Transcript

  • 1. Securing Drupal Sites for Government Agencies
       Acquia Webinar by Cash Williams & Jessica Richmond
  • 2. Introductions
       • Cash Williams, Technical Consultant, @CashWilliams
       • Jessica Richmond, Sr. Director, Government, @jesrichmond
  • 3. Agenda
       • Overview of Drupal in government
       • Drupal & Security Overview
       • Keeping Drupal Secure
       • Code VS Config
       • Common Recommendations
       • How Acquia Can Help
       • Questions & Answers
  • 4. Security Considerations
       Two primary areas for security:
       • Drupal Configuration and Code
           o Building the site in a secure manner
           o Keeping code secure
       • Process
           o Best practices
           o Achieving C&A/A&A
  • 5. Drupal & Security
       • Security is a top concern for government
       • Drupal is highly secure
           o Community Support
           o Drupal Security Team
           o Vendors
               § Workshops
               § Audits
               § Support
       • Drupal Security Whitepaper: http://drupalsecurityreport.org/
  • 6. The Drupal Security Release Process
       http://www.acquia.com/blog/keeping-drupal-secure
  • 7. Staying Informed
       • Security announcements from Drupal.org
           o Sign up on your drupal.org account profile
       • RSS Feeds
           o http://drupal.org/node/406142
       • Drupal Security on Twitter
           o @drupalsecurity
       • Update Status module
           o Core module
  • 8. Code VS Config
       • Secure code isn't the only concern; secure code can still be configured insecurely
       • During security audits, improper site configuration has been found to cause many vulnerabilities
       • Custom code should be reviewed, but typically isn't
  • 9. Common Configuration Issues
       • Drupal Permissions
       • Access controls for Views
       • Text Formats (Input Filters)
  • 10. Common Code Issues
       • Menu item access controls
       • Not using Form API
       • Improper use of Database API
       • Output sanitization
  • 11. Module Recommendations
       • Paranoia - http://drupal.org/project/paranoia
       • Securepages & Securepages Prevent Hijack - http://drupal.org/project/securepages
       • Security Review - http://drupal.org/project/security_review
       • Password Policy - http://drupal.org/project/password_policy
  • 12. Module Recommendations
       • PHPass (Drupal 6 only) - http://drupal.org/project/phpass
       • Login Security (Drupal 6 only) - http://drupal.org/project/login_security
       Full list of security modules: http://drupalscout.com/knowledge-base/contributed-modules-securing-your-drupal-site
  • 13. How Acquia Can Help
       Professional Services
       • Security Workshops
           o On-site security training
       • Security Audits
           o Pre-launch audits
           o Ongoing post-launch
  • 14. Questions & Answers
  • 15. Thank you!
       Cash: cash.williams@acquia.com @CashWilliams
       Jessica: jessica.richmond@acquia.com @jesrichmond
       For more information visit: http://www.acquia.com
       Email: sales@acquia.com or Call: 888.9.ACQUIA
       Follow us: @acquia
       Today's webinar recording will be posted to: http://acquia.com/resources/recorded_webinars