Lessons Learned by the WordPress Security Team

Offered By: BSidesLV via YouTube

Tags

Security BSides Courses, WordPress Security Courses

Course Description

Overview

Explore key insights from the WordPress Security Team's experiences in this 52-minute conference talk delivered at BSidesLV 2018. Delve into the challenges and strategies of maintaining security for open-source software, with a focus on WordPress's journey. Learn about the evolution of security practices, including the shift towards automatic updates and the complexities of user education. Discover the team's approach to assessing needs, building relationships, and implementing effective tools. Gain valuable knowledge on code review processes, bug bounty programs, and incident response techniques. Understand the delicate balance between security measures and feature development, and uncover important warning signals for potential vulnerabilities. Walk away with practical lessons learned from one of the most widely used content management systems in the world.

Syllabus

Introduction
Who remembers this game
Open Source
Security Shift
Secrecy
Secure Versions
Automatic Updates
Does it help keep users secure
Securing users was complex
Educating users is difficult
History lesson of WordPress
Growth of WordPress
Assessing Needs
Is it Possible
Benefits to Volunteers
How do we make this work
Our tools
Tools don't fix our problems
Building relationships
QA
Lost Gentleman
Target on our Back
Code Review
Friction with Feature Development
Bug Bounty
Warning Signals
Incident Response
Lessons Learned


Taught by

BSidesLV
