![Radio Liferay artwork](https://is2-ssl.mzstatic.com/image/thumb/Podcasts4/v4/fd/75/ae/fd75aeac-9e7e-57a2-9377-3eb4de2b334a/mza_6631599921613126955.jpg/100x100bb.jpg)
RL049 Security with Tomáš Polešovský
Radio Liferay
English - November 03, 2015 12:00 - 27 minutes - 12.7 MB - ★★★★★ - 10 ratings
It's been a long time and finally... Radio Liferay is back with several episodes in the queue. Today, Tomáš Polešovský starts off by talking about Liferay's security team and its procedures, as well as his work within that team. Tom has already been a guest on Radio Liferay's ancient episode 9.
(More notes and links are available in the HTML version of this paragraph and in the blog post linked to the episode.)
Here are some of the topics that we talked about:
The glorious, glamorous days one has on the security team (consisting mostly of email, tickets and pull requests)
Different ways to make Liferay more secure
Gathering feedback from community and customers
Monitoring the Liferay Forums and full-disclosure mailing lists (also for the various libraries that are used in Liferay)
Scanning source code for problems
Liferay cooperates with external security researchers for penetration testing
Customers perform external audits as well.
An example of an actual audit report: 49 very alarming false positives vs. 1 real corner case
The security issue fixing process
The first security episode with Sam Kong
Link to the community security update page. CE updates are only ever released against the latest GA version
Some low-hanging fruit in secure Liferay administration (on the fly)
Disable "create new accounts" if you don't want random users to create new accounts (e.g. in an intranet)
JSONWS access
Disable the Control Panel and add "My Account" to users' personal pages instead
The "Securing Liferay" series and "Additional Resources" here
What will happen with Liferay 7?
OAuth, and the related Radio Liferay episode 44 with Stian
SQRL (disclaimer: I misled Tom by mispronouncing this library; he's aware of it, but there's no implementation for Liferay yet)