TYPO3 Association 2nd Quarterly Report 2009

Posted on August 18, 2009 by Marcus.

I'd like to use this posting to point to an unfortunately underestimated, or even unknown, way of finding out what's going on in the TYPO3 world.

Every three months, the TYPO3 Association publishes (or at least is supposed to publish) a Quarterly Report. It's a nice way to stay informed about what the various (official) TYPO3 committees and teams are currently doing or planning.

Today, the T3A has published the 2nd Quarterly Report for 2009. The TYPO3 Security Team is also mentioned in this document.

In detail:

  • Several TYPO3 Security Team members met at the TYPO3 Developer Days 2009. Such official TYPO3 events are a welcome opportunity to feel the community and team spirit again, which tends to fade during the year. They also allow us to discuss things that are better addressed in face-to-face meetings.
  • The TYPO3 Security Team lacks new members. New ones should be security-minded people with deeper knowledge of TYPO3 who are willing to regularly spend a certain amount of time on the team's work.
  • A newly created page called Resources has been added to the TYPO3 Security Team section on typo3.org. It already holds several documents that help you stay up to date on TYPO3 security, and it keeps growing.
  • A new team-internal project called the Incident Handling System (IHS) has been started.

The last item in particular needs a bit of explanation:
The TYPO3 Extension Repository (TER) is constantly growing. With about 4000 different extensions, the TYPO3 Security Team spends almost 100% of its time on extension vulnerabilities.

The bulletin publishing process alone can eat up several hours for a single bulletin. The bulletin is a standard content element, and it needs to follow a common form. Every mentioned extension and linked resource has to be inserted manually, and links need to be double-checked. Vulnerable extension versions need to be removed from the repository. The bulletin information must be reflected in the corresponding issue in the separate TYPO3 Security Team trouble ticket system. The bulletin is then proofread and the comments worked into it. New extension versions containing the security fixes need to be uploaded. Besides the bulletin, a dedicated mailing list posting and a news item have to be created.

You will certainly understand that we would really like to reduce the time spent on such tasks. The planned Incident Handling System will change that. Bulletins will by default follow a common structure; extensions and their versions can be selected and added automatically, and vulnerable extension versions marked as insecure. The mailing list posting and the news item are created instantly when the bulletin is published.

I hope to see it implemented soon.

If you or your company are able to contribute resources (manpower or money) to the IHS project, please don't hesitate to contact the TYPO3 Security Team! Any help is appreciated.
