drupal security seminar

Download Drupal Security Seminar

Post on 14-Dec-2014

598 views

Category:

Technology

7 download

Embed Size (px)

DESCRIPTION

No worries, weve got your Drupal installation secured! This slideshow was used on our Drupal Security Seminar of Friday June 21.

TRANSCRIPT

  • 1. WE MATCH FRONT SEAT TECHNOLOGY AND CREATIVITY TO MEET YOUR DIGITAL PROJECTS.
  • 2. 1 KEEP YOUR DRUPAL ENVIRONMENT SECURE 2 SECURE DEVELOPMENT & SECURE CONFIGURATION 3 ACQUIA ON DRUPAL SECURITY 4 IBM TIVOLI ACCESS MANAGEMENT AND DRUPAL AGENDA
  • 3. DRUPAL SECURITY
  • 4. WHY BOTHER? 1
  • 5. ZAPPOS
  • 6. LINKEDIN
  • 7. SONYPLAYSTATIONNETWORK
  • 8. WHYBOTHER? - Privacy laws - Exposure of private information - Compliance with legislation / internal rules - Risk of reputational damage - Risk of direct/indirect economical damage
  • 9. IS DRUPAL SECURE? 2
  • 10. MANY EYES MAKE FOR SECURE CODE ISOPENSOURCESECURE? - Security by obscurity - Open code does not make it easier for hackers - Open Source makes people look at it - Popularity gets more eyes and more peer-reviews - Not dependant on time-scale vendor Bad open-source software as bad as bad private software.
  • 11. TOP 10 VULNERABILITIES OWASP - Injection - Cross Site Scripting - XSS - Broken Authentication and Session Management - Insecure Direct Object Reference - Cross Site Request Forgery - CSRF - Security Misconfguration - Failure to Restrict URL Access - Unvalidated Redirects and Forwards - Insecure Cryptographic Storage - Insucient Transport Layer Protection
  • 12. REPORTEDVULNERABILITIES
  • 13. ISDRUPALSECURE? Drupal Architecture - API is designed to be secure - Contrib Modules > custom modules - Best practices Build - Secure Development - Secure Conguration - Audit Contrib Modules - Code audit custom code - Security Review DURING BUILD OF NEW DRUPAL WEBSITE
  • 14. DURING LIFECYCLE DRUPAL WEBSITE ISDRUPALSECURE? Whos checking Drupal - Project maintainers - Thousand of users - Security Researchers - Government organisations - Private organisations Processes & Organisation - Security Team - Process for solving issues & releasing security updates - Security Advisories - Private Disclosure practice
  • 15. KEEP YOUR DRUPAL WEBSITE SECURE 3
  • 16. SECURITY IS A PROCESS NOT AN EVENT
  • 17. WHOSCHECKINGDRUPAL - Project maintainers - Thousand of users - Security Researchers - Government organisations - Private organisations MANY EYES MAKE FOR SECURE CODE
  • 18. UNIQUE FOR A OPEN SOURCE PROJECT SECURITYTEAM Task & Responsibilities - Solve reported issues - Assist contributors in solving issues - Advise and provide documentation on secure development - Advise and provide documentation on securing your Drupal website Whats supported - Core Drupal 6 & 7 - Contributed Modules Drupal 6 & 7
  • 19. FROM REPORTED ISSUE TO SECURITY UPDATE ADRUPALSECURITYRELEASE
  • 20. FOR CORE AND CONTRIBUTED MODULES PER YEAR SECURITYADVISORIES Year Core Contributed 2010 1 31 2009 8 115 2008 11 64 2007 11 21 2006 1 21 2005 7 2
  • 21. YOURE SAFE UNTIL RELEASE SECURITY UPDATE PRIVATEDISCLOSURE - Vulnerability introduced into code - Issue reported - Maintainer is notied - Maintainer xes issue - Review & Discussions with security team - Security Advisory written - Release and anounce - Deployed in Drupal website FD PD
  • 22. KNOW WHEN AN UPDATE IS NEEDED UPDATEMANAGER - Check available updates - Notications - Update through admin interface
  • 23. SECURITY HEALTH CHECK SECURITYREVIEWMODULE
  • 24. INSIGHT INTO HEALTH OF YOUR DRUPAL WEBSITE STATUSMONITORING Tools - Droptor.com (https://drupal.org/project/droptor) - Acquia Insight (https://drupal.org/project/acquia_connector) - Nagios (https://drupal.org/project/nagios) - Drupalmonitor.com (https://drupal.org/project/drupalmonitor) -
  • 25. BUILD A SECURE DRUPAL WEBISTE 4
  • 26. CONTRIB
  • 27. CONTRIBUTED MODULES Quality assurance - Usage - Number of open issues - Closed/Open ratio - Response time Good quality usually means good security Manual code reviews for less used modules
  • 28. UPDATES Always stay up to date - Keep up with latest security releases Update Workow - Hacked module + di - Drush up
  • 29. PATCHES Contrib patches Read the entire issue Commit custom patches Help out Feedback from other users (maintainers) Patch might get commited Patch management Move module to patched Create a patches.txt Keep patches
  • 30. CUSTOM
  • 31. SECURITY PYRAMID Menu & Node Access Form API DB API Theme
  • 32. CORRECT USE OF API Form api validation cache form_state drupal_valid_token DB api db_select, db_insert, placeholders $query->addTag('node_access') Filter tcheck_url, check_plain, check_markup, lter_xss (), l(), drupal_set_title()
  • 33. CODE REVIEWS Coder module Manual reviews security_review module
  • 34. THEMES
  • 35. THEMES Themer not responsible Preprocess functions
  • 36. CONFIGURATION
  • 37. PERMISSIONS P