Training: Best Practices for Drupal Security
  • 71% of data breaches occurred in businesses with < 100 employees
  • data from SAs (security advisories) from the security team
  • from security audits of actual Drupal sites
  • website security statistics report, WhiteHat Security
  • data is manipulated to carry out attacks on different domains, such as Drupal, the database, or the user
  • being safe from dangerous user input by controlling what you trust users to do
  • password breaches from drupal.org, Sony, or Adobe

Presentation Transcript

  • Training: Best Practices for Drupal Security. Cash Williams, Technical Consultant, Acquia; Ben Jeavons, Sr. Software Engineer, Acquia; David Stoline, Technical Consultant, Acquia
  • Drupal Security: vulnerabilities and risks on the web; understanding user input and evaluating trust; tips and further best practices for security
  • Principle ideas: Don’t trust user input. Stay up-to-date. Defense in depth.
  • http://www.forbes.com/sites/cherylsnappconner/2013/09/14/are-you-prepared-71-of-cyber-attacks-hit-small-business/
  • “traffic at Target tanked after news that hackers stole data from 40 million credit and debit cards used at Target“ http://qz.com/181703/shoppers-decided-to-avoid-target-after-its-giant-data-breach (image: https://www.flickr.com/photos/roadsidepictures/2923629922)
  • Heartbleed: massive vulnerability affecting ~66% of the internet; allowed arbitrary memory leaks exposing usernames, passwords, certificate private keys, etc.
  • Hands-on training: DrupalCon Austin, Monday June 2nd, austin2014.drupal.org/node/1118. Register before May 2nd to save $75.
  • Drupal vulnerabilities and risks
  • Vulnerabilities by popularity (chart): reported in core and contrib SAs from June 1 2005 through October 1 2013, drupalsecurityreport.com
  • Vulnerabilities by type (chart): reported in SAs from June 1 2005 through October 1 2013, drupalsecurityreport.com
  • Drupal in the wild: most vulnerabilities exist in custom code (modules or themes), insecure configuration or practices, and out-of-date code
  • 66% likelihood that a website is vulnerable to Cross-Site Scripting: http://whitehatsec.com/home/assets/presentations/09PPT/PPT_statsfall09_8th.pdf
  • User input is the root of all evil
  • User input: What pages have forms? Nodes and comments; webforms; other properties of HTTP requests
  • Raw user input → Output (diagram)
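The "raw input straight to output" path on the slide above, as an added Drupal 7 example that is not part of the presentation: the unsafe page callback beside the corrected one. The `name` query parameter, the function names and the assumption that the callback is registered through hook_menu() are all illustrative.

```php
<?php
// Added example, not from the presentation: a Drupal 7 page callback that
// echoes a request parameter. The "name" parameter and function names are
// assumptions; the callback is assumed to be registered through hook_menu().

// BEFORE: raw input goes straight into HTML (cross-site scripting) and is
// interpolated into SQL (injection). Kept only to show what the safe version fixes.
function example_greet_page_unsafe() {
  $name = $_GET['name'];
  $count = db_query("SELECT COUNT(*) FROM {users} WHERE name = '$name'")->fetchField();
  return '<p>Hello ' . $name . ', you have ' . $count . ' matching account(s).</p>';
}

// AFTER: input stays raw until the moment it is used, then each sink does
// its own escaping: the database layer binds the placeholder, and t()'s
// @placeholder runs check_plain() on the value before it reaches the page.
function example_greet_page() {
  $name = isset($_GET['name']) ? $_GET['name'] : '';
  $count = db_query('SELECT COUNT(*) FROM {users} WHERE name = :name', array(':name' => $name))->fetchField();
  return '<p>' . t('Hello @name, you have @count matching account(s).', array(
    '@name' => $name,
    '@count' => (int) $count,
  )) . '</p>';
}

// When a field legitimately carries limited HTML (a comment body, a bio),
// escape with filter_xss() instead, which keeps only a whitelist of tags.
function example_render_bio($raw_bio) {
  return '<div class="bio">' . filter_xss($raw_bio, array('a', 'em', 'strong', 'p')) . '</div>';
}
```

The point to carry away is that the same raw value needs a different escape for each sink (SQL, HTML text, HTML fragment), so the escaping belongs at the output, not at the input.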
  • Trust
  • Trust: Know your site’s Drupal roles and permissions. Evaluate permissions of new modules. Maintain strong passwords.
  • Trust: Principle of least privilege. Give only the necessary permissions to complete the required work.
  • Admin permissions: Administer permissions; Administer users; Administer filters; Administer content types; Administer site configuration; contrib module admin permissions?
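Least privilege applied to a contrib or custom module, as an added Drupal 7 example that is not from the presentation: one narrow permission per task, with the sensitive one flagged, so no role needs a broad "administer" permission to do its job. The module name `example`, its permission names and the `example_report_limit` variable are assumptions.

```php
<?php
// Added example, not from the presentation. Module name "example", its
// permission names and the variable name are assumptions.

// Implements hook_permission(): one narrow permission per task, so a report
// reviewer never needs "administer site configuration".
function example_permission() {
  return array(
    'view example reports' => array('title' => t('View example reports')),
    'administer example' => array(
      'title' => t('Administer the example module'),
      // Flagged as security-sensitive on admin/people/permissions (warns site builders).
      'restrict access' => TRUE,
    ),
  );
}

// Implements hook_menu(): user_access() runs on 'access arguments' before each callback.
function example_menu() {
  $items['admin/reports/example'] = array(
    'title' => 'Example report',
    'page callback' => 'example_report_page',
    'access arguments' => array('view example reports'),
  );
  $items['admin/config/system/example'] = array(
    'title' => 'Example settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_settings_form'),
    'access arguments' => array('administer example'),
  );
  return $items;
}

// Read-only report: reachable with the narrow permission only.
function example_report_page() {
  $limit = (int) variable_get('example_report_limit', 50);
  $names = db_query_range('SELECT name FROM {users} WHERE uid > 0 ORDER BY created DESC', 0, $limit)->fetchCol();
  // Escape each stored name before it is rendered as HTML.
  return theme('item_list', array('items' => array_map('check_plain', $names)));
}

// Settings form: only roles holding 'administer example' ever reach it.
function example_settings_form($form, &$form_state) {
  $form['example_report_limit'] = array(
    '#type' => 'textfield',
    '#title' => t('Rows per report'),
    '#default_value' => variable_get('example_report_limit', 50),
    '#element_validate' => array('element_validate_integer_positive'),
  );
  return system_settings_form($form);
}
```

When reviewing a new module, the question from the slide ("contrib module admin permissions?") is answered by reading its hook_permission() the same way: anything marked 'restrict access' should go only to roles that are already trusted as administrators.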
  • Strong passwords: Ensure administrators have strong passwords (drupal.org/project/password_policy)
  • Best practices
  • Stay up to date: Follow release schedules; Update Manager; @drupalcore & @drupalsecurity; apply appropriate updates
  • Update process: Stage and dev environments for testing changes
  • Update process: Stage and dev environments for testing changes; drush pm-updatecode; VCS (git) for quick deploys
  • Backups: If it isn’t tested then it doesn’t work
  • Backups: How complicated is your restore process? Is every step documented? Can a restore be done by someone filling in for a position? Are there any technical barriers to performing a restore? Are the backups and procedure regularly tested? How long will the restore take?
  • Logs: Enable logging and save log data. Fix application errors and warnings to remove noise. Aggregate log data to better analyze.
  • 10 PM: DO YOU KNOW WHERE YOUR DATA ARE?
  • Sensitive data: Where is sensitive data and is it protected? Ensure a project repo does not have sensitive data, including the repo history. Non-production databases should be sanitized. Use encryption.
  • Principle ideas from today
  • Principle ideas: Don’t trust user input. Stay up-to-date. Defense in depth.
  • More resources: drupalsecurityreport.com; drupal.org/developing/best-practices; drupal.org/security/secure-configuration; drupal.org/writing-secure-code
  • Hands-on Training: DrupalCon Austin, Monday June 2, austin2014.drupal.org/node/1118. Register before May 2nd to save $75.
  • Thank you: Cash Williams @cashwilliams; Ben Jeavons @benswords; David Stoline @unncola