Keeping Silverstripe CMS users safe is one of our highest priorities as maintainers. In this blog post, we lift the curtain and explain how we approach product security and how we handle vulnerabilities once we discover them. We’ll also give you some advice on how to harden your website to make it more secure.
Our approach to product security
No modern web application can ever be 100% vulnerability-free. We strive to achieve a balance between ease of use and security.
For example, we could require content authors to re-authenticate every time they save a page or ask a second user to confirm every action. That would provide a high level of security, but at the cost of a very cumbersome user experience.
We don’t assume that our product will never have security defects. Instead, we try our best to manage the risks with any vulnerabilities that might be present in our product.
- We minimise the risk of introducing vulnerabilities in the first place by adhering to secure development practices and by requiring peer review of any code change.
- We reduce the risk that new vulnerabilities will ship by performing technical risk analysis of substantial new features and by having independent security auditors review our releases every 6 months.
- Our process for managing security issues makes it less likely that vulnerabilities will go undetected and be exploited in the wild.
Silverstripe recently renewed its ISO 27001 certification. ISO 27001 is an international standard for managing information security. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). This is another way that we ensure our processes are up to industry standards so we are in the best position to protect our customers and the Silverstripe CMS community.
Handling security issues
Any moderately complex modern web application will occasionally be subject to vulnerabilities. Silverstripe CMS is no exception. If you are a software vendor in 2024 and you never report any vulnerabilities in your product, it’s probable that you are not looking, or that you are not disclosing the vulnerabilities that you patch.
For example, here’s the number of vulnerabilities disclosed by a few common CMS vendors in 2023.
- Drupal: 8 vulnerabilities
- Sitecore: 8 vulnerabilities
- WordPress: 9 vulnerabilities
- Adobe Experience Manager: 217 vulnerabilities
For comparison, Silverstripe patched 7 vulnerabilities in 2023. I’m not trying to ding those other products. We all have slightly different approaches and features. The total number of vulnerabilities disclosed is not, in and of itself, an indication that a product is more or less secure than another.
Like these other CMS vendors, Silverstripe has adopted industry best practices in terms of vulnerability management.
- How to report security vulnerabilities is outlined in our official documentation. Developers and security researchers can report potential vulnerabilities easily and confidentially.
- Our managing security issues process provides clear steps on how we review, prioritise, patch and disclose vulnerabilities.
- Our major release policy and minor release policy define a clear and predictable support timeline where customers can expect security patches.
- When disclosing vulnerabilities, we assign them a Common Vulnerabilities and Exposures (CVE) identifier and a Common Vulnerability Scoring System (CVSS) score. These industry standards make it easy for customers to become aware of vulnerabilities affecting them and to evaluate what action to take.
Hardening your Silverstripe CMS project
Silverstripe CMS aims to meet the needs of a wide array of organisations. Some of our customers have simple brochure sites that are only used to display basic public information. Others are financial institutions that manage billions of dollars in assets and use their Silverstripe CMS to communicate with their customers.
We generally try to be secure by default by adopting sensible configuration out-of-the-box. However, different customers will have different risk profiles and different security requirements.
The customisability and modularity of Silverstripe CMS allow developers to tweak the settings of individual websites and adapt them to the risk profile of different customers.
Here are some common - and not so common - configuration changes you could consider for your Silverstripe CMS site to further mitigate risk.
Low-cost options for reducing risk
These are quick and easy-to-configure options to improve the security of your Silverstripe CMS site. Even a basic, low-risk Silverstripe CMS website should consider enabling these features.
- Install and enable our multi-factor authentication (MFA) module. If it’s already installed, make sure it’s mandatory for users to use it.
- Install the session manager module to better manage user sessions.
- Impose stronger password requirements.
- Review and restrict the permissions of users. We occasionally see websites where all users have full administrator privileges. By limiting the permissions of users to the ones they actually need to do their job, you minimise the potential damage if their accounts are compromised.
Medium-cost options for reducing risk
These options, while not very difficult to implement, still require a bit more work and configuration.
- Restricting administrative routes to specific IP ranges with the madmatt/silverstripe-iplists module can minimise the risk that someone outside your office will be able to access restricted sections of your website.
- Installing the silverstripe/auditor module will help identify illicit actions if someone manages to gain unauthorised access to your website.
- Configuring Content Security Policy (CSP) headers is a good way to mitigate against possible XSS attacks.
- At Silverstripe, we use the silverstripeltd/silverstripe-csp module in many of our own projects.
- nswdpc/silverstripe-csp and firesphere/cspheaders are other popular options for enabling CSP headers on a Silverstripe CMS site.
Advanced risk mitigation options
These techniques are a bit more advanced and require a fair bit of customisation to adapt them to your specific use case.
- You can configure "encryption at rest" for sensitive data hosted on your website.
- We have used the madmatt/silverstripe-encrypt-at-rest module for this purpose.
- Roël Couwenberg’s Lightning Talk: Vault Encryption from last year’s StripeCon is also a great option to consider.
- Configure "sudo" mode to extend it to more scenarios or to your specific use case.
Managing your risk profile
Some of the actions mentioned in the previous section may be completely overblown for your use case. So you certainly shouldn’t blindly implement all of them.
Finding a good technology partner can be invaluable in better understanding and defining your risk profile.
Probably the most important thing you can do to keep your site secure and protect your users is to regularly apply updates and security patches to your websites. As I mentioned above, we regularly ship security patches to address vulnerabilities, but you will only get those patches if you update your websites.
If you don’t have an in-house development team to take care of deploying those patches, Silverstripe does offer a Code Care service where our bespoke teams will look after your website for you and keep it up to date.