CPG-CS Certified Secure™ :: Archived
General announcements from the Dragonfly CMS Team.
Śyama_Dāsa
Developer
Joined: Apr 19, 2004
Posts: 2048
Location: Dragonfly CMS Tribe
PostPosted: Mon Nov 01, 2004 10:56 pm
Post subject: CPG-CS Certified Secure™

Introducing “CPG-CS” Certified Secure™ Program

Look for our new logo/slogan on Blocks, Modules, Themes and Add-ons for the upcoming release of CPG-Nuke 9.0 - Dragonfly™

Developers and Users can submit their programs to CPG-CS to verify if their programs are Certified Secure™. Select CPG-Nuke Staff Members will review the code for security vulnerabilities.

The program will either be certified or recommendations given for required fixes to the code. The standard charge will be $0.001 a byte of php/html, more or less depending on the complexity of the module. You will receive two free follow-up reviews. For an additional fee our expert programmers will modify the code for you.

Make sure your add-ons are as safe as the portal you run them in, contact us for info today.

Akamu & DJ Maze

_________________
AKA Akamu / Read these and your life will be successful | Find a Repair
--
Mods and Professional Support via YIM

Śyama_Dāsa's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
win32 / Apache 1.3.33 / MySQL 4.1.16/PHP 4.4/CPG-CVS ( browsers: Mozilla 1.7.x / IE6 / Opera 8.0)
RedGerry
Silver Supporter
Joined: Jun 29, 2004
Posts: 480
Location: Fishcross, Scotland
PostPosted: Tue Nov 02, 2004 2:44 am
Post subject: Re: CPG-CS Certified Secure™

First thing I'd like to say is that I think it's a great idea.

2nd thing is that I do see it being a problem.

I noted that your survey asked the question about the new CPG version license arrangement and although GPL has its benefits developers need food too. The problem with this charge is the only ones required to pay will be people, like myself, who develop modules for others.

I have a variety of ports of my own RG_Sports module in operation, the current public 2.13 version, a new 2.3 version for php-nuke live, a live 2.3 version for 8.2 and a development version 2.3 running under CVS9. If I had to pick one that excites me the most it would be 2.3 under 9. I love it and can see me bringing both my operational sites under it in the next 2-4 weeks.

One of the things I have done with 2.3 is pick through the code to extract language for translation. One of my own site members has taken the time and trouble to translate the current language so a Dutch version exists. This positive response has energised me to complete the task of removing all references to the language file. I have also applied all guide rules and compliance notes on variable checking as prescribed on the pages here.

I originally started writing the module for my own needs and, in tune with developing my own skills, have expanded the module so others can also use it. And now I'd have to pay for the privilege?

I stress I don't disagree with the tactic, but what should I, and other developers do? Start charging for our own modules?

RG_Sports V2.13, uncompressed plus install SQL
1.42MB x 0.001 = 1420

_________________
gerry @ redgerry.com
redgerry.com
clacks.co
123v.com
copseygroup.com

RedGerry's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Suse11.4 - LAMP on zypper - ISPConfig 3
Jeruvy
Security Team
Joined: Apr 23, 2004
Posts: 1432
Location: Canada
PostPosted: Tue Nov 02, 2004 2:52 am
Post subject: Re: CPG-CS Certified Secure™

Hmm you make a good point, but I think this concept needs more discussion and challenging.

If devs build modules with the CPG-CS logo they could:

a) Acquire more presence on cpgnuke's site
b) Be permitted to use the logos in accordance with the rules in place regarding logo use. More so than a non-CPG-CS member.
c) Ensure their modules meet higher standards and provide the users with some assurance of this higher standard.
d) Charge $$$ for their mods.

(For those unfamiliar with my short-form, $$$ is short-form for BIG BUCKS, the kind most people can't fathom).

I could easily see some mods charging hundreds or thousands of dollars based on their use and licensing.

I think that charging per byte is fine, but what is doing the certification, some script? It may make more sense to charge a fee based on time, or a set fee for a set time to process the module for certification.

For instance most standard approval bodies charge depending on the test they have to run, this warrants the fees. I don't see how size will make a big difference if two modules are the same size but one requires light testing and one requires heavy testing. (For instance a 'Contact Us' module vs. a 'secure download' module.)

Just my thoughts, not yours...

