The end of 2021 and the beginning of 2022 saw some big security vulnerabilities in the open-source space, including log4j – something that prompted people all over the world to consider: what should we do about open-source software, contributors, and general security?
One solution is to entice developers to find and patch bugs through bug bounty programs – something that today’s guest, Robert Rowley is very familiar with. It’s something his employer, Patchstack, runs on a global scale! They also maintain a database of vulnerabilities to help with the bug bounty program, as well as keep site owners informed; and now Plesk customers get Patchstack integration included in the WP Toolkit.
In this Episode: Bug Bounties, Risky Passwords, & Site Patching
WordPress accounts for over 40% of the web, so security is a big, important topic for site owners. Luckily, both Plesk and Patchstack are dedicated to keeping WordPress sites safe! In this episode, Robert tells us about Patchstack’s global bug bounty program to help fund developers keeping open-source software safe.
We also discuss how security ownership is a team effort, from the site owner to the hosting company. Vulnerabilities can happen at any level, so all stakeholders need to be vigilant.
Finally, we talk a bit about risk analysis, how to stay on top of patches and vulnerabilities, and what the future of site security looks like. Let’s have a listen!
- Bug Bounty Programs are a way for developers to get paid for finding and patching bugs. They are especially important for big, open-source projects like WordPress.
- Patchstack runs a global bug bounty program where they guide and pay developers to find and patch bugs.
- Patchstack also maintains a patch and vulnerability database, which they use to notify site owners of patches to keep their sites safe. And now, Plesk’s WP Toolkit integrates directly with Patchstack – meaning customers will automatically get these notifications.
- Site security is a team effort. It’s easy to assume it’s “someone else’s” problem, but the truth is everything from a poor server environment to a weak password can put a site at risk.
- 2-Factor Authentication is an easy way to improve security, even if weak passwords do exist.
- It’s important to patch vulnerabilities as soon as one is available. If there is no patch, it’s important to do risk analysis. If there’s some other protection (passwords or firewalls), you probably have some time. If not, you may need to change products.
- A lot has changed over the last 20 years in site security, and the current environment favors site owners. However, things can always change.
- More utilities give site owners the power to make moves and keep their sites secure.
- In the future, Web3 and blockchain tech could be used to help secure sites because they are basically public ledgers. The experimentation now will make way for more practical applications.
The Official Plesk Podcast: Next Level Ops Featuring
Joe is a college-accredited course developer and podcast coach. You can find him at Casabona.org.
Robert Rowley is a Security Advocate at Patchstack, and has been working in the security field since 2008. He is a long-time supporter of open-source software.
Did you know we’re also on Spotify and Apple Podcasts? In fact, you can find us pretty much anywhere you get your daily dose of podcasts. As always, remember to update your daily podcast playlist with Next Level Ops. We publish on the second Tuesday of every month so stay on the lookout for our next episode!