The dummy version to test your website security

Security matters as soon as the public can reach your services. Penetrating a network is dummy-proof; my grandma could do it with guidance. I am not going to show anyone how to do it, because that would only increase the number of people trying to penetrate networks.
My personal goal is to raise awareness and help teach people to lock the doors to their servers. The problem is that IT needs an approved reason to spend the money. Identifying specific security failures and risks helps justify securing your computer infrastructure. A few thousand dollars is easy to justify when the average cost of a hack is 4 million dollars and you could be the next target. Check for at least the following:
– cross-site scripting errors
– proper password storage
– default passwords (ask your vendor and verify none are still in use)
– security hardening steps
– lack of a VPN and firewall
– legal requirements based on jurisdiction
If any of the above security checks fail, get a security audit and resolve the failures right away. Treat a failure as a warning and assume you have additional issues: it is the canary in the coal mine. Each day you wait to fix the issue is another day you can be attacked, and another opportunity for your company's finances and data to be attacked. Fix your security, and make security a focus for all new development.

Custom Workflow Security in Sitecore

One of the great things about Sitecore is the ability to extend and customize the basic product. Recently I had a project where the client wanted the ability to specify workflow security per item. The standard Sitecore workflow only allows you to specify security per workflow state.
To implement this functionality I had to create a class that extends Sitecore.Workflows.Simple.Workflow.
using System.Collections.Generic;
using System.Linq;
using Sitecore.Data;
using Sitecore.Data.Items;
using Sitecore.Diagnostics;
using Sitecore.Workflows;

public class CustomWorkflow : Sitecore.Workflows.Simple.Workflow, IWorkflow
{
    // The base Workflow class has no parameterless constructor, so the workflow id and
    // owning provider are passed through (assumed base constructor signature; verify it
    // against your Sitecore version). The overrides below live inside this class.
    public CustomWorkflow(string workflowId, Sitecore.Workflows.Simple.WorkflowProvider owner)
        : base(workflowId, owner)
    {
    }
}
Next we need the ability to filter which items are displayed in the workbox and which workflow commands a user can execute. To filter the items displayed in the workbox, the workflow needs to override the GetItems(string) function. The workbox calls this function to get the list of items to display.
public override DataUri[] GetItems(string stateId)
{
    // Start from the items the standard workflow would show for this state...
    List<DataUri> list = base.GetItems(stateId).ToList();
    // ...and keep only those the current user has item-level workflow access to.
    // HasWorkflowAccess(DataUri) is the per-item check described in this post.
    DataUri[] finalList = list.Where(p => HasWorkflowAccess(p)).ToArray();
    return finalList;
}
The above function calls the standard workflow GetItems function, then filters the result down to the items the user has access to. The next step is to restrict access to an item in the workflow and to restrict which commands a user can execute. To do this we need to override the GetCommands(Item) function. This function is called to get the list of commands the user can execute for each item.
public override WorkflowCommand[] GetCommands(Item item)
{
    Assert.ArgumentNotNull(item, "item");
    // No item-level access: return no commands at all, so the user cannot
    // execute anything against this item even if it is visible elsewhere.
    if (!HasWorkflowAccess(item))
        return new WorkflowCommand[0];
    // Otherwise fall through to the standard per-state command list.
    WorkflowCommand[] commands = base.GetCommands(item);
    return commands;
}
The above function checks whether the user has access to the item. If the user does not have access, no commands are returned. If the user does have access, the commands available under the standard Sitecore workflow are returned.
With this customization we have the ability to specify workflow security at the item level.
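The post never shows HasWorkflowAccess itself. The following is an added example, not code from the original post, of one way to implement both overloads: it assumes the roles allowed to work on an item are listed in a hypothetical multi-line text field named "Workflow Roles" on the item, and that CustomWorkflow is declared partial so these members can sit in a second file.

```csharp
using System;
using System.Linq;
using Sitecore;
using Sitecore.Data;
using Sitecore.Data.Items;
using Sitecore.Diagnostics;

public partial class CustomWorkflow
{
    // Hypothetical field on each item listing the roles allowed to work on it,
    // one role per line (assumption for this example, not a Sitecore built-in).
    private const string WorkflowRolesField = "Workflow Roles";

    // Overload used by GetItems: resolve the DataUri to an item in the content
    // database, then apply exactly the same check GetCommands uses, so the
    // workbox list and the command list can never disagree.
    private bool HasWorkflowAccess(DataUri uri)
    {
        Database database = Context.ContentDatabase ?? Context.Database;
        Item item = database == null ? null : database.GetItem(uri);
        return item != null && HasWorkflowAccess(item);
    }

    // Overload used by GetCommands: the actual enforcement point.
    private bool HasWorkflowAccess(Item item)
    {
        Assert.ArgumentNotNull(item, "item");

        // Administrators keep full workflow access.
        if (Context.User.IsAdministrator)
            return true;

        string[] roles = (item[WorkflowRolesField] ?? string.Empty)
            .Split(new[] { '\r', '\n', '|' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(r => r.Trim())
            .Where(r => r.Length > 0)
            .ToArray();

        // No item-level roles configured: fall back to the standard per-state
        // security the base class already applies. Return false here instead
        // if you want unconfigured items to fail closed.
        if (roles.Length == 0)
            return true;

        // Grant access only if the current user is in one of the listed roles.
        return roles.Any(role => Context.User.IsInRole(role));
    }
}
```

Filtering the workbox list only changes what is displayed, while GetCommands is the call that actually withholds the commands, so both overrides must share one check. Workflow security also does not replace item security: what a user can read or write on the item itself is still governed by the item's own access rights.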

The pain of the p tags in Sitecore

One thing I feel has never really been settled is how to handle p tags in a CMS. There are multiple ways to handle the issue, but none of them is a perfect solution.
Wrap a p tag around the fields. But what happens when the field already contains p tags? Hiding empty p tags works everywhere except IE.
Make the CSS support both a p tag and no tag. I would agree, but sometimes supporting both takes more effort than it is worth.
Suck it up and always support p tags. Another approach is to make the client responsible for ensuring the p tags are generated, and show them how to fix it if not. This only happens when the client does not enter any HTML.