Hi,
In the last few days a few security bulletins were published. I didn't write about them, but because we have more reports of such things than in the past, I think it's time to think about it. I mean, no software is perfect, and we can be lucky that no security hole has been found in TYPO3 itself so far. Maybe this is because TYPO3 is secure, or maybe people just don't look closely enough. Anyway, 99% of the security alarms so far concern third-party extensions.
The question for me now is: how many bombs are sleeping inside the TER? I think there are a lot.
The TYPO3 community is very big, and we have a lot of extensions. Every day new versions and completely new extensions are uploaded to the TER. It's impossible for the security team to check them all. Anyway, I guess that currently only a small part of them can and should be used, for various reasons.
How can we separate the important extensions from the unimportant ones, the extensions that are really used from those that are not? One possible method is the download counter, and I believe that the most popular extensions are already reviewed for security.
Another approach could be a general review. A big step forward in gaining knowledge about the existing extensions was the start of the extension comparison team. They check a group of extensions every three months and publish the results in the T3N Magazin. They don't check for security issues but for usability. But that can be used as base information to reduce the number of extensions that have to be reviewed by the security team. Or maybe the team leaders should think about a cooperation: every time the comparison team checks a group of extensions, the security team could check them for security as well.
Just my 2 cents,
Thomas