As part of our efforts to help the Japanese open-source community write more secure software, we recently reached out to the creator of the baserCMS open-source project, Ryuji Egashira, who has started using VAddy together with TravisCI to continually scan for vulnerabilities (several of which were patched in August with the 4.0.6 release of baserCMS). Egashira is currently the chairman of the Baser Foundation, a nonprofit organization supporting the community of baserCMS users and developers.
We met up with Ryuji Egashira at Catchup, Inc., where he serves as Representative Director, to ask him to tell us more about baserCMS and his experiences using VAddy.
baserCMS is an open-source content management system (CMS) developed in Japan to help Japanese companies build their own websites. Because this CMS was built up to serve the needs of real-world projects, it includes the minimal basic functionality required to build a company’s website. It is highly customizable and makes it possible for anyone to update a site with a bit of training—even if they do not have much experience working with computers.
I originally released baserCMS as a personal project in December 2009. Five years later, in 2014, I established the Baser Foundation as a nonprofit organization to provide support for baserCMS and reassure users that they could continue to rely on it. The baserCMS user group is now in charge of the project’s development.
Until relatively recently, security didn’t seem to get much attention in the world of open-source software (OSS). After all, some would say, you only get what you pay for. Even so, in recent years several high-profile security incidents caused by OSS vulnerabilities have made OSS users more aware of security-related issues. For example, when we recently disclosed a vulnerability in baserCMS the news was widely shared through social media; similarly, more of our customers have begun asking us how much more or less secure baserCMS is than other content management systems.
For the most part, the security of open-source software is wholly dependent on the skills of the individual members of the development team. When was the last time you heard that a security engineer had comprehensively examined an OSS project’s code—or that external security audits were conducted with each release? The baserCMS team conducts code reviews prior to every release, but there’s always something that slips through the cracks. I’d hazard a guess that this problem affects many open-source projects and is not unique to CMSs. Of course, even that may not necessarily be true because in the long term many OSS projects end up being maintained by a company.
We use baserCMS in real-world projects at Catchup, Inc., where I serve as Representative Director. Some of our customers scan for vulnerabilities on their own, reporting any that they find to the baserCMS development team. We also work together with the Information-Technology Promotion Agency of Japan (IPA) and the Japan Vulnerability Notes to responsibly disclose any problems with baserCMS that come to our attention.
In the past we’ve used vulnerability scanners to test the areas of a website that are exposed to the public Internet, but we could not always run the same scans on private administrator pages because some automated scanning tools could not access password-protected pages. At first we didn’t consider this to be a problem for baserCMS because it is mainly used by a company’s employees, whom we should be able to trust, but over time we received several reports of vulnerabilities in administrator pages through the IPA.
Until now, our approach to security could best be described as reactive rather than proactive. Part of the reason for this is the fact that baserCMS is only being provided to customers in Japan, making it a less attractive target for attackers than more well-known CMS tools that are used around the world.
As part of their efforts to improve the security of open-source software, the VAddy team allowed us to use one of their premium plans free of charge. We immediately scanned a standard installation of baserCMS and were quite surprised when it reported that it had found a handful of vulnerabilities! Our surprise underlines VAddy’s effectiveness at finding vulnerabilities. We fixed these flaws in version 4.0.6 of baserCMS, which we released in August, and are encouraging users to upgrade to this latest version.
(Editor’s note: As of October 20, the latest version of baserCMS is 4.0.7.)
Earlier I stated that our approach to security could best be described as reactive; now we are able to proactively scan for vulnerabilities with VAddy. Even for open-source software, we think that security is both an advantage and an obligation of the software’s maintainers.
Going forward, we plan to use VAddy to scan all new features we add to baserCMS, ensuring that no vulnerabilities are found before they are released. We would like baserCMS to be known as an OSS project with a commitment to security, which will hopefully reassure both new and existing users that this is a CMS they can trust.
Though I have mainly been speaking in my capacity as the chairman of the nonprofit Baser Foundation here, I would also like to make a case for using VAddy in my role as Representative Director of Catchup, Inc. In practice, businesses that use baserCMS have a software stack with both open-source and proprietary components. Even when the security of the open-source component has been thoroughly vetted, vulnerabilities may be introduced into the closed-source component. If VAddy can help with the former, it should also be able to help with the latter.
Established in April, 2014
Chairman: Ryuji Egashira