Meet the Team: Joomla Security Strike Team
One of the teams that people don’t hear a lot about, except in release notes, is the Joomla Security Strike Team, often called JSST for short. It is time we shared a little insight into what kind of issues this team actually works on, and who is on this team anyway.
What is the team’s main goal?
That’s simple: making the CMS as secure as possible! That’s a simple goal, but it includes numerous tasks:
- we review and triage reports
- we develop patches for valid issues
- we do code reviews of new features before they are merged into the core
- we monitor and secure the Joomla.org infrastructure
What is your place in Joomla’s ecosphere?
I guess we are more of a “behind the scenes” team. If everything goes well, we are barely visible to the outside world, and end users in particular should barely need to pay attention to our work - besides applying security updates in a timely manner, of course!
However, we want to make parts of our work more visible in the near future, e.g. by publishing our internal pull requests, including the comment stream, after a release, to make our processes more transparent and move away from being a big black box towards the community.
What roles do you have within the team?
Well, we have the required roles of Team Lead and Assistant Team Lead, we have a liaison with the VEL team, and we also have the current Release Leads on the team, helping with the actual release process.
Team members: introduce yourself please :)
David Jardin: My name is David, I’m 32 years old, I live in Germany and I've been involved in Joomla since the Mambo days. I've been a JSST member since 2014 and am the current Team Lead.
Tobias Zulauf: My name is Tobias, I’m from Germany and have been involved in Joomla since 2011 in different roles. Since 2017 I've been a member of the JSST and serve as the current assistant team lead.
Richard Fath: I was asked to join the team in January 2021 because of my skills related to database and other technologies. I help with reviewing and testing security patches.
Harald Leithner: Like many other Joomla contributors, I started with Joomla in the Mambo days, but for a long time only as a user. A couple of years ago I went to a JoomlaDay and joined the community. After this event, I got involved in the core really quickly by joining the JSST and later becoming Release Lead for 3.9.3+ and Production Department Coordinator.
Niels Braczek: I joined JSST in January 2021 as the maintainer of the Joomla Framework.
How often do you have meetings, and how do they take place?
We have a bi-weekly informal meeting on Mondays. Those are video calls where we discuss new reports, current tasks and upcoming releases.
On top of that, we hold “formal” meetings from time to time, mainly for election purposes but also to discuss matters that affect the whole team.
What tools do you use to work together?
Our primary tool for outside communication is a ticket system based on Zammad, a great piece of open source software. For internal communication, we use a RingCentral channel and, of course, a private GitHub repository for issue-related communication and the development of patches.
If you had three words to describe the atmosphere within the team, what would those words be?
David: constructive, exciting, challenging
Tobias: focused, collaborating, process-oriented
Richard: Collaborative, professional, focused
Harald: Most Important Team
Niels: professional, competent, serious
How did the team develop over the last year(s)?
The team is a very constant one. Neither the team members nor our tasks have changed much during the last couple of years.
What difficulties do you face, and how do you (plan to) overcome them?
The main issue is that we have to keep the team as small as possible because we handle very sensitive information about undisclosed vulnerabilities - but at the same time, we need a big team of people with different skill sets to handle reports, triage them and, especially, create and test internal patches.
That’s a fundamental contradiction; however, we try to at least partly solve the issue by bringing in external experts for specific issues.
Do you also work with people outside of the Joomla Community?
Yes, that’s a very important part of our work. Most vulnerability reports are made by security researchers without any Joomla background, so that’s daily business. On top of that, we work together with security teams from other CMSs, with web hosts, security software vendors, MITRE for CVE IDs, other CNAs and industry leaders like Google. In the web security world we all face very similar challenges, so it’s an obvious thing to cooperate where possible.
What was the security issue that made the biggest impression?
In December 2015 a zero-day remote code execution vulnerability was exploited to gain control over Joomla sites. That vulnerability was a very special one because it was a true zero-day issue: we didn’t get an upfront report from a researcher but could only see sites being hacked “in the wild”.
The actual attack vector was related to an underlying PHP bug, and the actual execution in Joomla required using an edge-case behavior in MySQL and misusing code from another third-party library - so it was a very complex and, in its way, beautiful attack payload.
Do you need extra volunteers, and if so, in what capacities?
Definitely yes! We are looking for volunteers with a web security and/or development background who have a solid involvement in the Joomla community.