Securing Drupal sites for Government Agencies

Securing Drupal sites for Government Agencies Presentation Transcript

  • 1. Securing Drupal Sites for Government Agencies
      Acquia Webinar by Cash Williams & Jessica Richmond
  • 2. Introductions
      • Cash Williams, Technical Consultant, @CashWilliams
      • Jessica Richmond, Sr. Director, Government, @jesrichmond
  • 3. Agenda
      • Overview of Drupal in government
      • Drupal & Security Overview
      • Keeping Drupal Secure
      • Code VS Config
      • Common Recommendations
      • How Acquia Can Help
      • Questions & Answers
  • 4. Security Considerations
      Two primary areas for security:
      • Drupal Configuration and Code
          o Building the site in a secure manner
          o Keeping code secure
      • Process
          o Best practices
          o Achieving C&A/A&A
  • 5. Drupal & Security
      • Security is a top concern for government
      • Drupal is highly secure
          o Community Support
          o Drupal Security Team
          o Vendors
              § Workshops
              § Audits
              § Support
      • Drupal Security Whitepaper http://drupalsecurityreport.org/
  • 6. The Drupal Security Release Process
      http://www.acquia.com/blog/keeping-drupal-secure
  • 7. Staying Informed
      • Security announcements from Drupal.org
          o Sign up on your drupal.org account profile
      • RSS Feeds
          o http://drupal.org/node/406142
      • Drupal Security on Twitter
          o @drupalsecurity
      • Update Status module
          o Core module
  • 8. Code VS Config
      • Secure code isn't the only concern; it can be configured insecurely
      • During security audits, improper site configuration has been found to cause many vulnerabilities
      • Custom code should be reviewed, but typically isn't
  • 9. Common Configuration Issues
      • Drupal Permissions
      • Access controls for Views
      • Text Formats (Input Filters)
  • 10. Common Code Issues
      • Menu item access controls
      • Not using Form API
      • Improper use of Database API
      • Output sanitization
  • 11. Module Recommendations
      • Paranoia - http://drupal.org/project/paranoia
      • Securepages & Securepages Prevent Hijack - http://drupal.org/project/securepages
      • Security Review - http://drupal.org/project/security_review
      • Password Policy - http://drupal.org/project/password_policy
  • 12. Module Recommendations
      • PHPass (Drupal 6 only) - http://drupal.org/project/phpass
      • Login Security (Drupal 6 only) - http://drupal.org/project/login_security
      Full list of security modules: http://drupalscout.com/knowledge-base/contributed-modules-securing-your-drupal-site
  • 13. How Acquia Can Help
      Professional Services
      • Security Workshops
          o On-site security training
      • Security Audits
          o Pre-launch audits
          o Ongoing post-launch
  • 14. Questions & Answers
  • 15. Thank you!
      Cash: cash.williams@acquia.com @CashWilliams
      Jessica: jessica.richmond@acquia.com @jesrichmond
      For more information visit: http://www.acquia.com
      Email: sales@acquia.com or Call: 888.9.ACQUIA
      Follow us: @acquia
      Today's webinar recording will be posted to: http://acquia.com/resources/recorded_webinars