Drupal Security Seminar

906 views
804 views

Published on

No worries, we’ve got your Drupal installation secured! This slideshow was used on our Drupal Security Seminar of Friday June 21.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
906
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
16
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Drupal Security Seminar

  1. 1. WE MATCH FRONT SEAT TECHNOLOGY AND CREATIVITY TO MEET YOUR DIGITAL PROJECTS.
  2. 2. 1  KEEP YOUR DRUPAL ENVIRONMENT SECURE 2  SECURE DEVELOPMENT & SECURE CONFIGURATION 3  ACQUIA ON DRUPAL SECURITY 4  IBM TIVOLI ACCESS MANAGEMENT AND DRUPAL AGENDA
  3. 3. DRUPAL SECURITY
  4. 4. WHY BOTHER? 1
  5. 5. ZAPPOS
  6. 6. LINKEDIN
  7. 7. SONYPLAYSTATIONNETWORK
  8. 8. WHYBOTHER? -  Privacy laws -  Exposure of private information -  Compliance with legislation / internal rules -  Risk of reputational damage -  Risk of direct/indirect economical damage
  9. 9. IS DRUPAL SECURE? 2
  10. 10. MANY EYES MAKE FOR SECURE CODE ISOPENSOURCESECURE? -  Security by obscurity -  Open code does not make it easier for hackers -  Open Source makes people look at it -  Popularity gets more eyes and more peer-reviews -  Not dependant on time-scale vendor Bad open-source software as bad as bad private software.
  11. 11. TOP 10 VULNERABILITIES OWASP -  Injection -  Cross Site Scripting - XSS -  Broken Authentication and Session Management -  Insecure Direct Object Reference -  Cross Site Request Forgery - CSRF -  Security Misconfguration -  Failure to Restrict URL Access -  Unvalidated Redirects and Forwards -  Insecure Cryptographic Storage -  Insuficient Transport Layer Protection
  12. 12. REPORTEDVULNERABILITIES
  13. 13. ISDRUPALSECURE? Drupal Architecture -  API is designed to be secure -  Contrib Modules > custom modules -  Best practices Build -  Secure Development -  Secure Configuration -  Audit Contrib Modules -  Code audit custom code -  Security Review DURING BUILD OF NEW DRUPAL WEBSITE
  14. 14. DURING LIFECYCLE DRUPAL WEBSITE ISDRUPALSECURE? Who’s checking Drupal -  Project maintainers -  Thousand of users -  Security Researchers -  Government organisations -  Private organisations Processes & Organisation -  Security Team -  Process for solving issues & releasing security updates -  Security Advisories -  Private Disclosure practice
  15. 15. KEEP YOUR DRUPAL WEBSITE SECURE 3
  16. 16. SECURITY IS A PROCESS NOT AN EVENT
  17. 17. WHO’SCHECKINGDRUPAL -  Project maintainers -  Thousand of users -  Security Researchers -  Government organisations -  Private organisations MANY EYES MAKE FOR SECURE CODE
  18. 18. UNIQUE FOR A OPEN SOURCE PROJECT SECURITYTEAM Task & Responsibilities -  Solve reported issues -  Assist contributors in solving issues -  Advise and provide documentation on secure development -  Advise and provide documentation on securing your Drupal website What’s supported -  Core Drupal 6 & 7 -  Contributed Modules Drupal 6 & 7
  19. 19. FROM REPORTED ISSUE TO SECURITY UPDATE ADRUPALSECURITYRELEASE
  20. 20. FOR CORE AND CONTRIBUTED MODULES PER YEAR SECURITYADVISORIES Year Core Contributed 2010 1 31 2009 8 115 2008 11 64 2007 11 21 2006 1 21 2005 7 2
  21. 21. YOU’RE SAFE UNTIL RELEASE SECURITY UPDATE PRIVATEDISCLOSURE -  Vulnerability introduced into code -  Issue reported -  Maintainer is notified -  Maintainer fixes issue -  Review & Discussions with security team -  Security Advisory written -  Release and anounce -  Deployed in Drupal website FD PD
  22. 22. KNOW WHEN AN UPDATE IS NEEDED UPDATEMANAGER -  Check available updates -  Notifications -  Update through admin interface
  23. 23. SECURITY HEALTH CHECK SECURITYREVIEWMODULE
  24. 24. INSIGHT INTO HEALTH OF YOUR DRUPAL WEBSITE STATUSMONITORING Tools -  Droptor.com (https://drupal.org/project/droptor) -  Acquia Insight (https://drupal.org/project/acquia_connector) -  Nagios (https://drupal.org/project/nagios) -  Drupalmonitor.com (https://drupal.org/project/drupalmonitor) -  …
  25. 25. BUILD A SECURE DRUPAL WEBISTE 4
  26. 26. CONTRIB
  27. 27. CONTRIBUTED MODULES Quality assurance -  Usage -  Number of open issues -  Closed/Open ratio -  Response time Good quality usually means good security Manual code reviews for less used modules
