CodeGarden 10: The sixth annual Umbraco Developer Conference
June 23-25th 2010 - free ASP.NET MVC pre-conference. Register today!

umbraco Security

Most of the security session focused on how to secure the umbraco administration area.  The two biggest security issues at the moment are that most umbraco installations keep the default /umbraco/ folder name, which makes the admin login page an easy target for hackers, and that failed login attempts are not logged at all, nor are accounts locked out after multiple failed attempts, so a brute-force attempt against the login page goes unnoticed and unhindered.
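Until umbraco gains its own failed-login logging, the IIS access log is the only record of attempts against the admin login page. The PowerShell script below is an added example (not from these notes and not umbraco project code): it reads W3C log lines, counts POSTs to the login page per client address per minute and reports any address that exceeds a threshold. The default IIS 7 W3C field order, the login page path /umbraco/login.aspx (adjust it if the folder has been renamed), the function name Find-LoginBursts and the sample log lines are all assumptions or constructed data, not taken from the notes.

```powershell
# Added example: flag client addresses that POST to the admin login page repeatedly,
# using the IIS W3C log as the record of attempts (umbraco itself logs none).
# Assumptions: default IIS 7 W3C field set; login page at /umbraco/login.aspx.

function Find-LoginBursts {
    param(
        [string[]]$LogLines,                          # raw W3C log lines incl. the #Fields header
        [string]$LoginPath = '/umbraco/login.aspx',   # assumed login page path
        [int]$Threshold = 5                           # POSTs per client IP per minute that count as a burst
    )
    $fields = $null
    $counts = @{}
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            # W3C logs declare their own column layout; map column names to positions
            $fields = ($line.Substring(8).Trim() -split ' ')
            continue
        }
        if ($line -like '#*' -or $line.Trim() -eq '' -or -not $fields) { continue }
        $cols = $line -split ' '
        if ($cols.Count -ne $fields.Count) { continue }      # skip malformed lines
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row['cs-method'] -ne 'POST') { continue }
        if ($row['cs-uri-stem'].ToLower() -ne $LoginPath.ToLower()) { continue }
        # bucket by client IP and minute (W3C time is HH:MM:SS)
        $minute = $row['time'].Substring(0, 5)
        $key = "$($row['c-ip'])|$($row['date']) $minute"
        if ($counts.ContainsKey($key)) { $counts[$key]++ } else { $counts[$key] = 1 }
    }
    foreach ($key in $counts.Keys) {
        if ($counts[$key] -ge $Threshold) {
            $ip, $when = $key -split '\|'
            New-Object PSObject -Property @{ ClientIP = $ip; Minute = $when; Posts = $counts[$key] }
        }
    }
}

# Constructed sample log (not a real capture) in the default IIS 7 W3C layout:
# six login POSTs from one address inside a minute, one from another.
$sample = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2010-06-24 09:15:01 10.0.0.5 GET /umbraco/login.aspx - 80 - 203.0.113.7 Mozilla/5.0+(compatible) 200 0 0 15
2010-06-24 09:15:02 10.0.0.5 POST /umbraco/login.aspx - 80 - 203.0.113.7 Mozilla/5.0+(compatible) 200 0 0 31
2010-06-24 09:15:03 10.0.0.5 POST /umbraco/login.aspx - 80 - 203.0.113.7 Mozilla/5.0+(compatible) 200 0 0 29
2010-06-24 09:15:04 10.0.0.5 POST /umbraco/login.aspx - 80 - 203.0.113.7 Mozilla/5.0+(compatible) 200 0 0 30
2010-06-24 09:15:05 10.0.0.5 POST /umbraco/login.aspx - 80 - 203.0.113.7 Mozilla/5.0+(compatible) 200 0 0 28
2010-06-24 09:15:06 10.0.0.5 POST /umbraco/login.aspx - 80 - 203.0.113.7 Mozilla/5.0+(compatible) 200 0 0 33
2010-06-24 09:15:07 10.0.0.5 POST /umbraco/login.aspx - 80 - 203.0.113.7 Mozilla/5.0+(compatible) 200 0 0 27
2010-06-24 09:15:40 10.0.0.5 POST /umbraco/login.aspx - 80 - 198.51.100.20 Mozilla/5.0+(compatible) 302 0 0 45
'@ -split "`r?`n"

Find-LoginBursts -LogLines $sample | Format-Table ClientIP, Minute, Posts -AutoSize
```

The script deliberately counts attempts rather than failures, because a plain access log does not show whether a login succeeded; a single editor will rarely POST the login form five times in a minute, so the count alone is a usable signal. On a production server point it at the files under the site's IIS log folder (Get-Content on each file) and run it from a scheduled task.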

There were a number of approaches put forward to address this:

1) Rename /umbraco/ folder to make it harder for hackers to find.

2) Possibly make it easier to separate the admin portion of the site in future versions so it can be put behind a firewall.

3) Add support in the config files to limit access to the login page to a particular IP address or IP range.
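The third approach does not need new umbraco code on IIS 7 and later: an `<ipSecurity>` rule scoped to the admin folder in web.config restricts the whole /umbraco/ folder (login page included) to an allow-list of client addresses. The PowerShell script below is an added example, not umbraco project code, that inserts such a rule. It assumes the IIS "IP and Domain Restrictions" feature is installed and the ipSecurity section is unlocked in applicationHost.config (otherwise IIS answers every request with a 500.19 configuration error), that the site root, the folder name "umbraco" and the documentation-range addresses are placeholders for your own values, and the function name Add-AdminIpRestriction is invented for this example.

```powershell
# Added example: allow-list client addresses for the umbraco admin folder by adding
#   <location path="umbraco"><system.webServer><security><ipSecurity allowUnlisted="false"> ...
# to the site's web.config. Assumptions: IIS 7+, "IP and Domain Restrictions" installed and the
# ipSecurity section unlocked; paths and addresses below are placeholders.

function Add-AdminIpRestriction {
    param(
        [string]$WebConfigPath,                  # full path to the site's web.config
        [string]$AdminPath   = 'umbraco',        # folder name; change it if /umbraco/ was renamed
        [string[]]$AllowedIPs  = @(),            # single client addresses to allow
        [string[]]$AllowedNets = @()             # 'network/mask' pairs to allow
    )
    [xml]$cfg = Get-Content -Path $WebConfigPath
    # Refuse to add a second <location> for the same path; merge into the existing one by hand instead.
    $existing = $cfg.configuration.location | Where-Object { $_.path -eq $AdminPath }
    if ($existing) { throw "web.config already contains <location path=`"$AdminPath`">" }

    $loc = $cfg.CreateElement('location')
    $loc.SetAttribute('path', $AdminPath)
    $ws  = $loc.AppendChild($cfg.CreateElement('system.webServer'))
    $sec = $ws.AppendChild($cfg.CreateElement('security'))
    $ips = $sec.AppendChild($cfg.CreateElement('ipSecurity'))
    $ips.SetAttribute('allowUnlisted', 'false')   # deny every address that is not listed below

    foreach ($ip in $AllowedIPs) {
        $add = $ips.AppendChild($cfg.CreateElement('add'))
        $add.SetAttribute('ipAddress', $ip)
        $add.SetAttribute('allowed', 'true')
    }
    foreach ($net in $AllowedNets) {
        $addr, $mask = $net -split '/'
        $add = $ips.AppendChild($cfg.CreateElement('add'))
        $add.SetAttribute('ipAddress', $addr)
        $add.SetAttribute('subnetMask', $mask)
        $add.SetAttribute('allowed', 'true')
    }

    $cfg.configuration.AppendChild($loc) | Out-Null
    Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.bak"   # keep a copy to roll back
    $cfg.Save($WebConfigPath)
}

# Placeholder site root and RFC 5737 documentation addresses standing in for an office/VPN egress.
Add-AdminIpRestriction -WebConfigPath 'C:\inetpub\umbraco\web.config' `
    -AllowedIPs @('192.0.2.10') `
    -AllowedNets @('198.51.100.0/255.255.255.0')
```

Two caveats a practitioner should check before relying on this. IIS evaluates the source address of the TCP connection, so behind a reverse proxy or load balancer every request appears to come from the proxy and the restriction must be enforced there instead. And the rule locks out editors as well as attackers, so anyone who edits content from outside the listed ranges needs a VPN into one of them; combined with approach 1 (renaming the folder) this is the closest a site can get to the "admin behind a firewall" idea in approach 2 without changes to umbraco itself.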


There was also a lot of discussion about how to harden an umbraco install.  It was noted that if content creation occurred in a stage environment and was then 'pushed' to production, security settings could be a lot tighter.  Some action points from this part of the discussion were:

1) Need better documentation of the minimum read/write file permissions that need to be applied to folders.

2) Need documentation on what files or folders can be removed from production when content editing happens in a stage environment.

3) Possible creation of a package (dashboard/application) to 'recheck' file permissions on a regular basis (similar to how they are checked during install).
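The permission recheck in action point 3 can be done today from a scheduled task without a package. The PowerShell script below is an added example, not the umbraco installer's own check: it walks the site folder, reports every directory where the worker-process identity or a broad group has an Allow entry with write bits, and marks each hit as expected or not against a list of folders that are allowed to be writable. Because action point 1 says the minimum permissions are not yet documented, the expected-writable list and the identity names here are placeholders to be replaced with your own, and the function name Get-WritableFolders is invented for this example.

```powershell
# Added example: report folders under the site root that are writable by the worker-process
# identity or by broad groups, and flag the ones outside an expected-writable list.
# Assumptions: the identity and expected-writable lists are PLACEHOLDERS (the notes say the
# minimum permissions are not documented yet); site root is a placeholder path.

function Get-WritableFolders {
    param(
        [string]$SiteRoot,
        [string[]]$Identities = @('NT AUTHORITY\NETWORK SERVICE',   # classic app pool identity
                                  'IIS APPPOOL\DefaultAppPool',     # IIS 7.5 per-pool identity
                                  'BUILTIN\IIS_IUSRS', 'BUILTIN\Users', 'Everyone'),
        [string[]]$ExpectedWritable = @('media', 'App_Data')        # PLACEHOLDER: replace with documented list
    )
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]::Write
    $root = (Resolve-Path -Path $SiteRoot).Path.TrimEnd('\')
    $dirs = @(Get-Item -Path $root) +
            @(Get-ChildItem -Path $root -Recurse | Where-Object { $_.PSIsContainer })

    foreach ($dir in $dirs) {
        $acl = Get-Acl -Path $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Identities -notcontains $ace.IdentityReference.Value) { continue }
            # FileSystemRights is a flag set; any write bit means the identity can change content.
            # Entries with generic rights show up as negative numbers and are not mapped here:
            # review those by hand.
            if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }

            $rel = $dir.FullName.Substring($root.Length).TrimStart('\')   # '' is the site root itself
            $expected = $false
            foreach ($e in $ExpectedWritable) {
                if ($rel -eq $e -or $rel -like "$e\*") { $expected = $true }
            }
            New-Object PSObject -Property @{
                Folder    = $rel
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                Expected  = $expected
            }
        }
    }
}

# Placeholder site root; print only the writable folders that are NOT on the expected list.
Get-WritableFolders -SiteRoot 'C:\inetpub\umbraco' |
    Where-Object { -not $_.Expected } |
    Format-Table Folder, Identity, Rights, Inherited -AutoSize
```

The Inherited column matters when reading the output: a writable entry inherited from the site root usually means the whole site is writable and the fix is at the root, not in the reported folder. Saving the full output to a file on each run and diffing it against the previous run turns the script into the regular "recheck" the action point asks for.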


Misc Topics

1) Penetration testing - Would be great if anyone who has had their umbraco site professionally tested could share their results with the user community.

2) Addition of audit trails to other areas of umbraco admin, such as settings, would be useful.

3) Would be useful to have a package to back up/restore an umbraco site and database which could be run prior to installing any new packages.

4) Would be good to have a 'cleanup tool' to enable users to remove audit trail information which is over a certain age.


Further info:

For those who are interested, OWASP (http://www.owasp.org) is a very good web site on web application security.