Gallery Security and Gotham Digital Science

Vulnerabilities in web applications (like Gallery) are increasingly a sweet spot for attackers. We are very aware of this, and take the security of the Gallery project very seriously. In addition to our internal guidelines, processes and audits, we’ve had external security experts perform security audits of our code for the last several releases of Gallery 2.

Recently, we retained Gotham Digital Science (GDS) to perform security audits on Gallery 1 and 2. They are experts in application security, as it's basically all they do. The relationship we have built with GDS has proven valuable based on the results of the audits and we are looking forward to partnering with them on audits of future versions of Gallery. Please read on!

We recognize that hiring external consultants to perform security audits does not guarantee that our code is bug-free, let alone unhackable, but it clearly indicates our willingness to perform due diligence to make sure our code is reasonably secure. The combination of the external perspective of security experts and the insight of internal experts, both performing detailed audits, is yielding much better results than either perspective alone.

External security audits perfectly complement and improve our internal measures for producing secure software. The audits not only help identify specific security issues, but also provide an independent review of our internal measures, exposing general strengths and weaknesses in the development process. We learn what works well and what needs to be improved, and can adjust our internal measures accordingly.

Like any other software, Gallery has bugs, and some of those bugs may affect security. While we cannot guarantee that future versions of Gallery are completely bug-free, external audits and our constantly improving internal measures contribute a great deal toward making each new Gallery release the most secure one yet.

Gotham Digital Science did a great job on their audits of portions of the Gallery 1 and 2 code bases, and the dialog between their experts and our developers proved very fruitful for security enhancements in Gallery 1 and 2. We plan to continue working with them to help secure future versions of Gallery. Check out their blog, and remember, your donations help pay for things like this!

Thanks for the continued effort to deliver quality software!

As a user of Gallery 1, I'm wondering how much of the GDS attention is directed towards the 1.5.x and 1.6 (alpha/beta) releases. A rough indication would be appreciated, thanks.

As we are approaching the 1st anniversary of the Gallery 1.6 focus week (Week of Gallery 1.6), I'd appreciate an official statement about current release plans for Gallery 1.6.

thank you,
-- Peter
[img]http://www.schumacher.ch/logob.jpg[/img]


A thorough review of Gallery 1 was performed. We are applying all of the security fixes to the 1.6 codebase, and backporting the majority of the issues to the 1.5 codebase as well. Expect an RC of 1.6 sometime in the future, as well as a 1.5.x security update.
____
http://ckdake.com/ - If you found my help useful, please consider donating to Gallery.

And with the future, do you mean a week, month or longer?

Geld Lenen


Whenever it's ready. We only have 1 developer working on G1 (and he has the usual life/job/etc requirements), and given that we require code reviews for all code, having people unfamiliar with G1 doing the reviews slows down that process a bit. We'll get it out as soon as we can do so!
