Protect Your Drupal Site Against Common Security Attacks

1,697

Published on

Acquia Webinar [Oct 25, 2011]: Protect Your Drupal Site Against Common Security Attacks

Recording: http://acquia.com/resources/recorded_webinars

Slide 1: Protect Your Drupal Site Against Common Security Attacks
@greggles, greg.knaddison@acquia.com
Tuesday, October 25, 2011

Slide 2: Agenda
• Security theory
  - general ideas
  - what it means to be a "Vendor"
  - what are other vendors doing?
• Security Review module
• Acquia Security Audits

Slide 3: Some General Theories
• A vulnerability is not a problem until someone exploits it
• Least privilege
• Validate on input, filter on output
• Out of band communication
  - Multi-factor authentication
• Logging
• Defense in depth
Slide 8: Is Drupal secure enough?
• DrupalSecurityReport.org
• What is Drupal's vendor process?

Slide 9: What is the flow?
• Vulnerability introduced in code
• Issue gets reported
• Maintainer is notified & fixes
• Review/discussion
• Security Advisory written, commit, release
• Release and announce
• Deployed on all sites

Slide 10: What is public/private? (*ideal case)
Private:
• Vulnerability introduced in code
• Issue gets reported
• Maintainer is notified & fixes
• Review/discussion
• Security Advisory written, commit, release
Public:
• Release and announce
• Deployed on all sites

Slide 11: Where are you at risk?
• Vulnerability introduced in code
• Issue gets reported
• Maintainer is notified & fixes
• Review/discussion
• Security Advisory written, commit, release
• Release and announce
• Deployed on all sites

Slide 12: Disclosure concepts
• Full disclosure:
  - immediately disclose to the world
  - allow people to fix/protect themselves
• Responsible disclosure:
  - disclose to the vendor privately
  - wait up to 6 months for the vendor fix/announcement
  - patch available with the news

Slide 13: Where are you at risk? (FD, full disclosure)
• Vulnerability introduced in code
• Issue gets reported
• Maintainer is notified & fixes
• Review/discussion
• Security Advisory written, commit, release
• Release and announce
• Deployed on all sites

Slide 14: Where are you at risk? (RD, responsible disclosure)
• Vulnerability introduced in code
• Issue gets reported
• Maintainer is notified & fixes
• Review/discussion
• Security Advisory written, commit, release
• Release and announce
• Deployed on all sites

Slide 15: Who is responsible?
• dev: Vulnerability introduced in code
• researcher: Issue gets reported
• team: Maintainer is notified & fixes
• team+dev: Review/discussion
• Security Advisory written, commit, release
• Release and announce
• Deployed on all sites

Slide 16: Best practices as a vendor
What is everyone else doing?
Slide 18: Comparing
• Given enough eyeballs, all bugs are shallow.
• Prevention of issues: education
• Smooth reporting
• Announce, deploy updates

Slide 19: Try this
• search for
  - "write secure code $project_name"
  - "report security issue $project_name"
  - "security release $project_name"
Slide 21: "This is not our policy.... We are proud of our track record of quickly releasing critical security patches, often in days. We work hard to ship fixes as fast as possible because it keeps people safe." (Mozilla Security Blog)
2010 revenue: $104,000,000+; expenses: $60,000,000+

Slide 22: Chrome, Firefox bounties
• Mozilla: $0 to $3,000 (http://www.mozilla.org/security/bug-bounty.html)
• Chrome: $500 to $3,133.7 (blog.chromium.org/2010/07/celebrating-six-months-of-chromium.html)
• TippingPoint Zero Day Initiative: $100 to $2,000+
• Drupal: $0

Slide 23: Browser Updates
• Blogs, tweets, mails and in-app notifications
• Automatic updates enabled by default
• Download compressed binary diffs
• Pretty reliable (remember, $104,000,000/year budget)

Slide 24: WordPress
• Usability focused
• Blogging focused
• Increasingly feature rich

Slide 25: Education/reporting
• http://codex.wordpress.org/Category:WordPress_Development - zero security
• E-mail based reporting system
• Plugins
  - hosted anywhere
  - Plugins on WP.org not as rigorously reviewed
  - Plugins elsewhere not reviewed
  - Some in svn/Trac: plugins.trac.wordpress.org/browser/
Slide 29: Out of application notification tools
• News for core: wordpress.org/news/category/security
• No official, security-focused twitter (?)
• Popularity + limited official channel = NOISE

Slide 30: GitHub: Suzie's System!
• GitHub has no built-in facility
• Project maintainers have to build it
Infrastructure has value

Slide 31: Drupal
• Focused on...
• Can do whatever
• Modules usually hosted on drupal.org
• Project application process is rigorous, but flawed
• Centralized code hosting: git/gitweb, drupalcode.org

Slide 32: Education/Reporting
• Handbooks put security as a priority
• New contributor process includes security review
  - Doesn't cover all projects
  - There are ways around it
• E-mail based reporting process
  - no registration required
  - moving to optional ticket submission for improved efficiency
Slide 37: Out of application tools
• Main handbook has solid security docs
• News & feeds for core and contrib
• Announcement e-mail list
• @drupalsecurity, @drupal_security
• Limited 3rd party noise

Slide 38: Security Review module
• Freely available module
• Identifies mistakes in permissions & configuration
• Has drush integration
• Hands-on demo: http://drupal.org/project/security_review

Slide 39: How Acquia Can Help
• Acquia Security Audit
• Acquia Insight

Slide 40: How Acquia Can Help
• 1 week long engagement
• Most vulnerabilities are found in site-specific
  - themes
  - configurations
  - modules
• Drupal core and contrib may be safe; is your code?
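Slide 3's "least privilege" and "validate on input, filter on output" applied to the site-specific code slide 40 points at: an added example, not from the deck or from Acquia, of a Drupal 7 custom-module page callback in the shape audits commonly find it, followed by its hardened form. The module name "mysite", the path "mysite/search" and the "term" parameter are hypothetical.

```php
<?php
// Added example, not from the deck: a site-specific Drupal 7 module callback
// in the shape an audit commonly finds it, then its hardened form. The module
// name "mysite", the path and the "term" parameter are hypothetical.
// Menu entry: least privilege, the callback is gated by a real permission.
function mysite_menu() {
  $items['mysite/search'] = array(
    'title' => 'Site search',
    'page callback' => 'mysite_search_page',
    'access arguments' => array('access content'),
  );
  return $items;
}

// BEFORE: the request parameter goes straight into SQL and straight into
// HTML, so both SQL injection and XSS live in this one site-specific function.
function mysite_search_page_before() {
  $term = $_GET['term'];
  $rows = db_query("SELECT title FROM {node} WHERE title LIKE '%" . $term . "%'");
  $out = '<h2>Results for ' . $term . '</h2>';
  foreach ($rows as $row) {
    $out .= '<p>' . $row->title . '</p>';
  }
  return $out;
}

// AFTER: validate on input, let the database layer quote, and filter on
// output at render time (check_plain(), and t() with an @ placeholder).
function mysite_search_page() {
  $term = isset($_GET['term']) ? $_GET['term'] : '';
  // Validate on input: only what the feature needs; anything else is rejected.
  if (!preg_match('/^[\p{L}\p{N} ._-]{1,64}$/u', $term)) {
    drupal_set_message(t('Invalid search term.'), 'error');
    return '';
  }
  // db_like() neutralises % and _; the node_access tag enforces site access rules.
  $rows = db_select('node', 'n')
    ->fields('n', array('title'))
    ->condition('n.status', 1)
    ->condition('n.title', '%' . db_like($term) . '%', 'LIKE')
    ->addTag('node_access')
    ->execute();
  // Filter on output: escape at the point of rendering, never on storage.
  $out = '<h2>' . t('Results for @term', array('@term' => $term)) . '</h2>';
  foreach ($rows as $row) {
    $out .= '<p>' . check_plain($row->title) . '</p>';
  }
  return $out;
}
```

The "before" function is the kind of finding a static analysis pass or the Security Review module's checks surface in custom code; the "after" version is what the audit report recommends in its place.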
Slide 41: What do we do?
• Automated static code analysis
• Penetration testing
• Public and Acquia-developed tools

Slide 42: What is the output?

Slide 43: Thanks! Questions?
Contact: greg.knaddison@acquia.com, @greggles

Slide 44: Photo credits
• http://www.flickr.com/photos/jdhancock/3760104591/
• http://www.flickr.com/photos/danielsphotography/466435567/
• http://www.flickr.com/photos/38485387@N02/3580728177/
• http://www.flickr.com/photos/tchi-tcha/2447184214