The Common Web Platform (CWP) has been set up to be a highly secure platform. As an agency on CWP, you are supported by a service that prioritises security practices, and by a product that is proactively maintained and assessed so that security threats and vulnerabilities are managed with a focus on your experience.
We're changing the way we assess security issues so that the impact on your site is clear, and we're doing more to communicate known issues that are identified after a release.
More reliable impact rating through CVSS
When a security incident arises that relates to a threat, a risk, or an actively exploited vulnerability in SilverStripe CMS, SilverStripe assesses the impact and assigns an identifier and a security rating.
Our previous severity rating, a critical/high/medium/low split with plain English definitions, has met the needs of organisations using the SilverStripe product. For agencies on CWP, however, that rating did not take into account the additional protection already provided by the platform (e.g. the Web Application Firewall or agency-specific IP whitelists).
For this reason we have adopted the Common Vulnerability Scoring System (CVSS). A CVSS Base Score describes the vulnerability itself, independent of where it is deployed; the Environmental Score adjusts that rating for a particular deployment. We apply a CWP-specific CVSS Environmental Score that reflects the additional protections CWP already provides, which gives a more robust impact rating. From now on, every product security issue we announce will carry a CVSS score, so you will have a clear understanding of the impact on your CWP site. These scores won't apply to infrastructure vulnerabilities, which are handled on your behalf.
CVSS is the industry standard for large open source projects that are depended upon by thousands of organisations around the world. You can also read how it is being adopted by the SilverStripe open source product.
Keeping up to date with security announcements
There are two main kinds of security announcement from CWP that your Stack Manager and Release Manager should be aware of:
- Those relating to CWP infrastructure, and;
- Those relating to the SilverStripe CMS
Maintenance of CWP infrastructure and patching of infrastructure security issues are managed on your behalf, with advisory emails sent to keep you up to date. Notices are also published on the CWP Updates page for logged-in visitors.
Similar announcements will keep you up to date on major incidents relating to SilverStripe CMS. For non-major incidents, unless a vulnerability is known to be exposed, information won't be published until a fix is available. Once it is, the details appear in the change log of the security release that contains the fix, alongside the CVSS score, which will help you assess the importance of the release in relation to your site.
Communicating known issues
Aside from security issues, given the wide range of modules and features that SilverStripe CMS provides, there is a chance that bugs in the commercially supported modules are uncovered after a new CWP version has been released.
To better inform agencies as they look to take advantage of a new release, we will increase the visibility of known issues with a new section in the CWP change logs.
Here we will provide information on high or critical impact bugs in supported modules that are known to be widespread across CWP and may affect upgrade decisions. This information will be posted on the version-specific CWP change log for future releases, starting with CWP 2.3.
As usual, if you are experiencing issues with your site, contact your digital agency or the CWP Service Desk, who may refer you to these known issues and to information on staying up to date. You can also search all existing issues captured on GitHub through the SilverStripe bug tracker.
To read further on keeping your site up-to-date on CWP, see the site maintenance section on the CWP website.