mnescot cms security

Post on 08-May-2015


Page 3: Mnescot cms security

CMS Security and Federal IT

Requirements: Drupal vs. The Field

Mike Nescot, JBS International

MS, MHA, CISSP, PMP, MCTS, Security+; Author: Professional Cyber-Tunneling and Cross-Dressing (Rocks Press)

Platinum Diamond

Uber Status

Page 4: Mnescot cms security

But seriously…

Page 5: Mnescot cms security

CMS Security and Federal IT Requirements: Drupal vs. The Field

Mike Nescot, JBS International

Page 6: Mnescot cms security

http://drupal.jbsinternational.com

Page 7: Mnescot cms security

Marketing Drupal

Page 8: Mnescot cms security

CMS Security: Expanding Complexity

Page 9: Mnescot cms security

CMS Security: Expanding Complexity

Page 10: Mnescot cms security

Comparison

• Drupal (http://drupal.org)
• Joomla (http://joomla.org)
• WordPress (http://wordpress.org)
• Liferay (http://liferay.org)
• SharePoint (http://sharepoint.org)

Page 11: Mnescot cms security

Comparison Points

• Code Repository
• API Security
• Security Management Model
• Security Controls and Tools: FISMA

Page 12: Mnescot cms security

Repository

• Drupal: Open source, Git, drupal.org
• Joomla: Open source, Git, GitHub
• WordPress: Open source, Git mirror of SVN on wordpress.org
• SharePoint: Closed source, ?, TFS
• Liferay: Open source community edition, Git, GitHub

Page 13: Mnescot cms security

FreeBSD Compromise

vs.

Linux Kernel.org Compromise

Page 14: Mnescot cms security

API

• Drupal: PHP, procedural hook system > modularity: PSR-2/Symfony
• Joomla: PHP, design-patterns-based, OO, MVC
• WordPress: PHP, hook system (actions & filters)
• SharePoint: .NET, server and client object model > app model & REST
• Liferay: Java, JVM, internal and external API, portlet, MVC portlet, JSF

Page 15: Mnescot cms security

API Security

• Drupal: Input filters (t(), check_plain(), filter_xss(), db_query()); entities; form tokens; auth cookies; password hashing & salting (SHA-512); Twig
• Joomla: Filters (JRequest, JFactory::getDBO())
• WordPress: Filters (wp_filter_kses(), $wpdb)
• Liferay: Security Manager: Portal Access Control List (PACL), AntiSamy Hook (OWASP), DB Service Builder, Velocity
• SharePoint: SharePoint Object Model, .NET HTTP validation, Apps, Master Pages

Page 16: Mnescot cms security

Vulnerabilities: NVD (3 years: high/medium)

• Drupal (192): XSS, script insertion, SQL injection, access bypass, file upload, code execution, CSRF, DoS, privilege escalation
• Joomla (171): SQL injection, XSS, file inclusion, information disclosure, code execution, file upload, directory traversal
• WordPress (233): file upload, SQL injection, XSS, CSRF, information disclosure, access bypass, DoS
• SharePoint (27): access bypass, XSS, object code execution, DoS, buffer overflow
• Liferay (3): access bypass, XSS, DoS, directory traversal

Page 18: Mnescot cms security

Security Management

• Drupal: Security Team: resolve issues, assist module maintainers, documentation, responsible disclosure, secure coding guide, full project review
• Joomla: Joomla Security Team: vulnerable extension list, secure coding guide
• WordPress: laissez-faire, data validation guide
• SharePoint: Service packs, app review
• Liferay: Security team (focused on core), open app marketplace

Page 19: Mnescot cms security

Open Source Community & Competition

• Drupal and WordPress
• Ease of Use vs. Power
• Good Enough, Means to an End
• Object-Oriented = Harder to Use
• Risk Management Trade-Offs

Page 20: Mnescot cms security

Security Tools & Controls (FISMA)

• Roles & Permissions (Access Controls)
• Federated Identity & Multi-Factor Authentication
• Vulnerability Assessment
• Hardening
• Continuous Monitoring
• Hosting Platform & Environment

Page 21: Mnescot cms security

Roles & Permissions

• Drupal: Granular, flexible security permissions matrix; easy to create new roles and permissions; complex (distributions & mods: OA, WB)
• Joomla: Frontend & backend groups, administration area
• WordPress: Roles and capabilities, admin area
• SharePoint: SharePoint groups and roles, mapped to AD groups, site collection admins, elevated privileges
• Liferay: Granular system built on JSR-286

Page 22: Mnescot cms security

Federated Identity & Multi-Factor Authentication

• Drupal: OpenID, OAuth, LDAP, Google Authenticator, TFA/SMS, YubiKey, Duo, WiKID, SAML: NIH Login, CAS: OMB MAX, PIV
• Joomla: OpenID, OAuth, SAML, YubiKey, smartcards
• WordPress: OpenID, OAuth, LDAP, SAML, SMS, Duo
• SharePoint: AD, LDAP, AD LDS, ADFS, claims-based identity, membership provider (AD)
• Liferay: SSO (LDAP, OpenAM), OpenID

Page 23: Mnescot cms security
Page 24: Mnescot cms security

Vulnerability Assessment

• Drupal: security review, coder/secure code review, dpscan
• Joomla: Joomla OWASP scanner
• WordPress: WP Security Scan
• SharePoint: SharePoint Security Scanner
• Liferay: Standard tools

Page 25: Mnescot cms security

Hardening

• Drupal: Hardened Drupal, Guardr
• Joomla: jHackGuard
• WordPress: Integrated security plugins (Better WP Security, BulletProof Security), Secure WordPress
• SharePoint: Secure installation: Kerberos
• Liferay: Manual config guide
• All: Environment-specific controls

Page 26: Mnescot cms security

Continuous Monitoring

• Drupal: Nagios; SIEM (OSSIM); Watchdog: dblog, MongoDB, syslog; logstash
• Joomla: JLog > syslog, commercial monitoring
• WordPress: Integrated packages, commercial monitoring
• SharePoint: Microsoft System Center, commercial packages
• Liferay: Audit EE: DB or log4j > syslog
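The Drupal bullet above names watchdog, syslog and logstash as the monitoring chain. As an added example (not from the slides, and not Drupal's or logstash's own code), this Python snippet parses constructed watchdog lines in the pipe-separated layout the Drupal 7 syslog module emits by default and counts failed logins per source IP, the kind of rule a logstash filter or SIEM correlation would run; the field order and the "Login attempt failed for ..." message text are assumptions to verify against your own site's syslog format setting.

```python
import re
from collections import Counter

# Assumed Drupal 7 syslog module default format (pipe-separated):
# base_url|timestamp|type|ip|request_uri|referer|uid|link|message
WATCHDOG_FIELDS = ["base_url", "timestamp", "type", "ip", "request_uri",
                   "referer", "uid", "link", "message"]

# Assumed wording of the user module's failed-login watchdog entry.
FAILED_LOGIN = re.compile(r"^Login attempt failed for (?P<user>.+)\.$")

# Constructed sample lines (not real log data; RFC 5737 documentation IPs).
SAMPLE_LINES = [
    "http://example.test|1431043200|user|203.0.113.5|/user/login||0||Login attempt failed for admin.",
    "http://example.test|1431043201|user|203.0.113.5|/user/login||0||Login attempt failed for root.",
    "http://example.test|1431043202|user|203.0.113.5|/user/login||0||Login attempt failed for admin.",
    "http://example.test|1431043203|user|198.51.100.7|/user/login||0||Login attempt failed for bob.",
    "http://example.test|1431043204|user|198.51.100.7|/user/login||42||Session opened for bob.",
    "http://example.test|1431043205|page not found|203.0.113.5|/wp-login.php||0||/wp-login.php",
]


def parse_watchdog(line):
    """Split one syslog-formatted watchdog line into a dict; None if malformed."""
    # Limit the split so a '|' inside the free-text message stays in the message.
    parts = line.split("|", len(WATCHDOG_FIELDS) - 1)
    if len(parts) != len(WATCHDOG_FIELDS):
        return None
    return dict(zip(WATCHDOG_FIELDS, parts))


def failed_logins_by_ip(lines):
    """Count failed-login watchdog entries per source IP."""
    counts = Counter()
    for line in lines:
        rec = parse_watchdog(line)
        if rec is None or rec["type"] != "user":
            continue  # skip unparsable lines and non-user-module entries
        if FAILED_LOGIN.match(rec["message"]):
            counts[rec["ip"]] += 1
    return counts


def flag_sources(lines, threshold=3):
    """Return source IPs whose failed-login count reaches the threshold."""
    return sorted(ip for ip, n in failed_logins_by_ip(lines).items() if n >= threshold)


if __name__ == "__main__":
    print(dict(failed_logins_by_ip(SAMPLE_LINES)))
    print(flag_sources(SAMPLE_LINES))
```

In a real deployment the same split and match would live in a logstash filter feeding the SIEM, with the threshold tuned to the site's normal failed-login rate.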

Page 27: Mnescot cms security

Hosting Platform & Environment

• Drupal: LAMP: Apache/Nginx/IIS, MySQL/MariaDB/PostgreSQL/MSSQL/Oracle, PHP 5.3
• Joomla: LAMP: Apache/Nginx/IIS, MySQL/PostgreSQL/MSSQL, PHP 5.3
• WordPress: LAMP: PHP 5.2, MySQL
• SharePoint: Windows, IIS, SQL Server, Office 365 (FISMA cert), Azure, AWS, Rackspace
• Liferay: JVM, Tomcat/GlassFish/JBoss/WebLogic, JDBC (MySQL/PostgreSQL)
• Everything: > cloud (AWS, OpenStack, FedRAMP), private cloud, SLA

Page 28: Mnescot cms security

D.Org Security Incident

• Drupal.org compromised
• Sophisticated DevOps management
• Third-party software breached: undisclosed

Page 29: Mnescot cms security

With Drupal, You Never Walk Alone

Page 30: Mnescot cms security

You Never Walk Alone With Drupal

Page 31: Mnescot cms security

Security Ninja

Page 32: Mnescot cms security

Security Rockstar

Platinum Diamond

Uber Status

Page 33: Mnescot cms security

Thank You!!!

Comments, Questions, Criticism?

[email protected]

http://drupal.jbsinternational.com