We caught up with Wordpress Security Team Lead Aaron Campbell at DrupalCon Nashville to learn about the Open Web Lounge, what's happening with Wordpress Security, and how these communities get along.
Episode Guests
Aaron Campbell
Aaron has over sixteen years of web development experience. He has been a regular contributor to WordPress for the last eight years, and even co-lead the WordPress 3.6 release.
Transcript
Transcript
- Chris:
- On this episode I'm going behind the screens at DrupalCon Nashville with Aaron Campbell, the WordPress Security Team Lead. Welcome to DrupalCon.
- Aaron:
- Thank you.
- Chris:
- So give us a little introduction, and tell us about what you're working on their at WordPress.
- Aaron:
- So I'm the WordPress Security Team Lead. I am sponsored by GoDaddy to work full time on the WordPress open source project, sort of leading the security team is what I do with that at the moment.
- Chris:
- So we'll talk a little bit about what you're doing here at DrupalCon in second. So tell me a little bit more about what the security team is working on with WordPress? And as for my background, I familiar with Drupal, I know a little bit about WordPress, and I imagine that this is primarily a Drupal Based podcast and most of our listeners are there too, so educate us a little bit on how the security team works with WordPress, and how that systems works.
- Aaron:
- It's not especially dissimilar to the Drupal security team. We have a group of us that handle everything from triage to fixing, and ultimately releasing the whole process of security, but it's not just on WordPress core, we also cover all of our other projects, BuddyPress and bbPress, WP-CLI, and all of our online properties. So all of our wordpress.org sites and WordPress camp.org sites, and we sort of process that starting with reporting through HackerOne and pushing it all the way through to release.
- Chris:
- So does that touch any of the WordPress plugins at all or is it more set like WordPress centralized?
- Aaron:
- It's WordPress centralized right now. We work closely with a lot of the larger plugins to assist in security when it's useful. When having that sort of open line of communication can be helpful to them, or to us. Sometimes we help leverage, we leverage some of their talents to help us out. But we don't official cover any WordPress plugins, except I guess the themes that are packaged with WordPress core, the couple plugins that are packaged with WordPress core, those would be covered by our team.
- Chris:
- Is there anything in particular, I guess I would phrase this, any particular challenges or major obstacles that you've had to overcome recently in respect to managing security for something for such a wide ecosystem?
- Aaron:
- Yeah, I mean there're several big challenges that we've sort of had to face and overcome over the last year or so. Some of that has been developing better relationships with host, Wafts and CDNs and those kinds of things as we've come across some issues that could be protected against at the network layer. This was a thing that we hadn't especially dealt with or done, before so a security team sort of having to reach out and build relationships in order to be able to be better at what we do, that's been a little bit new and different.
- Aaron:
- And within the last year we launched our Bug Bounty program, where we pay people to report security issues, responsibly and to work with us to fix them. And so that's been a really big thing that we've had to figure out as we go as well. The scale of WordPress that you were mentioning makes it a little bit harder dealing with the number of reports that come through.
- Chris:
- How has that Bug Bounty program been working for you? Have you gotten a lot of success out of it? I know you said you're still growing through it, and there's still some challenges to work out, but overall how would you evaluate that?
- Aaron:
- Yeah, so at this point I would say that overall it's been very good. It was a big struggle, especially at the beginning. We got flooded with a number of reports that we ... A level of reports that we didn't really expect. And we got flooded with a lot of invalid reports. A lot of people that maybe didn't understand sort of the more inner workings of WordPress, and they thought they saw a vulnerability, but it wasn't, and so it was a real struggle at first, and we worked through some of those kinks and used some additional tools to sort out some of the signal from the noise. But now I feel likes its been very good. It has helped us find and fix issues that we may not have otherwise noticed and to me that's a success.
- Chris:
- Absolutely. So you're here at DrupalCon, what is it that you're doing here, and what do you hope to gain about participating in the conference.
- Aaron:
- So I guess what am I doing here. I guess there's a couple things, I was speaking here, not on security on introversion and how to be successful as an introvert. A thing that I'm particularly passionate about, but I'm also spending quite a bit of time at this open web lounge that brings together people from different open source projects to talk about subjects that affect all of us.
- Chris:
- So is this your first DrupalCon or first DrupalCon event?
- Aaron:
- It is my DrupalCon, yeah, and it's been fantastic, its been a lot fun.
- Chris:
- Yeah the energy is always so high at these. I gave a presentation about something similar that it sounds like your topic about how to deal with the introvert, but having such an amazing energetic conference like everything going on. How has your reception been about between DrupalCon and WordPress?
