Radio Liferay Episode 49: Tomáš Polešovský from Liferay's Security Team

  It's been a long time and finally... Radio Liferay is back with several episodes in the queue. Today, Tomáš Polešovský starts off by talking about Liferay's security team and its procedures, as well as his work within that team. Tom has already been a guest on Radio Liferay's ancient episode 9.

Here are some of the topics that we talked about:

  • The glorious, glamorous days one has on the security team (consisting mostly of email, tickets and pull requests)
    • Different ways to make Liferay more secure
    • Gathering feedback from community and customers
    • Monitoring Liferay Forums and full disclosure mailing lists (also about the various libraries that are used in Liferay)
    • Scan source code for problems
  • Liferay cooperates with external security researchers for penetration testing
  • Customers perform external audits as well.
  • An example of an actual audit report: 49 very alarming false positives vs. 1 real corner case
  • The security issue fixing process
  • The first security episode with Sam Kong
  • Link to the community security update page. CE updates are always made only against the latest GA version
  • Some low-hanging fruit in secure Liferay administration (on the fly)
    • Disable "create new accounts" if you don't want random users to create new accounts (e.g. in an intranet)
    • JSONWS access
    • Disable Control Panel, add "My Account" to user's personal pages instead
    • The Securing Liferay series and the "additional Resources" here
  • What will happen with Liferay 7?
  • OAuth, and the related Radio Liferay episode 44 with Stian
  • SQRL (disclaimer: I misled Tom by mispronouncing this library - he's aware, but there's no implementation - yet - for Liferay)

Follow @RadioLiferay, @topolik (Tom) and @olafk (me) on Twitter.

You'll find this episode - and make sure that you don't miss any of the future episodes - by subscribing. You can also subscribe on iTunes: just search for "Radio Liferay" or just "Liferay" in the podcast directory. If you like this, make sure to write a review for the podcast directory of your choice - or leave your feedback.

Or just download the MP3 here:

download audio file