It’s Saturday, 11.55. We are on in 5 minutes, and I’m alone in a basement in a university with my laptop, my talk partner’s laptop, a table and a pair of chairs. In front of me is a door to the lecture theatre, and I have no idea if the door is locked.
Applause: the previous speaker has finished, and well, I guess it’s time to find out if the door opens!
Welcome to the tale of how we put together “WordPress is not a security dumpster fire, fight us!”
10 minutes earlier, myself and Glenn, my talk partner, were in the green room rehearsing the talk. This was the second time that we had done timed runs; the first was the day before and came in at 27 minutes, a good 18 minutes short of our 45 minute goal. It was about this point that we realised we needed a table and chairs. Not a problem: we are literally in a university, there are plenty of tables and chairs, so we borrowed a table. We chose the table not for its aesthetics so much as because it had wheels.
Now, how do we get it down the rather large number of stairs to the lecture theatre? We could carry it, or we could try to put it in the lift, but where exactly did the lift go? Only one way to find out, right?
Two hours earlier, myself and Glenn had snuck outside the main event to sit in the sunshine. It’s about 9.45 in the morning and I was showing Glenn the slide deck that the audience would see for the first time. He had seen variations previously, but this was the first time it was complete.
How to write a talk
Writing a talk is a bit of a process: you come up with ideas and concepts, start to hammer out what you want to cover, formulate some slides, let the thing sit and settle, and over time refine it.
The process is more or less the same for two people. In our case, myself and Glenn are, politely put, seasoned speakers; we also know each other very well, and while it’s been a few years since we worked together, we are good friends.
Writing this talk would be a doddle…
[NARRATOR / voice of Keith] – it was not a doddle
We started with a simple CFP. A CFP, call for papers, is basically “tell us about your talk”, along with some other bits. Here is the (slightly edited) CFP we submitted to SteelCon, minus bios:
Title: Defend the indefensible – “WordPress isn’t a security dumpster fire, Fight Me!”
Tim believes that common wisdom is wrong and WordPress CAN form part of a Secure Enterprise ecosystem, Glenn, on the other hand, likes to sleep at night.
By taking on the role of attacker and defender, Glenn and Tim will walk you through an escalating series of Attack vs Defence scenarios with real-world examples; Tim will attempt to convince you that for most reasonable threat models, WordPress can easily defeat a skilled and determined attacker and Glenn will attempt to prove him wrong.
The talk aims to give something to both Red Team and Blue Team, covering some common (and not so common) techniques to both compromise and harden WordPress. Failing that, come watch two middle-aged blokes bicker about whether WordPress deserves its place as an industry joke, or is unfairly maligned because of misuse and unnecessary risk-taking.
Extra info for us
We’re aware cons are not generally in favour of multi-speaker talks, but Tim and Glenn used to work this good-cop bad cop schtick many years ago when they worked together, so it’s not one of those weirdly disjointed talks where each person reads a paragraph each. Two mics would be super handy though.
Rating: PG (The subject matter is WordPress, so some parents should think carefully if they want their children coming)
(SteelCon CFP entry)
I think it’s safe to say we are setting the tone as light-hearted; we hope we know our audience and know how to attract attention. Keep in mind we had no actual idea of how this talk was going to take shape; we basically were working on a good cop, bad cop style argument.
Like good speakers, we looked at our takeaways, the things we wanted people to leave thinking about and exploring. Our actual takeaways were:
WordPress is a CMS which you give users access to and expose to the web; guess what, that’s a terrible thing to do. But so is almost EVERY single CMS you have ever come across; you just see a lot more WordPress sites. Not only that, if you don’t want to go there, there are options: WP really static, or the REST API and Gatsby/a static site generator.
Just because you are an Enterprise, and WordPress is seen as a hobbyist tool, doesn’t mean you treat it any differently.
We protect WordPress like anything else: threat model, then mitigate or reduce risk.
Supply Chain Risk Assessment: you may trust core to auto-update, but how much do you trust 3rd party plugin/theme devs to have control over the code? Code review, risk assessment, sandbox, gate to live, supply chain analysis, SAST/DAST etc.
Again, that’s a dump of our internal notes, so if you don’t recognise some phrases, don’t panic.
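One concrete shape the “gate to live” and supply chain notes above can take is a check that runs before a deploy and refuses anything that did not go through review. This is an added example, not code from the talk or the post. It assumes the input is the JSON produced by `wp plugin list --format=json --fields=name,version,status,auto_update` (the `auto_update` field is an assumption about newer WP-CLI versions), the plugin slugs and versions are hypothetical, and the sample output is constructed rather than captured from a real site.

```python
"""Gate-to-live check for WordPress plugins against an approved manifest.

Added example, not from the original post. Input format assumed to match
`wp plugin list --format=json --fields=name,version,status,auto_update`.
"""
import json

# Constructed sample of WP-CLI output; plugin slugs are hypothetical.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "acme-spam-filter", "version": "5.3", "status": "active", "auto_update": "on"},
    {"name": "acme-slider", "version": "4.1.4", "status": "active", "auto_update": "off"},
    {"name": "acme-forms", "version": "5.9", "status": "active", "auto_update": "off"},
    {"name": "hello", "version": "1.7.2", "status": "inactive", "auto_update": "off"},
    {"name": "random-agency-plugin", "version": "0.1", "status": "active", "auto_update": "on"},
])

# Hypothetical approved manifest: slug -> the exact version that went through
# code review and the sandbox. Anything else is a finding.
APPROVED = {
    "acme-spam-filter": "5.3",
    "acme-slider": "6.6.0",   # reviewed version; the site is running something older
    "acme-forms": "5.9",
}

# Only core is trusted to auto-update; third-party code stays pinned unless
# a slug is explicitly added here.
ALLOW_AUTO_UPDATE = set()


def gate_plugins(wp_plugin_list_json, approved=APPROVED, allow_auto_update=ALLOW_AUTO_UPDATE):
    """Return (plugin, reason) tuples; an empty list means the site passes the gate."""
    findings = []
    for plugin in json.loads(wp_plugin_list_json):
        name, version = plugin["name"], plugin["version"]
        if plugin["status"] != "active":
            # Deactivated plugins still leave PHP in the web root; remove them instead.
            findings.append((name, "inactive plugin present; remove rather than deactivate"))
            continue
        if name not in approved:
            findings.append((name, "not in approved manifest"))
        elif version != approved[name]:
            findings.append((name, f"version {version} differs from approved {approved[name]}"))
        if plugin.get("auto_update") == "on" and name not in allow_auto_update:
            findings.append((name, "auto-update enabled for third-party code"))
    return findings


def passes_gate(wp_plugin_list_json, **kwargs):
    """True when no findings were raised."""
    return not gate_plugins(wp_plugin_list_json, **kwargs)


if __name__ == "__main__":
    # Usage: wp plugin list --format=json --fields=name,version,status,auto_update | python gate.py
    for name, reason in gate_plugins(SAMPLE_WP_PLUGIN_LIST):
        print(f"FAIL {name}: {reason}")
```

The manifest is the artefact the review process produces; the gate only compares the live site to it, so a plugin that was silently updated by a third party, or added by someone with `install_plugins`, shows up as a difference rather than being trusted because it happens to be installed.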
So with takeaways and some ideas for demos sorted, we started thinking about slide decks. Then life got in the way.
Turns out actually getting on a call proved near impossible; in fact, it wasn’t until the Sunday before SteelCon that we actually met up. In that time a semi-complete slide deck, mainly consisting of one-word broad ideas, was floating around.
Sunday: we build out an OK deck over several hours, but it’s clear something is missing.
We are also now on our 3rd coffee shop…
Both of us have glanced at our phones; our respective other halves have both asked when we are coming home.
We need a narrator.
The sticking point in our current deck is the lack of good segues between sections; with the confrontational style it was too easy to get into a rut and not be able to move particularly easily to the next section.
What we need is the narrator.
More like a play…
From “we need a way to move between sections” came Gary. All of a sudden everything has changed: we are no longer simply standing on stage taking turns saying “WordPress is OK”, “WordPress is bad”; instead we are in a meeting with “Gary”. Initially it was Gary Jones, but as I know a very talented WordPress dev called Gary Jones, this was later swapped for Gary Smith.
Gary from Marketing
A foil for both of us: he would ask questions and lead the conversation, bringing us back on track. Brilliant.
Except it’s Sunday; literally the next chance either of us will get to work on this is Thursday, and we didn’t have a third person.
Well, Gary would just have to Skype in.
Suddenly our opening scene seemed easy enough: the sound of Skype, and then we could have someone record the audio.
Now, sitting outside, we scrambled to get some words together and find someone to record them. The idea: myself and Glenn would get the demos ready, and off we go!
The voice of Gary
This was actually the easiest bit; thankfully my friend and colleague Keith (aka Mr Badger) happily agreed to be the voice. Keith, when not being a WordPress specialist or amateur (ham) radio operator, is a voice-over artist and DJ. Gary was recorded with no drama.
Only real issue: Gary is now fixed, and with hindsight, we needed more Gary in our lives.
Getting the demos together
We significantly pared back the demos. Initially we had both of us throwing demo after demo at each other, but for Gary we only needed a few:
- A demo of roles and capabilities
- RevSlider demo
- A one-line takeover
Doing the one-line takeover was not hard; I had done a similar demo a few years before, so I quickly redid it, along with recording the roles and capabilities demo with WP-CLI.
The goal was more to show off WP-CLI than to show a specific attack vector.
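The roles and capabilities demo is where least privilege on WordPress lives or dies, so here is the kind of audit a practitioner would run over the same WP-CLI output. This is an added example, not the demo from the talk, and it assumes two inputs: the JSON from `wp user list --format=json --fields=user_login,roles` and, per role, the JSON array from `wp cap list <role> --format=json`. The users, the custom role and the output samples are all constructed.

```python
"""Least-privilege audit over WP-CLI roles/capabilities output.

Added example, not the talk's demo. Assumed inputs:
  wp user list --format=json --fields=user_login,roles
  wp cap list <role> --format=json     (one call per role)
"""
import json

# Capabilities that amount to code execution or full site takeover.
DANGEROUS_CAPS = {
    "unfiltered_html",                                  # raw HTML/JS in content: stored XSS by design
    "edit_plugins", "edit_themes", "edit_files",        # write PHP through the admin editor
    "install_plugins", "upload_plugins",                # ship arbitrary PHP as a plugin
    "install_themes", "upload_themes",
    "update_core", "manage_options",
}

# Constructed sample of `wp user list` output (not real site data).
SAMPLE_USERS = json.dumps([
    {"user_login": "tim", "roles": "administrator"},
    {"user_login": "glenn", "roles": "administrator"},
    {"user_login": "gary", "roles": "administrator"},
    {"user_login": "intern", "roles": "content_publisher"},
    {"user_login": "old-agency", "roles": "ghost_role"},
])

# Constructed sample of `wp cap list <role>` output for each role on the site.
# Note: on a single-site install, core's editor role has unfiltered_html by
# default; DISALLOW_UNFILTERED_HTML in wp-config.php removes it.
SAMPLE_ROLE_CAPS = {
    "administrator": json.dumps(["manage_options", "install_plugins", "edit_plugins",
                                 "unfiltered_html", "edit_posts"]),
    "editor": json.dumps(["edit_posts", "edit_others_posts", "publish_posts",
                          "moderate_comments", "unfiltered_html"]),
    "content_publisher": json.dumps(["edit_posts", "publish_posts", "upload_files",
                                     "unfiltered_html", "install_plugins"]),
}


def audit(users_json, role_caps_json, admin_allowlist):
    """Return (kind, subject, detail) tuples for every least-privilege violation found."""
    findings = []
    role_caps = {role: set(json.loads(caps)) for role, caps in role_caps_json.items()}

    # Any non-administrator role carrying takeover-grade capabilities is a
    # finding, regardless of who currently holds the role.
    for role, caps in role_caps.items():
        if role == "administrator":
            continue
        for cap in sorted(caps & DANGEROUS_CAPS):
            findings.append(("role", role, f"grants {cap}"))

    for user in json.loads(users_json):
        login = user["user_login"]
        roles = user["roles"]
        # WP-CLI emits roles as a comma-separated string; accept a list too.
        roles = roles.split(",") if isinstance(roles, str) else list(roles)
        for role in roles:
            if role == "administrator" and login not in admin_allowlist:
                findings.append(("user", login, "administrator not in allowlist"))
            elif role not in role_caps:
                # A role that no longer exists: leftover from a removed plugin or agency.
                findings.append(("user", login, f"unknown role {role}"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in audit(SAMPLE_USERS, SAMPLE_ROLE_CAPS, {"tim", "glenn"}):
        print(f"{kind:4} {subject:18} {detail}")
```

Two things the sample is built to surface: an administrator nobody signed off (gary), and a custom role that was handed `install_plugins` and `unfiltered_html` so an “intern” can do everything an administrator can, just without the label.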
Which left RevSlider, the daddy of WordPress hacks. We had a week; could either of us, both security professionals, and me with, let’s face it, a lot of WordPress sites to work from, find an exploitable copy of RevSlider? Nope.
Which is a shame, as we wanted to show the WordPress Exploit Framework in action, live, so we had to use an older video by Wordfence, with a lot of credit. It made for an amusing moment, as Glenn would have to admit where the video came from.
The tree of knowledge
If anyone was at the SteelCon workshops on Friday, they would have seen me and Glenn in the corner with pieces of paper, some of which would come on stage the next day.
Want to know a secret?
We had two slide decks. If you watch the video you will see a laptop in front of us; this wasn’t the visuals that folks saw up on the screen, this was a colour-coded deck:
Red/Blue/Yellow for Glenn, me and Gary. That deck was finished by Friday afternoon, the visual deck on Saturday.
On with the show…
So I push on the door. Oh, thank you, it’s open. In I come, pushing a table and a pair of chairs. We hook up my laptop to the main projector, and at this point we are sort of praying the audio will work.
I’m controlling the main slides; Glenn, on the other hand, is controlling our real deck.
British Sign Language interpreters come and introduce themselves. You know that moment when you realise you’ve just done a ton of work on a website, then you do an accessibility audit, the moment where you feel a little embarrassed for how bad it is?
We had at no point thought about what if someone in the audience was deaf. A frantic chat and brief explanation to the interpreters of what was going to happen, and well, we are ready.
The Skype noise booms out, and we are off.
We had realised we had two potential issues with our meeting setup: it did not suit monologues, and well, we didn’t have enough Gary. At some point we would have to recognise the audience was there.
So we did it early: when we were stood up, it meant we were talking to the audience; sat down, to ourselves and Gary.
The jokes came, so did the content. It was probably a bit too confrontational and some of the actionable points were lost, but it was a lot of fun.
We kept it PG too, until the questions… I really hate Pipdig.
So how do you do a talk?
Not like us, but actually I took a lot away from the SteelCon amateur dramatic society.
What worked: I really liked Gary acting as segues; with a little more practice and half a dozen more Gary segments it would have worked so much better. Indeed, I was generally pleased with the Gary deck.
The joking style came across as very natural, and the table prop worked well as a way of distinguishing between talking to the audience vs the play.
The meeting sort of worked, as did the to-audience aspects; the ability to shift from narrative to a more traditional talk worked in practice and gave a glimpse of how it could work well in future.
What didn’t work was the talking points; while we had the second deck, we didn’t take the opportunity to flesh it out with more notes.
We also didn’t have a clear idea of what each of us was going to say in each section, as we were improvising in part to bring out the “drama”; consequently we missed some key points, key points that were actually on the slides :(
But the thing that I think let it down was that we didn’t get the balance right between Gary, the audience and our own bickering. It was always going to be a fine line, and with Gary’s limited number of lines he sort of vanished. Glenn had to keep reminding folks Gary was there (or not there).
The talk didn’t bomb, but it didn’t hit the right note; we tried something different and it didn’t utterly fail, which is a win.
This was the right conference to do it at, and this was the right crowd. I’m not sure this particular talk will be done again, but I have taken loads away from how we did it that will be going into my own talks.
Audio/sound: tricky beasts, and one I have avoided on the whole; though I have played with sounds in presentations, it’s always been to augment something rather than as an integral piece. I’ve often wondered if music or other audio could be used sympathetically with a talk, and I am now much more emboldened to go down this route.
Props: I really liked the table, I think it worked really well. I wish we had had more than 15 minutes to grab more paper and do more diagrams, but that idea came just too late in the day.
But the key thing for me was to reinforce that a good presentation, beyond takeaways, should have a narrative, and that’s something I want to concentrate on in my next few talk ideas: getting the narrative right. It doesn’t have to be a play every time, but if the narrative is done right it will make an anchor for the entire talk.
The audience applauds; we made the BSL interpreters’ lives hard, the video team have to somehow edit this, and we are into questions. Really we only get a single question, and to be honest it was a perfect question; they could have been a plant. Wait, were they a plant?
Pipdig, a whole narrative in itself, and we were off again.
The talk is over; we have a table and a pair of chairs to somehow get through a crowded, lunch-filled hall.
A big thanks to Keith once more for being the voice of Gary.
Glenn and myself took a risk, and it didn’t totally pay off, but I’m still proud of the result. It will define a lot of how my talks look in future as I dissect it and take things away. So anyway, here is the video; don’t judge us too harshly!