Securing Drupal sites for Government Agencies

Securing Drupal Sites for Government Agencies Acquia Webinar by Cash Williams & Jessica Richmond

Introductions Cash Williams Technical Consultant @CashWilliams Jessica Richmond Sr. Director, Government @jesrichmond

Agenda •  Overview of Drupal in government •  Drupal & Security Overview •  Keeping Drupal Secure •  Code VS Conﬁg •  Common Recommendations •  How Acquia Can Help •  Questions & Answers

Security Considerations Two primary areas for security: •  Drupal Conﬁguration and Code o  Building the site in a secure manner o  Keeping code secure •  Process o  Best practices o  Achieving C&A/A&A

Drupal & Security •  Security is a top concern for government •  Drupal is highly secure o  Community Support o  Drupal Security Team o  Vendors §  Workshops §  Audits §  Support •  Drupal Security Whitepaper http://drupalsecurityreport.org/

The Drupal Security Release Process http://www.acquia.com/blog/keeping-‐drupal-‐secure

Staying Informed •  Security annoucements from Drupal.org o  Sign up on your drupal.org account proﬁle •  RSS Feeds o  http://drupal.org/node/406142 •  Drupal Security on Twitter o  @drupalsecurity •  Update Status module o  Core module

Code VS Config •  Secure code isnt the only concern, it can be configured insecurely •  During security audits, improper site configuration has been found to cause many vulnerabilities •  Custom code should be reviewed, but typically isnt

Common Conﬁguration Issues •  Drupal Permissions •  Access controls for Views •  Text Formats (Input Filters)

Common Code Issues •  Menu item access controls •  Not using Form API •  Improper use of Database API •  Output sanitization

Module Recommendations •  Paranoia -‐ http://drupal.org/project/paranoia •  Securepages & Securepages Prevent Hijack -‐ http://drupal.org/project/securepages •  Security Review -‐ http://drupal.org/project/security_review •  Password Policy -‐ http://drupal.org/project/password_policy

Module Recommendations •  PHPass (Drupal 6 only) -‐ http://drupal.org/project/phpass •  Login Security (Drupal 6 only) -‐ http://drupal.org/project/login_security Full list of security modules: http://drupalscout.com/knowledge-‐base/contributed-‐ modules-‐securing-‐your-‐drupal-‐site

How Acquia Can Help Professional Services • Security Workshops o  On-‐site security training •  Security Audits o  Pre-‐launch audits o  Ongoing post-‐launch

Questions & Answers

Thank you! Cash: cash.williams@acquia.com @CashWilliams Jessica: jessica.richmond@acquia.com @jesrichmond For more information visit: http://www.acquia.com eMail: sales@acquia.com or Call: 888.9.ACQUIA Follow us: @acquia Today s webinar recording will be posted to: http://acquia.com/resources/recorded_webinars

http://www.acquia.com	94
http://acquiacomdev.network.acquia-sites.com	3
https://twitter.com	1

Securing Drupal sites for Government Agencies

by Acquia on Sep 11, 2012

Accessibility

Categories

Upload Details

Usage Rights

3 Embeds 98

Statistics

Securing Drupal sites for Government Agencies Presentation Transcript