_________________
J.
j e r u v y a t y a h o o d o t c o m

Need help? Look here: www.dragonflycms.org/W...d=112.html
Need to chat? Look for me on irc.freenode.net

Jeruvy's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Ubuntu7.10/Debian3.1 - 2.2.3/1.3.37 - 5.0.38/4.0.27 - 5.2.1/4.4.7 - CVS/9.1.2
DJ Maze
Developer
Joined: Apr 19, 2004
Posts: 5683
Location: http://tinyurl.com/5z8dmv
PostPosted: Tue Nov 02, 2004 5:00 am
Post subject: Re: CPG-CS Certified Secure™

All good points.

We don't say you must pay us for a certificate, we give you the option to let us look at it and get a certification or feedback.

Of course there are differences between a "contact us" and a "downloads" module, but it's better to have a rough price estimate than to get the bill after we spend hours on your module.
This way a price is steady and if we spend 8 hours on a module where you paid $50 then it's cheap.


DJ Maze's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Fedora 15 / 2.2.22 / 5.5.20 / 5.3.10 / CVS
Śyama_Dāsa
Developer
Joined: Apr 19, 2004
Posts: 2048
Location: Dragonfly CMS Tribe
PostPosted: Tue Nov 02, 2004 5:02 am
Post subject: Re: CPG-CS Certified Secure™

The amount of code that needs to be used for a contact module is way less than a "secure download module". The way to pass this certification is already posted in the FAQ and Docs. We ask that all devs follow these whether or not you request certification.

The reason we chose per byte is to encourage succinct good code. By using the high standards explained in the FAQ and the functions explained in the Docs. Using our predefined functions you reduce code in your modules...simplify and secure.

In general the amount of code is directly related to the amount of time we will spend certifying, as we will not be using any robot to check the code but old-fashioned read - follow the code - logic that we have managed to use on the core of CPG-Nuke Dragonfly...

The language files are not an included part of our count neither is use of our included libraries or the sql (if you use our install class), those take no time at all, we also encourage this. By using this you also reduce the amount of code needed.

Our intention is to bring the community together with a better end product with better modules. Certification is not required in any way except that I feel users will ask for it and of course users may also request certification for their mods.

I agree with a), b) and c) above...
As a module builder do you deserve to be helped by the people that may use your product for profit? Why not charge for something you wrote safe yourself. The choice to charge or not is up to the developer....

_________________
AKA Akamu / Read these and your life will be successful | Find a Repair
--
Mods and Professional Support via YIM

Śyama_Dāsa's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
win32 / Apache 1.3.33 / MySQL 4.1.16/PHP 4.4/CPG-CVS ( browsers: Mozilla 1.7.x / IE6 / Opera 8.0)
corky
Supporter
Joined: Apr 21, 2004
Posts: 292
Location: Fontana, California
PostPosted: Tue Nov 02, 2004 5:03 am
Post subject: Re: CPG-CS Certified Secure™

I agree DJ, Well I think it's a wonderful idea, and you guys should keep up the great ideas.

_________________
CHECK OUT THE FASTEST GROWING IMAGE UPLOADER ON THE NET!

corky's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Linux/Apache 1.3.31 /PHP 4.3.9/mySQL 4.0.20 / 8.2b
chris333
Nice poster
Joined: Jun 06, 2004
Posts: 52
Location: Luxembourg
PostPosted: Tue Nov 02, 2004 5:07 am
Post subject: Re: CPG-CS Certified Secure™

So if I send you a module which is totally secure :D will I get the CPG-CS Certified Secure™ logo for free? If you don't have to change a line, are there anyway "fees" for reviewing the script?

_________________
www.nukecommunity.com

chris333's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
DebianGNU/1.3.31/4.0.18/4.3.4/8.3 CVS
DJ Maze
Developer
Joined: Apr 19, 2004
Posts: 5683
Location: http://tinyurl.com/5z8dmv
PostPosted: Tue Nov 02, 2004 5:17 am
Post subject: Re: CPG-CS Certified Secure™

chris, I promised to evaluate your "Your_Account" rewrite before we made the CPG-CS so that one is free of charge to me when it's compatible with 9.0

All others must be paid cos we are going to check the code and respond with feedback


DJ Maze's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Fedora 15 / 2.2.22 / 5.5.20 / 5.3.10 / CVS
Mystic
Diamond Supporter
Joined: Jun 25, 2004
Posts: 1312
Location: Spokane, WA USA
PostPosted: Tue Nov 02, 2004 7:29 am
Post subject: Re: CPG-CS Certified Secure™

I love the idea and the concept.

This does nothing to change those of you who want to write modules and share them with others for free. You can do the same thing you have always done and not pay a cent. But don't expect the certification for taking this route. This would be exactly how it is now.

