joomla’s key priorities to offer software that is as secure as possible, as this plays a crucial role in the user’s experience running Joomla: a hacked user is a very unhappy user.

Joomla has always taken security seriously by running a dedicated developer team, the Joomla Security Strike Team (JSST). This team, currently consisting of 14 members, has three main tasks:

  1. Handle incoming security reports: triage reported issues, develop and test patches, communicate with reporters and other teams
  2. Improve Joomla’s architectural security by pushing forward new security technologies
  3. Actively look for issues in the codebase: by reviewing existing and new parts of the code, we try not to rely solely on external reports but also take an active role

In May 2018, the team had its very first in-person code sprint in Cologne, following the international J&Beyond conference. Besides some implicit team building that just naturally happened while spending time together, we also tackled 3 areas very specifically:

  1. Prepared statements: Joomla has a rather unlucky track record in terms of SQL injection issues, mainly caused by the fact that the database API did not expose any possibility to use the well-established technique of so-called “prepared statements”. With Joomla 4 coming closer, we wanted to make sure that prepared statements finally make it into core.
  2. Content-Security-Policy: the other main issue besides SQL injection is the so-called Cross-Site-Scripting issue (XSS). These are mainly caused by Joomla’s design, using plain PHP as the templating engine and therefore relying on the developer to actively secure each and every user-provided input before outputting it in the site’s markup. Content-Security-Policy (CSP) is a
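
To make the point of item 1 concrete, here is an added example (it is not Joomla’s own database API, and the table, rows and input are constructed for the example) showing the same lookup written with string concatenation and with a prepared statement, using plain PDO on an in-memory SQLite database so it runs without Joomla:

```php
<?php
// Added example, not Joomla's code: string concatenation versus a PDO
// prepared statement. The database, table and rows are constructed here.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('o''brien')");

// Vulnerable form: the user's input becomes part of the SQL text, so any
// quote in the input changes the structure of the statement. This is the
// class of SQL injection issue the post refers to.
function findUserConcat(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the statement is compiled with a placeholder and the value
// is bound afterwards, so the input is always treated as data, never as SQL.
function findUserPrepared(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A perfectly legitimate username containing a quote is enough to show the
// difference: the concatenated query is no longer valid SQL, while the
// prepared statement returns the matching row.
$input = "o'brien";
try {
    var_dump(findUserConcat($pdo, $input));
} catch (PDOException $e) {
    echo 'concatenated query failed: ', $e->getMessage(), PHP_EOL;
}
var_dump(findUserPrepared($pdo, $input));
```

The same separation of SQL text from bound values is what a prepared-statement API in core gives extension developers; the input that only breaks syntax here is the same mechanism by which crafted input would alter the query, which is why the fix is structural rather than a matter of escaping each value by hand.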

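As an added example for item 2 (not Joomla’s code; the page-rendering function, the `e()` escaping helper and the sample comment are constructed for illustration), the following shows the two layers that address XSS in a plain-PHP template: escaping every user-provided value at output time, and sending a nonce-based Content-Security-Policy header so that only scripts the server intentionally emitted are allowed to run:

```php
<?php
// Added example, not Joomla's code: output escaping plus a nonce-based
// Content-Security-Policy header. Names and sample input are constructed.
declare(strict_types=1);

// Escape untrusted text for use in an HTML text node or attribute value.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Build a CSP that allows same-origin resources by default and only runs
// <script> elements carrying this response's nonce; inline handlers and
// injected <script> tags without the nonce are blocked by the browser.
function buildCsp(string $nonce): string
{
    return "default-src 'self'; script-src 'nonce-{$nonce}'; object-src 'none'; base-uri 'self'";
}

// Render a page that includes a user-provided comment. The comment is
// escaped, so any markup in it is shown as text rather than interpreted.
function renderPage(string $comment, string $nonce): string
{
    $safeComment = e($comment);
    $safeNonce = e($nonce);
    return <<<HTML
<!doctype html>
<html>
<head><meta charset="utf-8"><title>Comments</title></head>
<body>
<p class="comment">{$safeComment}</p>
<script nonce="{$safeNonce}">console.log('trusted script ran');</script>
</body>
</html>
HTML;
}

// One fresh random nonce per response; never reuse it across requests.
$nonce = base64_encode(random_bytes(16));

// Constructed sample input containing markup, as a visitor might submit it.
$comment = '<b>Hello</b> & "friends"';

header('Content-Security-Policy: ' . buildCsp($nonce));
echo renderPage($comment, $nonce);
```

Escaping keeps user data from becoming markup in the first place; the CSP header is the second line of defence for the cases a developer missed, which is why the post treats it as an architectural measure rather than a replacement for escaping. In Joomla’s own templates the escaping step is the responsibility of the template author, as the paragraph above notes.
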