
Course - Introduction to plugin security #1676

Closed
11 of 15 tasks
jonathanbossenger opened this issue Jul 1, 2023 · 2 comments
@jonathanbossenger
Collaborator

jonathanbossenger commented Jul 1, 2023

Needs Assessment Statement

A short course to provide the new or intermediate developer knowledge on how to develop plugins securely, including an overview of common vulnerabilities, and how to prevent them

Target Audience

Courtney is a plugin developer who wants to ensure that her plugins do not expose any security vulnerabilities. She doesn't know where to find the relevant information, or what to look out for.

Course Objective

Beginner to intermediate WordPress plugin developers will learn about common security vulnerabilities, how they can be introduced, and what should be done to prevent them.

Outline

Related Resources

Links to related content on Learn, HelpHub, DevHub, GitHub Gutenberg Issues, DevNotes, etc.

Guidelines

Review the team guidelines

Course Development Checklist

  • Needs Assessment Statement, Target Audience, Course Objective, and Outline created
  • Needs Assessment Statement, Target Audience, Course Objective, and Outline vetted by an ID and feedback given
  • Overall topic and Outline Vetted by a Subject Matter Expert and feedback given
  • Gather links to Support and Developer Docs
  • Review any related material on Learn
  • Course created and announced to the team for Q/A review
  • Course review completed and ready to publish
  • Course excerpt created and featured on Learn WordPress
  • Course announced to Marketing Team for promotion
@jonathanbossenger jonathanbossenger added [Content Type] Course Awaiting Triage Issues awaiting triage. See Training Team handbook for how to triage issues. labels Jul 1, 2023
@github-project-automation github-project-automation bot moved this to 👋 Ready to Create in LearnWP Content - Development Jul 1, 2023
@jonathanbossenger jonathanbossenger self-assigned this Jul 1, 2023
@jonathanbossenger jonathanbossenger added Draft in Progress and removed Awaiting Triage Issues awaiting triage. See Training Team handbook for how to triage issues. labels Jul 1, 2023
@jonathanbossenger jonathanbossenger moved this from 👋 Ready to Create to 🚧 Drafts in Progress in LearnWP Content - Development Jul 1, 2023
@smileBeda

smileBeda commented Oct 13, 2023

I am adding the rest of the topics here as I could not find a more particular place (added one in a sub-ticket).

Another topic that usually gets forgotten completely is JS safety.
Things like these for example.
https://www.bleepingcomputer.com/news/security/invisible-characters-could-be-hiding-backdoors-in-your-javascript-code/
https://certitude.consulting/blog/en/invisible-backdoor/#:~:text=A%20few%20months%20ago%20we,even%20from%20thorough%20code%20reviews

Some other resources in regard to JS security.
https://gomakethings.com/how-to-reduce-your-risk-of-cross-site-scripting-attacks-with-vanilla-javascript/
https://gomakethings.com/injecting-text-instead-of-html-with-vanilla-js-to-reduce-your-risk-of-xss-attacks/
https://gomakethings.com/how-to-encode-strings-with-vanilla-js-to-reduce-the-risk-of-xss-attacks/
https://gomakethings.com/how-to-sanitize-html-strings-with-vanilla-js-to-reduce-your-risk-of-xss-attacks/

An often overlooked detail is localisation - while the docs meanwhile do get that part right, it often still causes confusion:
https://developer.wordpress.org/plugins/internationalization/security/#use-placeholders-for-urls

Another topic that IMO is part of "safe and secure" is code documentation and code style.
Code that is not documented, or badly documented, and/or does not follow at least some (better: the WPCS) styling (not speaking of security standards here) is very likely to be bad/vulnerable code.
Having docs and guidelines/standards means the developer spent time thinking about his/her code and reflected on it. Having code that is just a bunch of - no matter how awesome and poetical - lines of code often means it is a pure copy-paste or done in a hurry without the necessary "love". This part is a highly opinionated subject... so I guess it might be too hot to touch :)

I personally use PHPDocumentor and, of course, the WordPress WPCS standard.
The Documentor is worth gold: too often you will realise after creating a doc that... oh darn, that method actually states it returns a string but returns an array. And so on.
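As an added example (not part of this issue or of the articles linked above), here is a small review-side scanner for the invisible-character problem smileBeda points at: it walks JavaScript source by code point and reports zero-width, filler and bidi-control characters that an editor may render as nothing. The code-point table is an assumption (not an exhaustive list) and SAMPLE is constructed for the demo.

```javascript
// Defensive check for a code review or CI step: flag Unicode code points that
// are invisible or reorder text, so a hidden identifier or a swapped line of
// logic cannot slip past a human reader. Table is an assumption, not complete.
const SUSPICIOUS = new Map([
  [0x200b, 'ZERO WIDTH SPACE'],
  [0x200c, 'ZERO WIDTH NON-JOINER'],
  [0x200d, 'ZERO WIDTH JOINER'],
  [0x2060, 'WORD JOINER'],
  [0xfeff, 'ZERO WIDTH NO-BREAK SPACE'],
  [0x115f, 'HANGUL CHOSEONG FILLER'],
  [0x1160, 'HANGUL JUNGSEONG FILLER'],
  [0x3164, 'HANGUL FILLER'],
  [0xffa0, 'HALFWIDTH HANGUL FILLER'],
  [0x202a, 'LEFT-TO-RIGHT EMBEDDING'],
  [0x202b, 'RIGHT-TO-LEFT EMBEDDING'],
  [0x202d, 'LEFT-TO-RIGHT OVERRIDE'],
  [0x202e, 'RIGHT-TO-LEFT OVERRIDE'],
  [0x2066, 'LEFT-TO-RIGHT ISOLATE'],
  [0x2067, 'RIGHT-TO-LEFT ISOLATE'],
  [0x2068, 'FIRST STRONG ISOLATE'],
]);

// Returns one record per suspicious code point: 1-based line and column,
// the code point in U+XXXX form and its name from the table above.
function findInvisibleChars(src) {
  const hits = [];
  let line = 1;
  let col = 0;
  for (const ch of src) { // string iterator yields code points, not UTF-16 units
    if (ch === '\n') { line += 1; col = 0; continue; }
    col += 1;
    const cp = ch.codePointAt(0);
    if (SUSPICIOUS.has(cp)) {
      const hex = cp.toString(16).toUpperCase().padStart(4, '0');
      hits.push({ line, col, codePoint: 'U+' + hex, name: SUSPICIOUS.get(cp) });
    }
  }
  return hits;
}

// Constructed sample: line 2 declares a variable whose name is a lone Hangul
// filler, line 3 carries a trailing zero-width space. Both look clean on screen.
const SAMPLE = [
  'const total = price * qty;',
  'const \u3164 = config;',
  'return total;\u200b',
].join('\n');

for (const h of findInvisibleChars(SAMPLE)) {
  console.log(`line ${h.line} col ${h.col}: ${h.codePoint} ${h.name}`);
}
```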

@jonathanbossenger
Collaborator Author

The content for this course matches the module on developing securely in the Beginner Developer Learning Pathway, therefore this course has been "merged" into that pathway.

@github-project-automation github-project-automation bot moved this from 🚧 Drafts in Progress to 📜 Published or Closed in LearnWP Content - Development Jan 22, 2024