
WHMCS security team and coding standards


irh


Hi, Matt.

 

Have you heard of security teams? Many respectable web applications have one (http://drupal.org/security-team). The main work is to ensure your web app is secure (I was shocked when I received an email about a MySQL injection vulnerability reported by an "ethical programmer"). In other words, if the "ethical programmer" had not reported it, you wouldn't even know about it.

 

The security team's main responsibilities are to write (and regularly maintain) a variety of tests and run them to test your web application and modules for vulnerabilities. Another responsibility is to provide a means for your clients to report them. At the moment this forum is the only way to communicate with you.

 

I was recently working with Onverify SMS order validation, a user-contributed module, and I was ABSOLUTELY HORRIFIED by the code of the module. Inaccurate, impossible to read and badly written; all MySQL queries have no value validation/cleaning, assuming the values are all clean.

I had to rewrite it for our site to ensure MySQL injection is impossible.

My guess is lots of community modules are the same.

 

Please update us (the WHMCS community) with the following:

 

1. Your plans about having a dedicated security team (refer to http://drupal.org/security-team) for best practices.

2. Introducing and maintaining coding standards for community modules.

3. Having a central repository (e.g. Git, SVN or similar) for community modules, so we do not download them from "who knows what we are getting".

4. Moderators reviewing yours and the community modules (Onverify is a good example) to comply with coding standards and security team testing the modules.

5. Your plans about secure hosting (e.g. FireHost or alike).

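As an added illustration of the pattern the post above complains about (this is example code, not code from the Onverify module or from WHMCS), here is a hypothetical SMS order-validation lookup written both with request values concatenated into the query and with input validation plus a prepared statement. The table `mod_sms_validation` and its columns are assumptions.

```php
<?php
// Added example; not code from the Onverify module or from WHMCS.
// Hypothetical table mod_sms_validation(order_id, phone, code) is an assumption.

// BEFORE: request values are concatenated straight into the SQL string, so a
// quote or comment sequence inside $phone changes what the query means.
function findPendingValidationUnsafe(mysqli $db, string $orderId, string $phone): ?array
{
    $sql = "SELECT order_id, code FROM mod_sms_validation "
         . "WHERE order_id = $orderId AND phone = '$phone'";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// AFTER: reject input that does not have the expected shape, then bind the
// values as parameters so the database never parses them as SQL.
function findPendingValidationSafe(PDO $db, string $orderId, string $phone): ?array
{
    if (!ctype_digit($orderId)) {
        throw new InvalidArgumentException('order id must be a positive integer');
    }
    // E.164-style number: optional leading "+", then 7 to 15 digits.
    if (!preg_match('/^\+?[0-9]{7,15}$/', $phone)) {
        throw new InvalidArgumentException('phone number has an unexpected format');
    }
    $stmt = $db->prepare(
        'SELECT order_id, code FROM mod_sms_validation WHERE order_id = :id AND phone = :phone'
    );
    $stmt->bindValue(':id', (int) $orderId, PDO::PARAM_INT);
    $stmt->bindValue(':phone', $phone, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection setup: turn off emulated prepares so MySQL itself binds the
// parameters, and make errors throw instead of failing silently.
function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}
```

The validation step rejects a phone value containing quotes or other non-digit characters before it reaches the database, and a value that does pass the check is still bound as data rather than spliced into the SQL text.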

  • 2 weeks later...

In reference to your comments about community modules, they are "use at your own risk" and that is stated very clearly. If you are concerned about community addons, don't download or buy them. If you do, only get the open source ones so you can review the code and ensure it fits your needs.

 

As for WHMCS, just like any product, some things slip through the cracks. Do you think Microsoft has a security team that reviews Internet Explorer before it is released? Yet there are constantly patches and service packs to address security issues, not all of which are identified by Microsoft personnel. You need to be a little bit more realistic and embrace reality: no software is perfect, they all have bugs and glitches and potential exploits. What sets a developer apart from the rest is how they handle those issues, notify customers and release patches. Based on WHMCS's communication about all security-related events over the last few weeks, they will have my business as long as I need a billing solution!


So let's say Matt employs a security team (do you think they will work for $0? I don't think so).

Whether WHMCS employs a person (existing employee), contractor, or team, it will cost money.

This is a matter for WHMCS, and personally I don't think they should publish or communicate any further details on this, other than that a security policy is in place.


So let's say Matt employs a security team (do you think they will work for $0? I don't think so). This would then mean a dramatic increase in the cost of a WHMCS licence, therefore pricing them out of the market.

That would be one of the costs of doing business, and a very good idea to do occasionally. No need to keep anyone on full time for it, but an audit each quarter, or at least semi-annually, would be a very good expenditure. It increases trust in the app, keeps security issues that may creep in from becoming something more than they should, and so on.

Personally, I'd be willing to bet none of the competing products in this price range do any such thing. Could be a selling point...


That would be one of the costs of doing business, and a very good idea to do occasionally. No need to keep anyone on full time for it, but an audit each quarter, or at least semi-annually, would be a very good expenditure. It increases trust in the app, keeps security issues that may creep in from becoming something more than they should, and so on.

Personally, I'd be willing to bet none of the competing products in this price range do any such thing. Could be a selling point...

 

I agree with this, but the way I read the OP's statement was on a full-time basis, which as I stated would most likely mean a major price increase to cover it.


1. Your plans about having a dedicated security team (refer to http://drupal.org/security-team) for best practices.

Costly but doable, per bear's post.

2. Introducing and maintaining coding standards for community modules.

Costly, unless people from the community were checking that the standards are kept (would you like the job?).

3. Having a central repository (e.g. Git, SVN or similar) for community modules, so we do not download them from "who knows what we are getting".

Not a bad idea, but I'm sure WHMCS has its own repository right here?

 

4. Moderators reviewing yours and the community modules (Onverify is a good example) to comply with coding standards and security team testing the modules.

I guess I answered this.

 

5. Your plans about secure hosting (e.g. FireHost or alike).

I think this is already in the pipeline or done, but no host is infallible when it comes to employees; you're only as good as your weakest employee.

My recommendations:

 

1. Start using an automated web application security scanner like http://www.acunetix.com/vulnerability-scanner/ (that is how most of the hackers are finding their exploits: with fuzz testing).

 

2. Hire a respectable security firm to do a code audit for each release. (It's always better to have someone else look at your code).

 

3. Update the "Best Security Practices" wiki to include removing code in your web tree that is not used. Most of the time a user only uses a limited number of server, gateway, and payment modules for their install. Anything not used should be removed from the web tree.

Edited by danami

My recommendations:

 

1. Start using an automated web application security scanner like http://www.acunetix.com/vulnerability-scanner/ (that is how most of the hackers are finding their exploits: with fuzz testing).

 

2. Hire a respectable security firm to do a code audit for each release. (It's always better to have someone else look at your code).

 

3. Update the "Best Security Practices" wiki to include removing code in your web tree that is not used. Most of the time a user only uses a limited number of server, gateway, and payment modules for their install. Anything not used should be removed from the web tree.

I have done step three; I don't see a need to have masses of modules I just don't use. I have my specific gateways in, and the same on the server/provisioning modules; no point having a massive list of gateways when I only use three.


  • 1 month later...

For those of you whinging about the price of WHMCS, I say: huh? It's the central management platform for your business, and its security is the most important thing in your business. If they pay security experts to ensure it's as close to 100% safe as possible, I would be prepared to pay more for WHMCS than I do now. It's cheap.


  • 4 months later...

+1 on this! :)

 

I think with what happened recently (ugnasi), if WHMCS opened a security department to test the addons and WHMCS itself, this would show us they really care about security, and such things wouldn't happen due to WHMCS security issues. This injection vulnerability was probably also present on the WHMCS website, since they are using their own software on their website.

 

I think WHMCS should do something not just in regards to WHMCS itself, but also the community addons. Addons should be verified, tested and delivered encrypted with ionCube by WHMCS itself, same as the Google app store.

 

I think there is additional income WHMCS can get by offering such a value-added security trust service to their customers:

 

- for example: I suggest charging something to add/download verified versions of addons to/from the WHMCS store (it's a great promotion tool for developers, and I am pretty sure some of them would be willing to pay a little to get their modules verified and approved by WHMCS, and customers would be willing to pay a little extra to download a verified version instead of the one available on the WHMCS website!).

This way, they should get back the money they spent on the security team (or at least a part of it).

 

This would be a great way to add more trust to the WHMCS product.

I think this can be beneficial for sales and security, for your customers (too many companies are using addons while they don't know how their code was written) and for WHMCS's own business website.

 

Thank you for reading :)


Edited by uname-r

 

The WHMCS team are not very responsive via Twitter or Facebook. I have seen them commenting on Facebook but never directly responding to customers on Twitter.


The WHMCS team are not very responsive via Twitter or Facebook. I have seen them commenting on Facebook but never directly responding to customers on Twitter.

 

But my comment was directed at:

At the moment this forum is the only way to communicate with you.

My links provide other means to communicate with WHMCS, which shows that this forum is NOT the only way of communication.


So let's say Matt employs a security team (do you think they will work for $0? I don't think so). This would then mean a dramatic increase in the cost of a WHMCS licence, therefore pricing them out of the market.

So to keep costs low, let's avoid it, is what you're saying? That logic makes zero sense. cPanel has their own team who constantly check its own software for these very things. Instead of 30% profit, drop it to 25%, for example, and that 5% goes to paying someone to "break" the software.

 

To continue with other comments.

 

It's not an unheard-of option, and anyone who argues it is is truly naive. It's up to Matt if he wants to do it, but quit giving excuses as to why they can't, shouldn't or won't, or comparing WHMCS to other software. WHMCS is as low on the pole as it gets compared to Microsoft, so let's not even go there.

This software is set at "budget" prices; going to premium prices while having secure software isn't a horrible idea.


So to keep costs low, let's avoid it is what you're saying?

 

NO, that's not what I was saying; I suggest you read again.

 

This would then mean a dramatic increase in the cost of a WHMCS licence

 

Yes, a security team would be an advantage, but this would mean an increase in the cost of WHMCS.

cPanel has their own team who constantly check its own software for these very things.

Well, maybe as cPanel have reps on this forum, they may also have a security team looking at WHMCS issues.