- Aaron:
- Both are pretty open accepting communities. This is a thing that I didn't necessarily know that about the Drupal community until I came here and sort of experienced it. But it's been fantastic. I think that there's something to that sort of open source mentality, if you will, that makes these communities particularly accepting, and I was a little worried about standing up in front of a bunch of people on stage, and saying, "Hi I'm at your Drupal event, I'm a WordPress person," but it went over fantastically, no issues at all. Everybody has been super welcoming.
- Chris:
- That's awesome you got to love to hear something like that it can feel sort of like your walking into enemy territory at times. I feel like there's more that we can learn from each other than competing against each other for.
- Aaron:
- Absolutely. The projects, the communities that surround them, we face a lot of the same issues. We're trying to solve a lot of the same things. Our security team is doing things that are very similar to what the Drupal security team are doing, and so we're trying to work closer together, so that we don't both have to invent the wheel if you will, we can invent it together and both use it. I was part of a discussion, just a little bit ago, about diversity and inclusion. Things that both communities are tying to sort of get a better handle on and do better at, and if we work together at them its much better. We can find more potential solutions together than we could on our own.
- Chris:
- Absolutely. So this booth that we're in, this is the Open Web-
- Aaron:
- Lounge.
- Chris:
- ... Lounge. It's new to DrupalCon this year. Have you had a lot of participation coming through here? A lot of people stopping by?
- Aaron:
- Yeah, it seems like it. There's been some scheduled talks, we've scheduled like three talks a day that we all sit on the couch, and talk about a specific topic. But even outside of that it seems like people have just been stopping by asking what it's about, and when they find out that it's multiple open source projects all seeing how we can work together its sparked up all kinds of interesting topics between people, and it's been fantastic.
- Chris:
- That's amazing. I like to take things and kind of turn them around a little bit, but first I like to ask you for one piece of advice that could be anything for somebody who maybe is deciding between WordPress or Drupal, but that seems like its too easy of a question. I want to get a little deeper. Do you have anything that you've gone through recently or something that you've found that you might want to share with somebody? A piece of advice? It could be something security related social media, maybe your either not looking for, or something that maybe the Drupal community can learn from the WordPress community? What could you bring over?
- Aaron:
- Wow that's an awful wide selection of options for me to choose from. Security-wise I feel that the Drupal audience is kind of a little bit more like ... A little bit heavier on the technical side, a little bit more seasoned developers and that kind of stuff. And I've found, in a lot of conversations here, just like I fund with conversations with people in the WordPress community, that are the seasoned developers that we start to get so tied up in the super technical difficult parts around security that we sort of ignore some of the super basics. We sort of let ourselves forget things like making sure that everything is up-to-date, and simple things like updating our passwords regularly, or not repeating passwords. We start to fall into a lull, where you're just not thinking about it anymore, and so the biggest thing I try to remind myself to do is to remind people stop and think about the basics for a minute and just verify that you're still doing them. So I guess that would be my little tip for advice.
- Chris:
- That's a great one. I think we're all guilty of that from time to time, like using the simple password just because it's easy for now, or Drupal updates we'll get to those later, or the WordPress updates we'll get to those later. So if you woke up tomorrow and the Internet was gone, no more websites to maintain security for, or to look out for, what would you do with your time?
- Aaron:
- I mean I got all kinds of things that I would love to do with my time, I'm not sure how I would turn any of them into a way of supporting myself, without the Internet, but I'm an avid dirt bike rider. I live out in the middle of nowhere, Oklahoma, and have a motocross track on my property, along with a bunch of trails. If I spent less time on the Internet I'd probably spend even more time out there doing that with my son, he's 14 and rides with me as well. So I would probably turn to spending a lot more of my free time doing those kinds of fund things.
- Chris:
- Oh that's a lot of fun. Another unique answer, I get so many great unique answers to that question it makes this job really fun.
- Aaron:
- That's awesome.
- Chris:
- And so finally to wrap it all up, is there anybody you'd want to say thank you to or share some gratitude with, helped you along the way, gave you a push, maybe a good presentation or something?
- Aaron:
- Yeah, first of all the one that's right on the top of my mind is just this whole group here at the conference has been super inviting as a first time person. It's been a while since I've been to such a big tech event where I was really a first timer there, and had no idea what it was like, so that's been fantasist. Looking back through kind of what kicked me off in my career and got me going down the path that I'm on, I'd give a quick shout out to Mark Jaquith, who's a big part of the WordPress community. Back when I first got started, he was the one who helped me sort of shepherd my first patch into WordPress core. And it was sort of that first taste of contributing back to open source, and he helped me do it, and I was like hooked after that, so I think that a quick shout out to him for helping me get into it.
- Chris:
- Excellent, and thank you so much for taking a few minutes, its been wonderful.
- Aaron:
- Absolutely, thank you.