Hi! I am Thomas, General Manager of naw.info.
Today I would like to write something about the handling of TYPO3 security issues from the perspective of a TYPO3 agency.
Nowadays, due to the great work of the TYPO3 Security Team, some security holes have been found in the TYPO3 Core and a lot of them in third-party extensions. You may have the impression that this happens more often than ever before.
But this does not make TYPO3 less secure than other systems! Why?
Software has errors because software is written by humans.
Simple as it is, this applies to every system (WordPress, Drupal, Microsoft Windows 7, <insert a software product here>).
It is not a security problem if holes are found; it is a problem if they are present but not found. Keep this in mind while reading the next lines.
It feels natural to me that if a security hole is found and a fix is ready, a Security Bulletin is published to inform all of us. This gives us as an agency – and, even more important, our customers – the assurance and faith in the software we love.
I sometimes hear the argument that it might not be good for the TYPO3 brand if the security bulletins are published so often because this could make customers think that TYPO3 is insecure.
To be honest, I do not understand that argument. It is the other way around! Isn’t it a major advantage that we have people dedicated to taking care of security, digging into code to find problems and reporting the findings to the community? Isn’t this one of TYPO3’s unique selling propositions?
I think the answer here must be: Yes!
To keep customers from being afraid that TYPO3 is insecure, one “solution” is often proposed: release Security Bulletins only once in a certain period – for example once a month. Remember the sentence from above? “It is not a security problem if holes are found; it is a problem if they are present but not found.” – In my eyes a bulletin must be published directly after a fix is ready.
I also think that in all the above we find the answer to the question of how we should communicate TYPO3 Security Bulletins to our customers:
- Inform your customers
Inform them about the security policy the TYPO3 project has. Explain that this is a USP, not a threat!
- Help your customers
Keep them informed if a security hole is found and the customer’s installation is affected. Also inform customers if their installations are not affected. Explain their options to your customers. Install extension updates and TYPO3 Core updates if needed. Make sure you have a contract in place that covers these tasks before you start a project.
- Walk away
If you have customers who think TYPO3 is less secure than other systems only because of the number of Security Bulletins: walk away. They’re not the kind of customers you would like to have. It sounds sad and it is a hard decision, but you will not regret having made that decision – believe me.
What do you think? What do you do in your daily work when it comes to security? I’d love to hear from you, please leave a comment.