Best Practices around Alfresco Security
Phil Meadows & Toni de la Fuente
11th October 2017 - Tech Talk Live #110
Topics
● Who We Are
● Responsible Disclosure
● Product Security Processes and Policies
● Security Deployment Best Practices
● Hardening
● Backup and Disaster Recovery
Phil Meadows - Security Director
• 20 years experience in the field of software engineering and operations in a mixture of technical and leadership roles.
• Joined Alfresco in 2014 working in the DevOps team.
• Security Director since July 2017
Toni de la Fuente - Lead Security Operations - Senior Cloud Security Architect
• Old timer Alfrescan
• Senior Solutions Engineer -> Principal Solutions Engineer -> Senior Cloud Security Architect -> Lead Security Operations
• Alfresco Security Best Practices Guide
• Alfresco Backup and Disaster Recovery Whitepaper
• Alfresco BART
• Prowler
• phpRADmin
• Blyx.com
• …
Responsible Disclosure
• What is it?
• Why do we need one?
• Status
Vulnerability Reporting
Product Security
1. People - Security aware Engineers
2. Tools - Automated and Manual Security Analysis
3. Processes and Policies - Response, Classification, Standards
People
• Secure Coding Workshop.
– Hosted by 3rd Party
– 4 day course
– Covers basics of Web Application Security
– OWASP Top 10 (2017 edition on its way!)
• Regular Updates
– Brown Bag Sessions
– Lightning talks in Engineering meetups
• Virtual Secure Coding Expert Team
• Architectural Decision Records
Product Development - Security Touchpoints
Architecture -> Engineers IDE -> Source Code Repository -> Build Pipeline -> Release Process
Architecture
• Relies on People
• Security Concerns considered up front
• Architectural Decision Records
• Secure Coding Experts
Engineers IDE
• No company-wide agreed tools/solutions yet.
• Sooner found, sooner fixed.
• Good training tool.
Source Code Repository
• Pull Request Integration.
• No solution found yet, investigating LGTM https://lgtm.com/
• Free for open source projects.
– GitHub integration
– Currently no GitLab integration
• Security scan at pull request
• Historical security metrics
Build Pipeline
• SonarQube https://www.sonarqube.org/
• Triggered by Maven goal
• Code Quality good for Security
• OWASP plugin - Security Dashboard
Release Process
• VeraCode https://www.veracode.com/
– Scan Binaries
– Extensive Reports
– Heavyweight
• Third Party Penetration Testing
– Manual and Automated security scans
– Against a cloud hosted running environment
Security Issue Classification
• CVSS - Common Vulnerability Scoring System
– https://www.first.org/cvss/
– https://www.first.org/cvss/calculator/3.0
• Gives a numeric score that we convert to a security level against which the engineering teams have agreed response targets.
• Three security levels
– High - Patch or hotfix
– Medium - Hotfix or service pack depending on support level
– Low - Included in next scheduled release
Security Deployment Best Practices
What to do?
• Keep security triad in mind:
– Confidentiality
– Integrity
– Availability
Solution also matters
• Single tier or multi-tier
• On-prem or in a cloud provider?
Alfresco CS Security Checklist
Hardening: Network and Operating System
• Network
– Firewalls, IDS, IPS, APT, Web Application Firewalls, Antiviruses, DDoS/DoS protection devices.
• OS
– RedHat, Ubuntu, Suse
– Solaris
– Windows Server
• File permissions
– alfresco-global.properties
– dir_root/contentstore
– dir_root/solr
– dir_root/lucene-indexes
• Minimum privileges
• Port redirect
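The file-permission and minimum-privilege items above name the files to protect but not how to check them. The following added example (not code from the deck or from Alfresco) audits a dir_root tree against a least-privilege policy and can apply it: alfresco-global.properties holds database and keystore credentials, so it should be readable by its owner only; contentstore and the index directories should grant nothing to "other"; and the service account should not be root. The tolerated modes in POLICY are an assumption, and the directory tree it audits is constructed in a temporary directory.

```python
"""Least-privilege audit for the files named on the Hardening slide.

Added example, not Alfresco code. POLICY is an ASSUMED baseline, not a
documented Alfresco value; build_sample_root() creates a CONSTRUCTED tree.
"""
import os
import stat
import tempfile

# Path (relative to dir_root) -> highest permission bits tolerated.
# ASSUMED policy: secrets owner-only, data directories with no access for "other".
POLICY = {
    "alfresco-global.properties": 0o600,
    "contentstore": 0o770,
    "solr": 0o770,
    "lucene-indexes": 0o770,
}


def mode_of(path):
    """Permission bits only (no file-type bits), without following symlinks."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_tree(dir_root, policy=POLICY):
    """Return [(relative path, finding)] for entries with bits beyond the policy.
    Missing entries are skipped: solr and lucene-indexes are alternatives."""
    findings = []
    for rel, max_mode in policy.items():
        path = os.path.join(dir_root, rel)
        if not os.path.exists(path):
            continue
        mode = mode_of(path)
        extra = mode & ~max_mode
        if extra:
            findings.append((rel, "mode %o exceeds %o (extra bits %o)"
                             % (mode, max_mode, extra)))
    return findings


def audit_service_account(uid):
    """'Never run as root': the JVM running Alfresco needs a dedicated uid."""
    return ["service runs as uid 0 (root)"] if uid == 0 else []


def harden(dir_root, policy=POLICY):
    """Clear every bit the policy does not allow. Returns the paths changed."""
    changed = []
    for rel, max_mode in policy.items():
        path = os.path.join(dir_root, rel)
        if os.path.exists(path) and mode_of(path) & ~max_mode:
            os.chmod(path, mode_of(path) & max_mode)
            changed.append(rel)
    return changed


def build_sample_root():
    """CONSTRUCTED dir_root showing the common misconfiguration: a world-readable
    properties file holding a password and a world-writable content store."""
    root = tempfile.mkdtemp(prefix="alf_")
    props = os.path.join(root, "alfresco-global.properties")
    with open(props, "w") as fh:
        fh.write("db.username=alfresco\ndb.password=CONSTRUCTED-SAMPLE\n")
    os.chmod(props, 0o644)
    for d in ("contentstore", "solr"):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), 0o777)
    return root


if __name__ == "__main__":
    root = build_sample_root()
    for rel, finding in audit_tree(root):
        print("BEFORE:", rel, finding)
    print("changed:", harden(root))
    print("AFTER:", audit_tree(root) or "clean")
    print("uid check:", audit_service_account(os.getuid()) or "not root")
```

Run it against the real dir_root with the uid the Tomcat process runs under; a reported extra bit of 0o004 on alfresco-global.properties means every local account can read the database password.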
Firewall: Inbound ports
Protocol/Service | Port | TCP/UDP | IN/OUT | Active | Comments
HTTP | 8080 | TCP | IN | Yes | WebDAV included
FTP | 21 | TCP | IN | Yes | Passive mode
SMTP | 25 | TCP | IN | No |
CIFS | 137,138 | UDP | IN | Yes |
CIFS | 139,445 | TCP | IN | Yes |
IMAP | 143 or 993 | TCP | IN | No |
SharePoint Protocol | 7070 | TCP | IN | Yes |
Tomcat Admin | 8005 | TCP | IN | Yes | Unless necessary, do not open this port at the firewall
Tomcat AJP | 8009 | TCP | IN | Yes | Unless necessary, do not open this port at the firewall
SOLR Admin | 8443 | TCP | IN | Yes | If used to administer Solr, the certificate has to be installed in the browser. Otherwise, take into account that when using a dedicated index server the Alfresco repository server must have access to this port, IN and OUT
NFS | 111,2049 | TCP/UDP | IN | No | This is the repository NFS service (NFS as VFS)
RMI | 50500-50507 | TCP | IN | Yes | Used for JMX management. Unless necessary, do not open this port at the firewall
Hazelcast | 5701 | TCP | IN | No | Used by Hazelcast to exchange information between cluster nodes from 4.2
JGroups | 7800 | TCP | IN | No | Cluster discovery between nodes before 4.2
JGroups | 7801-7802 | TCP | IN | No | Ehcache RMI traffic between cluster nodes before 4.2
OpenOffice/JODConverter | 8100 | TCP | IN | Yes | Listens on localhost; do not open it at the firewall
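The inbound table mixes three kinds of rows: ports meant to be reachable, ports that are active but must stay behind the firewall (8005, 8009, 8100, the 50500-50507 JMX range), and services listed as not active. The following added example (not code from the deck or from Alfresco) transcribes those rows into a policy and checks a host's listening sockets against it, flagging a "do not open" service bound to all interfaces, a supposedly inactive service that is listening, and any listener the table does not mention. The `ss -tlnp` rows it parses are constructed sample output, not a capture from a real server, and the exposure labels are my reading of the table's Comments column.

```python
"""Audit listening TCP sockets against the Alfresco inbound-port table.

Added example, not Alfresco code. POLICY transcribes the table; SAMPLE_SS is
CONSTRUCTED `ss -tlnp` output.
"""
import re

# Port -> (service, exposure). Exposure derived from the table's Active/Comments:
#   "public"     Active=Yes, no restriction in the comments
#   "local"      "do not open this port at the firewall" / localhost only
#   "restricted" reachable only from named peers (repository <-> index server)
#   "off"        Active=No
POLICY = {
    8080: ("HTTP / WebDAV", "public"),
    21: ("FTP", "public"),
    25: ("SMTP inbound", "off"),
    137: ("CIFS", "public"), 138: ("CIFS", "public"),
    139: ("CIFS", "public"), 445: ("CIFS", "public"),
    143: ("IMAP", "off"), 993: ("IMAP", "off"),
    7070: ("SharePoint Protocol", "public"),
    8005: ("Tomcat Admin", "local"),
    8009: ("Tomcat AJP", "local"),
    8443: ("SOLR Admin", "restricted"),
    111: ("NFS", "off"), 2049: ("NFS", "off"),
    5701: ("Hazelcast", "off"),
    7800: ("JGroups", "off"), 7801: ("JGroups", "off"), 7802: ("JGroups", "off"),
    8100: ("OpenOffice/JODConverter", "local"),
}
for _p in range(50500, 50508):
    POLICY[_p] = ("RMI/JMX", "local")

# CONSTRUCTED sample of `ss -tlnp` output (header line omitted).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("java",pid=1201,fd=88))
LISTEN 0 1 127.0.0.1:8005 0.0.0.0:* users:(("java",pid=1201,fd=90))
LISTEN 0 100 0.0.0.0:8009 0.0.0.0:* users:(("java",pid=1201,fd=91))
LISTEN 0 50 *:8100 *:* users:(("soffice.bin",pid=1350,fd=12))
LISTEN 0 128 [::]:50500 [::]:* users:(("java",pid=1201,fd=95))
LISTEN 0 50 0.0.0.0:25 0.0.0.0:* users:(("java",pid=1201,fd=99))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=800,fd=3))
"""


def parse_ss(output):
    """Yield (bind_host, port, process name) for each LISTEN row."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")   # handles [::]:50500 too
        m = re.search(r'\("([^"]+)"', line)
        yield host, int(port), (m.group(1) if m else "?")


def is_loopback(host):
    return host in ("[::1]", "::1") or host.startswith("127.")


def audit_listeners(ss_output, policy=POLICY):
    """Return [(port, category, message)] for listeners that violate the table."""
    findings = []
    for host, port, proc in parse_ss(ss_output):
        if port not in policy:
            findings.append((port, "unknown",
                             "%s is not in the Alfresco port list; review" % proc))
            continue
        service, exposure = policy[port]
        if exposure == "off":
            findings.append((port, "inactive-listening",
                             "%s (%s) is listed as not active but is listening" % (service, proc)))
        elif exposure == "local" and not is_loopback(host):
            findings.append((port, "local-exposed",
                             "%s bound to %s; bind to 127.0.0.1 or block at the firewall" % (service, host)))
        elif exposure == "restricted" and not is_loopback(host):
            findings.append((port, "restrict",
                             "%s: limit at the firewall to the repository/index servers" % service))
    return findings


if __name__ == "__main__":
    for port, category, message in audit_listeners(SAMPLE_SS):
        print("%-6d %-18s %s" % (port, category, message))
```

In the sample, 8005 passes because it is bound to 127.0.0.1, while 8009, 8100 and 50500 are flagged: they are active services per the table, but bound to every interface they depend entirely on the firewall rule the table tells you to keep closed.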
Firewall: Outbound ports
Protocol/Service | Port | TCP/UDP | IN/OUT | Active | Comments
SMTP | 25 | TCP | OUT | No | If you want Alfresco to send notifications, invitations, tasks, etc., open this port from Alfresco to your corporate MTA
DB – PostgreSQL | 5432 | TCP | OUT | Yes* | Depends on the DB
DB – MySQL | 3306 | TCP | OUT | Yes* | Depends on the DB
DB – MS SQL Server | 1433 | TCP | OUT | Yes* | Depends on the DB
DB – Oracle | 1521 | TCP | OUT | Yes* | Depends on the DB
DB – DB2 | 50000 | TCP | OUT | Yes* | Depends on the DB
LDAP or AD | 396 | TCP | OUT | No | If needed for authentication and synchronization
LDAPS or AD | 636 | TCP | OUT | No | If needed for authentication and synchronization
docs.google.com | 443 | TCP | OUT | No |
JGroups | 7800-7802 | TCP | OUT | No | If clustered before 4.2, only between nodes
Hazelcast | 5701 | TCP | IN | No | Used by Hazelcast to exchange information between cluster nodes from 4.2, only between nodes
Remote storage NFS | 111,2049 | TCP/UDP | OUT | No | If a remote NFS drive is used as contentstore
Remote storage CIFS | 137,138 (UDP); 139,145 (TCP) | UDP/TCP | OUT | No | If a remote CIFS drive is used as contentstore
Amazon S3 | 443 | TCP | OUT | No | In case Alfresco is deployed in AWS and Amazon S3 is used as contentstore
Alfresco Transformation Server | 80,443 or 8080,8443 | TCP | OUT | No | In case a remote Alfresco Transformation Server is used
Alfresco FSTR | 8080 | TCP | OUT | No | In case of using a remote Alfresco File System Transfer Receiver
Alfresco Remote Server | 8080 or 8443 | TCP | OUT | No | In case of using Alfresco Replication Service between Alfresco servers
Kerberos | 88 | TCP/UDP | OUT | No | In case Kerberos SSO is required
Third Party SSO | 443 | TCP | OUT | No | Third party SSO services
DNS | 53 | UDP | OUT | Yes | Name resolution service
Alfresco Implementation Best Practices
Best Practices 1
• Stay current
– Service Packs, HF
• Never run as root
• Switch to SSL
– HTTPS (Share, WebDAV, API, etc.)
– App Server, Web Server, Appliance
– SharePoint Protocol
– IMAPS
– SMTP Inbound TLS
– SMTP Outbound TLS
– FTPS
– LDAPS connection
– DB Connection
• Permissions inheritance
• Custom roles
• Review your logs
• Change JMX default credentials
• Change keystore password
Best Practices 2
• Audit
– Enable it if needed
– Easy to query audit records with curl
– Easier in RM
• Alfresco Support Tools
– Get to know connected users, among other tools
• Get to know how to reset the admin password
• Control ticket session duration
• Disable unneeded services
• Disable guest user
Best Practices 3
• Encrypt configuration properties if needed
• Mitigating brute force attacks on user passwords
– Use bcrypt
• Third party auth system / Federated
Alfresco Share Security
• Cross-Site Request Forgery (CSRF) filters
• Clickjacking mitigation
• Iframes and phishing attack mitigation
• Share HTML processing black/white list
• Site creation control
• Filter document actions by user or role
• Filter workflow by user or role
• Change default Share session timeout
Backup and Disaster Recovery
• Backup, Archiving, Disaster Recovery
• Why?
• Business impact
• RPO (time between backups) and RTO (time taken to restore)
Backup Procedure and Methods (+ Install, + Config, + Custom)
• What to backup?
– Static / Dynamic
– Order
• Types
– Cold
– Warm
– Hot
Backup order:
1. Index (index+cache)
2. DB
3. Content Store
What about Zero-Downtime?
Restore
Procedure
1. Installation
2. Configuration
3. Customization
4. DB
5. Content Store
6. Indexes
Best Practices: content deletion
• Node deletion lifecycle
• Why is it important?
• Delete content when it is deleted
• Trashcan cleaner
• Records Management
• Wipe content
More about node deletion
Thanks!
Toni de la Fuente @ToniBlyx
Phil Meadows @meadowsp99

A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 

Recently uploaded (20)

🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 

TTL Alfresco Product Security and Best Practices 2017

11. Source Code Repository
• Pull Request Integration.
• No solution found yet, investigating LGTM https://lgtm.com/
• Free for open source projects.
– GitHub integration
– Currently no GitLab integration
• Security scan at pull request
• Historical security metrics
12. Build Pipeline
• SonarQube https://www.sonarqube.org/
• Triggered by Maven goal
• Code quality is good for security
• OWASP plugin - Security Dashboard
13. Release Process
• VeraCode https://www.veracode.com/
– Scan binaries
– Extensive reports
– Heavyweight
• Third Party Penetration Testing
– Manual and automated security scans
– Against a cloud hosted running environment
14. Security Issue Classification
• CVSS - Common Vulnerability Scoring System
– https://www.first.org/cvss/
– https://www.first.org/cvss/calculator/3.0
• Gives a numeric score that we convert to a security level; for each level the engineering teams have agreed response targets.
• Three security levels
– High - Patch or hotfix
– Medium - Hotfix or service pack, depending on support level
– Low - Included in the next scheduled release
16. What to do?
• Keep the security triad in mind:
– Confidentiality
– Integrity
– Availability
17. Solution also matters
• Single tier or multi-tier
• On-prem or in a cloud provider?
20. Network and Operating System
• Network
– Firewalls, IDS, IPS, APT, Web Application Firewalls, antivirus, DDoS/DoS protection devices
• OS
– RedHat, Ubuntu, Suse
– Solaris
– Windows Server
• File permissions
– alfresco-global.properties
– dir_root/contentstore
– dir_root/solr
– dir_root/lucene-indexes
• Minimum privileges
• Port redirect
21. Firewall: Inbound ports

| Protocol/Service | Port | TCP/UDP | IN/OUT | Active | Comments |
|---|---|---|---|---|---|
| HTTP | 8080 | TCP | IN | Yes | WebDAV included |
| FTP | 21 | TCP | IN | Yes | Passive mode |
| SMTP | 25 | TCP | IN | No | |
| CIFS | 137, 138 | UDP | IN | Yes | |
| CIFS | 139, 445 | TCP | IN | Yes | |
| IMAP | 143 or 993 | TCP | IN | No | |
| SharePoint Protocol | 7070 | TCP | IN | Yes | |
| Tomcat Admin (shutdown port) | 8005 | TCP | IN | Yes | Unless necessary, do not open this port at the firewall |
| Tomcat AJP | 8009 | TCP | IN | Yes | Unless necessary, do not open this port at the firewall |
| SOLR Admin | 8443 | TCP | IN | Yes | If used to administer Solr, the client certificate has to be installed in the browser. With a dedicated index server, the Alfresco repository server must have access to this port, IN and OUT |
| NFS | 111, 2049 | TCP/UDP | IN | No | The repository's own NFS service (VFS) |
| RMI | 50500-50507 | TCP | IN | Yes | Used for JMX management. Unless necessary, do not open these ports at the firewall |
| Hazelcast | 5701 | TCP | IN | No | Used by Hazelcast to exchange information between cluster nodes, from 4.2 |
| JGroups | 7800 | TCP | IN | No | Cluster discovery between nodes, before 4.2 |
| JGroups | 7801-7802 | TCP | IN | No | Ehcache RMI traffic between cluster nodes, before 4.2 |
| OpenOffice/JODConverter | 8100 | TCP | IN | Yes | Listens on localhost; do not open it at the firewall |
22. Firewall: Outbound ports

| Protocol/Service | Port | TCP/UDP | IN/OUT | Active | Comments |
|---|---|---|---|---|---|
| SMTP | 25 | TCP | OUT | No | If you want Alfresco to send notifications, invitations, tasks, etc., open this port from Alfresco to your corporate MTA |
| DB - PostgreSQL | 5432 | TCP | OUT | Yes* | Depends on the DB in use |
| DB - MySQL | 3306 | TCP | OUT | Yes* | Depends on the DB in use |
| DB - MS SQL Server | 1433 | TCP | OUT | Yes* | Depends on the DB in use |
| DB - Oracle | 1521 | TCP | OUT | Yes* | Depends on the DB in use |
| DB - DB2 | 50000 | TCP | OUT | Yes* | Depends on the DB in use |
| LDAP or AD | 389 | TCP | OUT | No | If needed for authentication and synchronization |
| LDAPS or AD | 636 | TCP | OUT | No | If needed for authentication and synchronization |
| docs.google.com | 443 | TCP | OUT | No | |
| JGroups | 7800-7802 | TCP | OUT | No | If clustered, before 4.2; only between nodes |
| Hazelcast | 5701 | TCP | OUT | No | Used by Hazelcast to exchange information between cluster nodes, from 4.2; only between nodes |
| Remote storage NFS | 111, 2049 | TCP/UDP | OUT | No | If a remote NFS drive is used as contentstore |
| Remote storage CIFS | 137, 138 | UDP | OUT | No | If a remote CIFS drive is used as contentstore |
| Remote storage CIFS | 139, 445 | TCP | OUT | No | If a remote CIFS drive is used as contentstore |
| Amazon S3 | 443 | TCP | OUT | No | In case Alfresco is deployed in AWS and Amazon S3 is used as contentstore |
| Alfresco Transformation Server | 80, 443 or 8080, 8443 | TCP | OUT | No | In case a remote Alfresco Transformation Server is used |
| Alfresco FSTR | 8080 | TCP | OUT | No | In case of using a remote Alfresco File System Transfer Receiver |
| Alfresco Remote Server | 8080 or 8443 | TCP | OUT | No | In case of using the Alfresco Replication Service between Alfresco servers |
| Kerberos | 88 | TCP/UDP | OUT | No | In case Kerberos SSO is required |
| Third Party SSO | 443 | TCP | OUT | No | Third party SSO services |
| DNS | 53 | UDP | OUT | Yes | Name resolution service |

* Open only the port of the database actually in use.
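A check to run on the host against the inbound table, added here as an example (not code from the talk): parse the output of `ss -ltn` and flag listeners that the table says should stay closed at the firewall (Tomcat shutdown and AJP, JMX/RMI, JODConverter) when they are bound to a non-loopback address, plus anything listening that the table does not account for. The sample `ss` output is constructed, and the grouping of ports into public, local-only and trusted-only is this example's reading of the Comments column.

```python
"""Audit listening TCP sockets against the talk's inbound-port table.

Added example, not code from the talk. Parses `ss -ltn` output (Linux,
iproute2). SAMPLE_SS is constructed, not captured from a real server, and
the PUBLIC_OK / LOCAL_ONLY / TRUSTED_ONLY grouping is this example's reading
of the table's Comments column.
"""
import re

# Ports the table marks as normally exposed to clients.
PUBLIC_OK = {8080: "HTTP / WebDAV", 21: "FTP", 7070: "SharePoint Protocol",
             137: "CIFS", 138: "CIFS", 139: "CIFS", 445: "CIFS"}
# Ports the table says to keep closed at the firewall unless necessary.
LOCAL_ONLY = {8005: "Tomcat shutdown", 8009: "Tomcat AJP", 8100: "JODConverter"}
LOCAL_ONLY.update({p: "JMX / RMI" for p in range(50500, 50508)})
# Ports only an administrator or a dedicated index server should reach.
TRUSTED_ONLY = {8443: "Solr admin"}

# One `ss -ltn` row: State Recv-Q Send-Q Local:Port Peer:Port [Process]
SS_ROW = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+")
LOOPBACK = {"127.0.0.1", "::1"}


def parse_listeners(ss_output):
    """[(local_address, port), ...] for every LISTEN row; the header line
    and anything that is not a listening socket are ignored."""
    listeners = []
    for line in ss_output.splitlines():
        m = SS_ROW.match(line.strip())
        if m:
            addr = m.group(1).strip("[]")          # ss prints IPv6 as [::]:port
            listeners.append((addr, int(m.group(2))))
    return listeners


def is_loopback(addr):
    return addr in LOOPBACK or addr.startswith("127.")


def audit(listeners):
    """[(port, verdict, detail), ...] sorted by port.
    EXPOSED  - a local-only port is reachable from the network
    RESTRICT - a trusted-only port is reachable; limit it to the index server
    UNKNOWN  - a listener the inbound table does not account for"""
    findings = []
    for addr, port in listeners:
        if is_loopback(addr):
            continue                               # loopback binding: fine for any port
        if port in LOCAL_ONLY:
            findings.append((port, "EXPOSED", LOCAL_ONLY[port]))
        elif port in TRUSTED_ONLY:
            findings.append((port, "RESTRICT", TRUSTED_ONLY[port]))
        elif port not in PUBLIC_OK:
            findings.append((port, "UNKNOWN", "not in the inbound table"))
    return sorted(findings)


# Constructed sample of `ss -ltn` output, not from a real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      100    0.0.0.0:8080        0.0.0.0:*
LISTEN 0      1      127.0.0.1:8005      0.0.0.0:*
LISTEN 0      100    0.0.0.0:8009        0.0.0.0:*
LISTEN 0      128    *:50500             *:*
LISTEN 0      100    [::]:8443           [::]:*
LISTEN 0      128    127.0.0.1:8100      0.0.0.0:*
LISTEN 0      128    0.0.0.0:5901        0.0.0.0:*
"""

if __name__ == "__main__":
    for port, verdict, detail in audit(parse_listeners(SAMPLE_SS)):
        print("%-8s %-6d %s" % (verdict, port, detail))
```

Run it with `ss -ltn | python3 audit_ports.py` after replacing the sample with `sys.stdin.read()`; a clean host produces no output. Binding the Tomcat shutdown port and AJP connector to 127.0.0.1 in server.xml is the fix the table implies, and it makes the firewall rule a second layer rather than the only one.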
24. Best Practices 1
• Stay current
– Service Packs, HF
• Never run as root
• Switch to SSL/TLS
– HTTPS (Share, WebDAV, API, etc.)
– App server, web server, appliance
– SharePoint Protocol
– IMAPS
– SMTP inbound TLS
– SMTP outbound TLS
– FTPS
– LDAPS connection
– DB connection
• Permissions inheritance
• Custom roles
• Review your logs
• Change JMX default credentials
• Change keystore password
25. Best Practices 2
• Audit
– Enable it if needed
– Easy to query audit records with curl
– Easier in RM
• Alfresco Support Tools
– Get to know connected users, besides other tools
• Get to know how to reset the admin password
• Control ticket session duration
• Disable unneeded services
• Disable guest user
26. Best Practices 3
• Encrypt configuration properties if needed
• Mitigate brute-force attacks on user passwords
• Use bcrypt
• Third party auth system / Federated
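The three Best Practices slides above (24 to 26) reduce to a handful of configuration values, so here is an added example, not code from the talk or from Alfresco, that audits an alfresco-global.properties file and the JMX password file for them: HTTPS for repository and Share URLs, guest login off, audit on, tickets that expire and do not live too long, unneeded protocols off, no clear-text database password, and no role still on the shipped JMX password. Assumptions: the property names are the Alfresco Content Services 5.x ones (alfresco.protocol, share.protocol, alfresco.authentication.allowGuestLogin, audit.enabled, authentication.ticket.ticketsExpire, authentication.ticket.validDuration, ftp/cifs/nfs/imap.server.enabled, db.password); the ENC(...) form for encrypted values and the change_asap default in alfresco-jmxrmi.password are as documented for 5.2, and should be checked against the reference for your release. Both sample files are constructed.

```python
"""Hardening audit for alfresco-global.properties and alfresco-jmxrmi.password.

Added example, not code from the talk or from Alfresco. Property names are
the Alfresco Content Services 5.x ones; ENC(...) and the change_asap JMX
default are as documented for 5.2 (ASSUMPTIONS: verify for your release).
The sample files below are constructed.
"""
import re
from datetime import timedelta

ISO_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")
JMX_DEFAULT_SECRET = "change_asap"      # shipped for monitorRole and controlRole
PROTOCOL_SWITCHES = ("ftp.enabled", "cifs.enabled", "nfs.enabled", "imap.server.enabled")


def parse_properties(text):
    """Minimal Java .properties reader: comments, key=value or key: value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def parse_iso_duration(value):
    """'PT1H30M' -> timedelta; None when the value is not a PT... duration."""
    m = ISO_DURATION.match(value)
    if not m or not any(m.groups()):
        return None
    hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def audit(props, needed_services=(), max_ticket=timedelta(hours=1)):
    """[(level, property, detail), ...]. FAIL = a weak value is set;
    WARN = not set, so the shipped default decides. needed_services names
    protocols that must stay on, e.g. ("cifs",)."""
    findings = []

    def want(key, expected, why):
        val = props.get(key)
        if val is None:
            findings.append(("WARN", key, "not set; set it explicitly to %s" % expected))
        elif val.lower() != expected:
            findings.append(("FAIL", key, why))

    want("alfresco.protocol", "https", "repository URLs are generated over plain HTTP")
    want("share.protocol", "https", "Share URLs are generated over plain HTTP")
    want("alfresco.authentication.allowGuestLogin", "false", "guest login is enabled")
    want("audit.enabled", "true", "audit subsystem is disabled")
    want("authentication.ticket.ticketsExpire", "true", "login tickets never expire")
    for key in PROTOCOL_SWITCHES:                   # ftp / cifs / nfs / imap
        if key.split(".")[0] not in needed_services:
            want(key, "false", "protocol enabled but not in the needed-services list")
    duration = props.get("authentication.ticket.validDuration")
    if duration is not None:
        td = parse_iso_duration(duration)
        if td is None:
            findings.append(("WARN", "authentication.ticket.validDuration",
                             "could not parse %r" % duration))
        elif td > max_ticket:
            findings.append(("FAIL", "authentication.ticket.validDuration",
                             "ticket lifetime %s exceeds %s" % (duration, max_ticket)))
    password = props.get("db.password")
    if password is not None and not password.startswith("ENC("):
        findings.append(("FAIL", "db.password",
                         "database password in clear text; use the encrypted ENC(...) form"))
    return findings


def audit_jmx_passwords(text):
    """Flag roles in alfresco-jmxrmi.password that still carry the shipped secret."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and not parts[0].startswith("#") and parts[1] == JMX_DEFAULT_SECRET:
            findings.append(("FAIL", "jmx:" + parts[0],
                             "JMX role still uses the shipped default password"))
    return findings


# Constructed samples, not taken from a real installation.
SAMPLE_PROPERTIES = """\
# alfresco-global.properties (constructed)
db.password=alfresco
alfresco.protocol=http
share.protocol=https
alfresco.authentication.allowGuestLogin=true
ftp.enabled=true
cifs.enabled=true
imap.server.enabled=false
authentication.ticket.ticketsExpire=true
authentication.ticket.validDuration=PT8H
"""
SAMPLE_JMX = "monitorRole change_asap\ncontrolRole rotated-long-random-value\n"

if __name__ == "__main__":
    results = audit(parse_properties(SAMPLE_PROPERTIES), needed_services=("cifs",))
    for level, key, detail in results + audit_jmx_passwords(SAMPLE_JMX):
        print("%-4s %-42s %s" % (level, key, detail))
```

Treating "not set" as a WARN rather than a pass is deliberate: the shipped default for several of these switches has changed between releases, and a hardening baseline should state the secure value explicitly rather than depend on it.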
27. Alfresco Share Security
• Cross-Site Request Forgery (CSRF) filters
• Clickjacking mitigation
• Iframes and phishing attack mitigation
• Share HTML processing black/white list
• Site creation control
• Filter document actions by user or role
• Filter workflow by user or role
• Change default Share session timeout
29. Backup and Disaster Recovery
• Backup, Archiving, Disaster Recovery
• Why?
• Business impact
• RPO (how much data you can afford to lose, i.e. the time between backups) and RTO (time taken to restore)
30. Backup Procedure and Methods
• What to backup?
– Install + Config + Custom
– Static / Dynamic
• Order
1. Index (index+cache)
2. DB
3. Content Store
• Types
– Cold
– Warm
– Hot
• What about Zero-Downtime?
31. Restore Procedure
1. Installation
2. Configuration
3. Customization
4. DB
5. Content Store
6. Indexes
32. Best Practices: content deletion
• Node deletion lifecycle
• Why is it important?
33. More about node deletion
• Delete content when it is deleted
• Trashcan cleaner
• Records Management
• Wipe content
34. Thanks!
Toni de la Fuente @ToniBlyx
Phil Meadows @meadowsp99