For those who are developing more intense modules who want the ability to show that their module is certified, I think the cost is worth it. The developers of these modules could then charge a nominal fee, like $5 or something, to help recover the cost of the certification and perhaps make a few bucks on the side.

The benefit to us admins?

We will hopefully get a crop of nice, stable, and secure modules for use on our sites. This could be the thing that places CPG in a bracket ahead of the competition.

Sounds like a winning situation for the developers of CPGNuke, the module creators, and us users. Is there a down side?

_________________
- |\/|ystic

Mystic's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Linux 2.6.20-16/Apache/5.0.38/5.2.1/9.0.6.1
Dunderklumpen
Newbie
Joined: May 09, 2004
Posts: 12
Location: Skellefteå/Sweden
PostPosted: Tue Nov 02, 2004 2:57 pm
Post subject: Re: CPG-CS Certified Secure™

Excellent idea!

We just published a notice (news) on our site to inform all Swedish users.

_________________
/regards Mikael

Dunderklumpen's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
FreeBSD 5.1/1.3.33/4.0.22/4.3.9/8.2c
RedGerry
Silver Supporter
Joined: Jun 29, 2004
Posts: 480
Location: Fishcross, Scotland
PostPosted: Tue Nov 02, 2004 5:23 pm
Post subject: Re: CPG-CS Certified Secure™

Yes there is lots of common sense here. On joining back in June I was attracted by one thing on CPG, and it wasn't the collapsing blocks lovely touch, but secure.

I would have to confess that my biggest fear in writing code is leaving an exploit. This site has offered me personally more guidance on avoiding that than any other I have visited. I also feel that the emphasis and priority this is given is totally justified. So what does certification offer.. ? a guarantee. Frankly I see it that once a product, any product, reaches a point where a customer has that guarantee then that is what they become, a customer.

Now it would just so happen that I do have a revenue return planned for the RG_Sports module. In short this is to offer a central DB which stores all player stats. Persons using the module would have the option to pay an annual registration fee to include the stats component or run with the module, minus player stats, free. By registering you do not only have your own stats pool but that of all the other players on registered sites. This is restricted to its core purpose football/soccer.

So would I pay for certification, yes, and I think this is the future path for developers. I used to jump on to Nukecops site now and again and spend some time answering newbie questions. When I checked yesterday there were 7,500 unanswered posts... free lunch? no such thing.

_________________
gerry @ redgerry.com
redgerry.com
clacks.co
123v.com
copseygroup.com

RedGerry's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Suse11.4 - LAMP on zypper - ISPConfig 3
Wide
Platinum Supporter
Joined: Aug 07, 2004
Posts: 294
Location: Playa Del Rey, CA
PostPosted: Tue Nov 02, 2004 5:23 pm
Post subject: Re: CPG-CS Certified Secure™

Certified secure is a very good idea, I highly approve.

I trust the developers will work out the details in an effective manner.


:D


Wide's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Debian/Apache2/MySQL 4.1.15-Debian/PHP4 4.4.2-1build1/9.1.1
ChinaBrit
Nice poster
Joined: Apr 21, 2004
Posts: 68
Location: Colombo, Sri Lanka
PostPosted: Wed Nov 03, 2004 4:48 am
Post subject: Re: CPG-CS Certified Secure™

Having just moved to Sri Lanka, and not had much chance to comment on CPG Nuke forums recently, I thought I'd throw in my own couple of Rupees worth... and take up a (partly) contrary position.

Certification - good idea, no excellent idea. :D

Charging for it - bad idea. :(

Whatever you might think about CMS webmasters in general, I don't think security is their highest priority - functionality is.

While some CPG Nuke users have busy sites and are here for security reasons (their previous PHP Nuke sites were hacked, for example), I believe the majority of CPG Nuke users want functionality, and they want it for free.

Given a choice of modules with similar features, I think the majority of users will go for the modules that are free, rather than 'certified secure' modules that are not. CPG Nuke users are not as concerned about security as the CPG Nuke team would like to believe - as evidenced by the calendar/Events4U threads (and others) and the number of warnings from CPG Nuke staff about security issues and that 'Events4U' should not be used, and the fact people are still trying to use it.

Most CPG Nuke users will go for a working module with more facilities, regardless of security, because the majority are not knowledgeable about security issues so don't know which modules are safe.

So, I don't think many people will be prepared to pay for certified modules to go with their 'free' CMS.

If your supporters group is anything to go by, most CPG Nuke members are not prepared to donate to the CPG Nuke project so why do you think they will be prepared to pay for certified modules?

