The trojan Emoji: WordPress Security Vulnerability Under the Guise of Emoji Support

Andrew Nacin, lead developer of WordPress, just finished a talk at Loopconf, where he talked about a series of related WordPress security fixes that spanned two years, with the final fix included into WordPress core under the guise of Emoji support.

No strict mode on WordPress databases

At a base level, the problems originated in the fact that WordPress did not enable strict mode for MySQL. Had STRICT_ALL_TABLES been enabled, the security vulnerability addressed in WordPress 4.2 would not have existed.

Without strict mode, MySQL accepts more flexible input and does not require the same level of precision in what it allows. For example, a username longer than the column allows is silently truncated to the maximum length rather than being rejected.

Since MySQL can do strange things without strict mode enabled, there are obscure but significant ways for hackers to take advantage.
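The following MySQL session illustrates the truncation-versus-rejection difference described above. It is an added example, not code from the talk or from WordPress core; the `demo_users` table, its 10-character `user_login` column and the sample value are constructed for the demonstration.

```sql
-- Added example (not from the talk or the WordPress code base): how MySQL
-- treats an over-long value with and without STRICT_ALL_TABLES.
-- The table, the column width and the inserted value are constructed for the demo.
CREATE TABLE demo_users (
  id         INT AUTO_INCREMENT PRIMARY KEY,
  user_login VARCHAR(10) NOT NULL
);

-- 1. Permissive mode (no strict flags): the value is silently cut down to
--    10 characters and the INSERT succeeds, raising only a "Data truncated
--    for column" warning that most application code never looks at.
SET SESSION sql_mode = '';
INSERT INTO demo_users (user_login) VALUES ('administrator_backup');
SHOW WARNINGS;
SELECT user_login FROM demo_users;   -- the stored value is shorter than what was sent

-- 2. Strict mode: the same INSERT fails with "Data too long for column"
--    and nothing is stored, so the row either matches the input or does not exist.
DELETE FROM demo_users;
SET SESSION sql_mode = 'STRICT_ALL_TABLES';
INSERT INTO demo_users (user_login) VALUES ('administrator_backup');
SELECT COUNT(*) FROM demo_users;     -- no row was written

-- Defender's check: confirm the mode the server and the current session run in.
-- A global setting that omits STRICT_ALL_TABLES (or STRICT_TRANS_TABLES) is the
-- condition the talk describes.
SELECT @@GLOBAL.sql_mode, @@SESSION.sql_mode;
```

To make the strict behaviour the default rather than a per-session choice, set `sql_mode = STRICT_ALL_TABLES` in the `[mysqld]` section of the server configuration and restart; the `SELECT @@GLOBAL.sql_mode` check at the end is the quickest way to verify that a given server actually runs that way.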

Github: Responsible Disclosure of Security Vulnerabilities

We want to keep GitHub safe for everyone. If you’ve discovered a security vulnerability in GitHub, we appreciate your help in disclosing it to us in a responsible manner.

Bounty Program

Like several other large software companies, GitHub provides a “bug bounty” to better engage with security researchers. The idea is simple: hackers and security researchers (like you) find and report vulnerabilities through our responsible disclosure process. Then, to recognize the significant effort that these researchers often put forth when hunting down bugs, we reward them with some cold hard cash.

Database Security: Hierarchy

OLAP supports more complex security scenarios, especially for ad hoc access. By comparison, it is difficult to configure a relational database to protect detailed data (sales by sales rep) while providing more open access to summarized data (sales by region), and this is especially true for ad hoc access on the relational side. Security is significantly more powerful on OLAP because the access languages carry the parent/child semantics of the hierarchy, so access rules can be expressed at the level of the hierarchy rather than per row.