Protect Your Drupal Site Against Common Security Attacks

Protect Your Drupal Site Against Common Security Attacks @greggles greg.knaddison@acquia.comTuesday, October 25, 2011

Agenda • Security theory - general ideas - what it means to be a “Vendor” - what are other vendors doing? • Security Review module • Acquia Security AuditsTuesday, October 25, 2011

Some General Theories • Vuln is not a problem until someone exploits it • Least privilege • Validate on input, ﬁlter on output • Out of band communication - Multi factor authentication • Logging • Defense in depthTuesday, October 25, 2011

Tuesday, October 25, 2011

Is Drupal secure enough? • DrupalSecurityReport.org • What is Drupalʼs vendor process?Tuesday, October 25, 2011

What is the flow? • Vulnerability introduced in code • Issue gets reported • Maintainer is notified & fixes • Review/discussion • Security Advisory written, commit, release • Release and announce • Deployed on all sitesTuesday, October 25, 2011

What is public/private?* *ideal case • Vulnerability introduced in code • Issue gets reported • Maintainer is notiﬁed & ﬁxes Private • Review/discussion • Security Advisory written, commit, release • Release and announce • Deployed on all sites PublicTuesday, October 25, 2011

Where are you at risk? • Vulnerability introduced in code • Issue gets reported • Maintainer is notiﬁed & ﬁxes • Review/discussion • Security Advisory written, commit, release • Release and announce • Deployed on all sitesTuesday, October 25, 2011

Disclosure concepts • Full disclosure: - immediately disclose to world - Allow people to ﬁx/protect themselves • Responsible disclosure: - Disclose to vendor privately - Wait up to 6 months for vendor ﬁx/announcement - Patch available with newsTuesday, October 25, 2011

Where are you at risk? FD • Vulnerability introduced in code • Issue gets reported • Maintainer is notiﬁed & ﬁxes • Review/discussion • Security Advisory written, commit, release • Release and announce • Deployed on all sitesTuesday, October 25, 2011

Where are you at risk? RD • Vulnerability introduced in code • Issue gets reported • Maintainer is notiﬁed & ﬁxes • Review/discussion • Security Advisory written, commit, release • Release and announce • Deployed on all sitesTuesday, October 25, 2011

Who is responsible? dev • Vulnerability introduced in code researcher • Issue gets reported team • Maintainer is notiﬁed & ﬁxes team+dev • Review/discussion • Security Advisory written, commit, release • Release and announce • Deployed on all sitesTuesday, October 25, 2011

Best practices as a vendor What is everyone else doing?Tuesday, October 25, 2011

Comparing • Given enough eyeballs, all bugs are shallow. • Prevention of issues: education • Smooth reporting • Announce, deploy updatesTuesday, October 25, 2011

Try this • search for - “write secure code $project_name” - “report security issue $project_name” - “security release $project_name”Tuesday, October 25, 2011

This is not our policy....We are proud of our track record of quickly releasing critical security patches, often in days. We work hard to ship ﬁxes as fast as possible because it keeps people safe. Mozilla Security Blog 2010 revenue: $104,000,000+ expenses $60,000,000+Tuesday, October 25, 2011

Chrome, Firefox bounties • Mozilla: $0 to $3,000http://www.mozilla.org/security/bug-bounty.html • Chrome: $500 to $3,133.7 blog.chromium.org/2010/07/celebrating-six-months-of-chromium.html • Tipping Point Zero Day Initiative: $100 to $2,000+ • Drupal: $0Tuesday, October 25, 2011

Browser Updates • Blogs, tweets, mails and in app notiﬁcations • Automatic updates enabled by default • Download compressed binary diffs • Pretty reliable (remember, $104,000,000/year budget)Tuesday, October 25, 2011

WordPress • Usability focused • Blogging focused • Increasingly feature richTuesday, October 25, 2011

Education/reporting • http://codex.wordpress.org/ Category:WordPress_Development - zero security • E-mail based reporting system • Plugins - hosted anywhere - Plugins on WP.org not as rigorously reviewed - Plugins elsewhere not reviewed - Some in svn/Trac plugins.trac.wordpress.org/browser/Tuesday, October 25, 2011

Out of application notification tools • News for core: wordpress.org/news/category/security • No official, security-focused twitter (?) • Popularity + Limited official channel = NOISETuesday, October 25, 2011

Github: Suzieʼs System! • Github has no built-in facility • Project maintainers have to build it Infrastructure has valueTuesday, October 25, 2011

Drupal • Focused on... • Can do whatever • Modules usually hosted on drupal.org • Project application process is rigorous, but ﬂawed • Centralized code hosting git/gitweb drupalcode.orgTuesday, October 25, 2011

Education/Reporting • Handbooks put security as a priority • New contributor process includes security review - Doesnʼt cover all projects - There are ways around it • E-mail based reporting process - no registration required - moving to optional ticket submission for improved efﬁciencyTuesday, October 25, 2011

Out of application tools • Main handbook has solid security docs • News & feeds for core and contrib • Announcement e-mail list • @drupalsecurity, @drupal_security • Limited 3rd party noiseTuesday, October 25, 2011

Security Review module • Freely available module • Identiﬁes mistakes in permissions & conﬁguration • Has drush integration • Hands on demo http://drupal.org/project/security_reviewTuesday, October 25, 2011

How Acquia Can Help • Acquia Security Audit • Acquia InsightTuesday, October 25, 2011

How Acquia Can Help • 1 week long engagement • Most vulnerabilities are found in site speciﬁc - themes - conﬁgurations - modules • Drupal core and contrib may be safe, is your code?Tuesday, October 25, 2011

What do we do? • Automated static code analysis • Penetration testing • Public and Acquia-developed toolsTuesday, October 25, 2011

What is the output?Tuesday, October 25, 2011

Thanks! Questions? Contact: greg.knaddison@acquia.com @gregglesTuesday, October 25, 2011

Photos photos • http://www.flickr.com/photos/jdhancock/3760104591/ • http://www.flickr.com/photos/danielsphotography/466435567/ • http://www.flickr.com/photos/38485387@N02/3580728177/ • http://www.flickr.com/photos/tchi-tcha/2447184214Tuesday, October 25, 2011

Protect Your Drupal Site Against Common Security Attacks

by Acquia

Accessibility

Categories

Upload Details

Usage Rights

Statistics

Protect Your Drupal Site Against Common Security Attacks Presentation Transcript