By charging for certification I believe most developers will feel obliged to recover their costs by charging for their modules. As a result, your average CPG Nuke webmaster will use non certified modules. The effect will be that only the bigger (commercial?) sites will use the certified modules and the majority of CPG Nuke sites will still be using insecure modules.

I posted about certifying modules some time back - but my reasons concerned the negative impact insecure modules could have on the image of CPG Nuke, not on the websites themselves.

If a CPG Nuke site gets hacked through an insecure module the image of CPG Nuke will be tarnished, whether or not the module was certified. Even if it is shown that the hack occurred because of the module, CPG Nuke will still be tarred.

I also think that charging for certification goes against the CPG Nuke philosophy of free software. Of course it is not unreasonable for the developers to charge for their work - but if this is necessary why are they not charging for CPG Nuke? But that's another story and I'm sure we could all have an interesting discussion about the motivation behind the development of free software.

A further comment is that what might be just a few dollars to many is a lot of money to those from developing countries. The posts in the forums concerning sengsara and his need for a PC showed that many members are not aware just how much 'a few dollars' is to a lot of people. There are currently a number of CPG Nuke sites run by people from developing countries. I wouldn't like to think that CPG Nuke was penalising them, in terms of security.

I'd like to offer a suggestion. Do not charge for certification - but only give brief details of problems. I think that in most cases it will be clear with a quick scan if there are major problems. In these cases the module should be returned with brief details of the major problem areas. If the developer wants detailed recommendations I see no reason why a charge should not be applied.

To take the load off developers, certification could be achieved in levels. The 'experts' would have the final say, but less experienced staff could give submitted modules an initial check over to find obvious problems - possibly following a set of basic guidelines. Those modules that fail at this level would be returned without taking up any time from the main developers. Those that pass this first check would be passed on to more experienced members for a more in depth assessment.

I suspect that a large number of modules (from what I've seen of those ported from PHP Nuke) would fail this first check.

In conclusion, if you are concerned about the image of CPG Nuke, particularly security, I don't think you should charge for certifying a module as secure.

Just a few thoughts thrown into the ring. Over to you to tear them apart... :)


ChinaBrit's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
linux/1.3.29/4.0.20/4.3.10/8.2b
Dunderklumpen
Newbie
Joined: May 09, 2004
Posts: 12
Location: Skellefteå/Sweden
PostPosted: Wed Nov 03, 2004 12:12 pm
Post subject: Re: CPG-CS Certified Secure™

One major problem with the whole Open Source community is that so many expect others to work absolutely for free.

Another major problem is that as soon as anyone actually charges for anything even remotely connected to an Open Source project that someone is more or less automatically questioned and accused of just about anything from unethical behaviour to having violated the content of the GPL license.

You can even do this without even contacting the company or the organisation - just point the finger and publish your own conclusions. Do not ask first - your accusations just might turn out to be totally inaccurate.

At the same time many in the Open Source community question why the whole concept has not made it into the corporate world. The answer is that as long as there is no support and service organisation behind an Open Source project it will most likely never make it into the corporate world.

The whole idea of certified modules/blocks is in my mind therefore an excellent idea. Charging for it is also fine since it will give the ones doing all the codechecking some small payment for the work they do. It will, if not guarantee so at least, keep the certification process going.

I can fully understand the concerns in this case and I understand that the idea of charging might conflict with the concept of free software. They are valid and good points that you should take into consideration - but still a major problem within the Open Source community is that development and progress is based on free, non-paid work. As soon as that comes in conflict with other things - real work, real bills that have to be paid - people's priorities change. There are countless Open Source projects that have stopped as soon as the author leaves school and gets a real job.

Therefore - charge a small amount for this service - it will keep it alive.

My two Euros on the subject.

_________________
/regards Mikael

Dunderklumpen's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
FreeBSD 5.1/1.3.33/4.0.22/4.3.9/8.2c
tuta
Supporter
Joined: Jun 29, 2004
Posts: 465
Location: Houston
PostPosted: Wed Nov 03, 2004 3:42 pm
Post subject: Re: CPG-CS Certified Secure™

I am really thinking out loud here --- but have you all thought of what will happen if you have a dramatic response to this program? For example, say everyone wants to get this stamp of approval... do you think it will slow your progress on future improvements to Dragonfly itself?

If everyone is busy certifying add-ons -- since there is money involved, will you have free time to spend on DF?

(this is only on one cup of coffee so apologies if it is a little disjointed...)

_________________
SEARCH the WIKI
How to Port for Dragonfly

tuta's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Linux/Apache/MySQL 4.1.22/PHP 4.4.6/9.1.2.1
All content of this website is copyrighted by the Creative Commons NC-SA