Joomla Security Strike Team

A CMS-powered website has all the ingredients for an IT security nightmare: it is publicly accessible, it’s running on powerful machines with great connectivity and the underlying system is used countless times around the globe, making it an attractive target for attackers.
The Joomla Security Strike Team (JSST) is working hard to make sure that this nightmare doesn’t become reality for Joomla users!

Like any other team in the Joomla Project, the JSST is an all-volunteer team that is spread around the globe. This geographical distribution is important in our case, because the security business is often a time critical one - having members from different time zones is a big advantage here, because it enables the team to be "on duty" pretty much 24/7.

The team’s job can be split into 4 different subtasks:

  1. Monitoring: The team members are running dozens of closely monitored sites to become aware of new attack scenarios as fast as humanly possible. Luckily these probes are rarely required, because 99% of all security issues are communicated confidentially to the team, bringing us to the next task
  2. Issue handling: When a new security issue is reported, before anything else the report needs to be acknowledged. Once this has been done, the team starts diving into the details to verify the issue and to determine how dangerous it is. The later part is extremely important, because often reports are only “the tip of the iceberg” and the underlying cause is a different one. I can proudly say that JSST does a fantastic job here, making sure that issues are properly patched
  3. Issue patching: Once the core problem has been identified, a fix needs to be developed and tested. The big challenge here is to test as many scenarios as possible with a very small team and no opportunity to get feedback from third parties (i.e. extension developers)
  4. Pro-active audits: Before new features are merged into core, JSST does automated and manual checks on the new code being included in that feature. That’s a great way of fixing problems even before they ever occur.

Communication is key

Besides the technical part, JSST’s work is heavily about ongoing communication with various partners.

The first group of partners are security researchers.
They constantly look for unknown issues in the Joomla core, simulate attacks and report threats to the project. Luckily it has become an industry standard to do these reports privately to give the vendor (so in this case that’s us) enough time to fix the issue and release a secured version. This process, called responsible disclosure, works remarkably well and I can’t thank our reporters enough for supporting us in such a professional way. In exchange for those reports, the researchers normally expect some "visibility" (provided by giving credits in the security announcements) and most importantly, they expect some appreciation and one-to-one communication. The latter should be a no-brainer but surprisingly it’s not in many closed- and open source projects and that’s why Joomla frequently gets positive feedback for its communication with researchers.

The second group of partners has become a game changer for the JSST in the last couple of years: web hosts!
In the Joomla world, we often see many sites being hacked after critical releases, because Joomla site owners don’t update their installations in time - "in time" is the interesting part here, because for really critical attacks, a user may have little more than 10 hours before the first automated attacks begin. To work around these slow-updating users, the Security team does not only provide the actual patch but also instructions on how to filter potential attacks with server side measures. This information is sent to numerous web hosts, security companies and CDN providers around the globe at the exact same time as the release happens, to allow these companies to protect millions of users by just adding a filter rule with a single click.

Last but not least, the team also needs to communicate with the Joomla community. We need to reach out to the CMS Maintainer team to coordinate security releases, we work together with the Marketing team to make sure that important information makes its way to the users and we also educate users and developers on security-related topics, to generally raise awareness on the importance of proper security measures.

Joomla takes security seriously

The JSST has a tremendous responsibility. Our job is to protect millions of websites against attacks, keeping up with new threat scenarios that constantly pop up. I can proudly say that the team takes this responsibility very seriously and does a great job by not only taking a passive role and fixing reported issues but pro-actively making the CMS more secure. With our manual and automated audits, the monitoring and architectural security enhancements for new major versions, we try hard to solve issues before they appear.
We prevent your security nightmares from becoming reality!

David Jardin, JSST Team Lead