Development talk:Security: Difference between revisions
From MoodleDocs
No edit summary |
|||
| Line 8: | Line 8: | ||
The page is organised around the common types of security vulnerability. For each one, it explains | The page is organised around the common types of security vulnerability. For each one, it explains | ||
# what the danger is, | # what the danger is, | ||
# how Moodle is designed to avoid the problem, | # how Moodle is designed to avoid the problem, | ||
# what you need to do | # what you need to do as a Moodle developer to keep your code secure, and | ||
# what you can do as an administrator, to make your Moodle more secure. | |||
The explanation of each vulnerability is on a separate page, linked to in the list below. | The explanation of each vulnerability is on a separate page, linked to in the list below. | ||
| Line 26: | Line 27: | ||
* Configuration information leakage | * Configuration information leakage | ||
* Session fixation | * Session fixation | ||
* Denial of service | * [[Development:Security:Denial of service|Denial of service]] | ||
* Brute-forcing login | * [[Development:Security:Brute-forcing login|Brute-forcing login]] | ||
* Insecure configuration management | * Insecure configuration management | ||
* Buffer overruns, and other platform weaknesses | * Buffer overruns, and other platform weaknesses | ||
Revision as of 11:31, 6 November 2009
I am working on a revision of these guidelines. I am going to hack around on this talk page before copying the result to the main page.
Start of new page contents.
This page describes how to write secure Moodle code that is not vulnerable to anything that evil people my try to throw at it.
The page is organised around the common types of security vulnerability. For each one, it explains
- what the danger is,
- how Moodle is designed to avoid the problem,
- what you need to do as a Moodle developer to keep your code secure, and
- what you can do as an administrator, to make your Moodle more secure.
The explanation of each vulnerability is on a separate page, linked to in the list below.
This page also summarises all the key guidelines.
Common types of security vulnerability
- Unauthenticated access
- Unauthorised access
- Cross-site request forgery (XSRF)
- Cross-site scripting (XSS)
- SQL injection
- Command-line injection
- Confidential information leakage
- Configuration information leakage
- Session fixation
- Denial of service
- Brute-forcing login
- Insecure configuration management
- Buffer overruns, and other platform weaknesses
- Social engineering
Summary of the guidelines
- TODO
See also
CategoryDeveloper Category:Security
End of new page contents.
Please comment below.