  28. 28. UPDATES Always stay up to date -  Keep up with latest security releases Update Workflow -  Hacked module + diff -  Drush up
  29. 29. PATCHES Contrib patches Read the entire issue Commit custom patches Help out Feedback from other users (maintainers) Patch might get commited Patch management Move module to patched Create a patches.txt Keep patches
  30. 30. CUSTOM
  31. 31. SECURITY PYRAMID Menu & Node Access Form API DB API Theme
  32. 32. CORRECT USE OF API Form api validation cache form_state drupal_valid_token DB api db_select, db_insert, placeholders $query->addTag('node_access') Filter tcheck_url, check_plain, check_markup, filter_xss (), l(), drupal_set_title()
  33. 33. CODE REVIEWS Coder module Manual reviews security_review module
  34. 34. THEMES
  35. 35. THEMES Themer not responsible Preprocess functions
  36. 36. CONFIGURATION
  37. 37. PERMISSIONS Permission management If Joe from advertising can give the full html filter format to anonymous user, don't bother to think about security Split up permissions The default permissions don't cover every use case
  38. 38. PERMISSIONS
  39. 39. FILTER FORMATS Never use full_html Use filtered_html instead. Never use phpfilter Use a custom module for code Versioning Bad performance (eval)
  40. 40. HACKS AND HOW TO PREVENT THEM
  41. 41. SQL INJECTION "SELECT * FROM user WHERE name = '$name'" "SELECT * FROM user WHERE name = 'Robert'; DROP TABLE students;'" http://xkcd.com/327/
  42. 42. SQL INJECTION Placeholders db_query(“SELECT * FROM users WHERE name = :user”, array(':user' => $user); Dynamic Queries $query = db_select('user', 'u') ->fields('u') ->where('name', $user) ->execute();
  43. 43. XSS (cross site scripting) http://vimeo.com/15447718
  44. 44. XSS (cross site scripting) Validate forms User input should never contain javascript Form api Never use $_POST variables $form_state['values'] Form caching
  45. 45. XSS (cross site scripting) User Input Title Body Log message Url Post User-Agent Headers
  46. 46. XSS (cross site scripting) Input formats Never use full_html Filter Functions check_url() check_plain() check_markup() filter_xss()
  47. 47. XSS (cross site scripting) http://drupalscout.com/knowledge-base/drupal-text-filtering-cheat-sheet-drupal-6
  48. 48. XSS (cross site scripting) Functions t() l() drupal_set_title() @var => plain text %var => plain text !var => full html!
  49. 49. CSRF (cross site request forgery) Taking action without confirming intent <a href=”/delete/user/1”>Delete user 1</a> Image Tag <img src=”/delete/user/1”> A hacker posts a comment to the administrator. When the administrator views the image, user 1 gets deleted
  50. 50. CSRF (cross site request forgery) Token (aka Nonce)
  51. 51. ACCESS BYPASS View content a user is not supposed to $query = db_select('node', 'n')->fields('n'); Also shows nodes that user doesn't have acces to $query->addTag('node_access') Rewrite the query based on the node_access table
  52. 52. ACCESS BYPASS Bad custom caching Administrator visits a block listing nodes. The block gets cached The cached block with all nodes is shown to the anonymous user Add role id to custom caching
  53. 53. ACCESS BYPASS Rabbit_hole module Rabbit Hole is a module that adds the ability to control what should happen when an entity is being viewed at its own page. Field access $form['#access'] = custom_access_callback(); Menu access $item['access callback'] = 'custom_access_callback',
  54. 54. CHECKLIST
  55. 55. CHECKLIST Permissions λ Trusted users only λ Split default permissions API λ Use Preprocess functions λ filter_xss, check_plain λ DB api λ Form api λ Tokens λ Menu/Node Access Never Use λ Full html λ Php filter
  56. 56. FURTHER READING
  57. 57. FURTHER READING Books Cracking Drupal Pro Drupal Development Online λ https://drupal.org/writing-secure-code λ https://drupal.org/node/360052 λ http://munich2012.drupal.org/program/sessions/think-hacker-secure-drupal-code.html λ http://drupalscout.com/knowledge-base Video λ  How to avoid All your base are belong to us (drupalcon Denver)
  58. 58. SEND US A MESSAGE E-mail You can contact us at newmedia@calibrate.be Our address Veldkant 33A 2550 Kontich ONZE CONTACTINFORMATIE On the web www.calibrate.be linkedin.com/company/calibrate twitter.com/calibrators

×