Full Web Stack Security

Presentation made by António Almeida and Ricardo Amaro during DrupalCamp Lisboa 2011.

Speaker notes:
  • Talk about Night of the Hunter (1955): the battle of the hands between love and hate. We like the web. But there are many dangers lurking. The web is more and more an attack vector. With the move to the cloud this gets worse. Those who today do not treat security as a strategic issue as vital to the business as connectivity are out of step with the hard reality that exists here.
  • Start
  • this here was reduced
  • Full Web Stack Security

    1. Staying out of harm's way
    2. Full Web Stack Security
    3. "Drupal is just one piece of the software stack: vulnerabilities can exist at the server and network levels as well." (GVS, Drupal Security Review)
    4. Prelude
    5. OWASP Top 10: the 10 most worrisome web app attack vectors (owasp.org)
    6. I. on the app
       • A1. Injection
       • A2. Cross-Site Scripting (XSS)
       • A3. Broken Authentication and Session Management
       • A4. Insecure Direct Object References
       • A5. Cross-Site Request Forgery (CSRF)
    7. II. also off the app
       • A6. Security Misconfiguration
       • A7. Insecure Cryptographic Storage
       • A8. Failure to Restrict URL Access
       • A9. Insufficient Transport Layer Protection
       • A10. Unvalidated Redirects and Forwards
    8. defensive vectors
       • Drupal security team
    9. writing secure code
       • writing secure code (SQL): http://drupal.org/writing-secure-code
       • Drupal filters on output: http://drupal.org/node/263002
       • cross-site scripting: using check_plain()/check_markup(): http://drupal.org/node/101495
       • handling user input: placeholders for t(), user input in forms: http://drupal.org/node/28984
       • check_plain() at api.drupal.org: http://api.drupal.org/api/function/check_plain
    10. writing secure code (continued)
       • check_markup() at api.drupal.org: http://api.drupal.org/api/function/check_markup
       • Cross-Site Request Forgery: handle forms securely: http://drupal.org/node/178896
       • safely impersonating another user: http://drupal.org/node/218104
       • using eval() in Drupal: http://drupal.org/node/715010
       • db_rewrite_sql(): when to use and why: http://drupal.org/node/93737
    11. how to deal... with an attack
    12. and
    13. ...mitigate its impact at infrastructure level?
    14. well... not really
    15. it's a dirty fight
    16. Dark mood
    17. but there's hope...
    18. Sonata
    19. it's the server, stupid
    20. permitted HTTP methods: GET, POST, HEAD
    21. tricky methods
    22. WebDAV: PUT, DELETE
    23. lethal methods
    24. OPTIONS, CONNECT, TRACE
    25. allowed hosts
    26. don't allow a forged Host header
    27. information disclosure
    28. hide everything
    29. but who cares?
    31. the blind elephant is watching you
    32. defcon '10: http://blindelephant.sf.net
    33. and now for something completely different
    35. a shell script that wraps an AWK script and does some cleanup of your PHP configuration (php.ini)
    36. this will be a drush command in the near future: https://github.com/perusio/php-ini-cleanup
    37. Black Ops: laying low
    38. hunting like a black panther in the night
    39. Aria
    40. DDoS & DoS prevention
    41. limit the number of connections; limit the size and number of uploads & downloads
    42. limit the number of connections with limit zones
    43. in nginx:
          limit_zone uno $binary_remote_addr 1m;
          location /uploads {
              limit_conn uno 1; # one connection
          }
    44. D6 filefield: POST filefield/ahah (uploads)
          location ~* filefield/ahah {
              limit_conn uno 1; # one connection
          }
        only one connection per IP is allowed
    45. D7 filefield in core: POST file/ajax (uploads)
          location ~* file/ajax {
              limit_conn uno 2; # two connections
          }
        only two connections per IP are allowed
    46. limit the number of requests per session or address: nginx HttpLimitReq module
    47. in nginx:
          limit_req_zone $binary_remote_addr zone=eins:10m rate=1r/s;
          location /downloads/ {
              limit_req zone=eins burst=5;
          }
        usually 1 req/s with a burst of 5
    48. otherwise you get a 503 Service Unavailable
    49. The match: faites vos jeux
    50. the rules of the Marquis of Queensberry apply to this match
    51. Chaconne
    52. slowloris + DDoS: live simulation
    54. Minuetto
    55. There's so much stuff we had to leave out
    56. these, for example:
       • SSH for deployment and maintenance
       • SFTP for transfers, running services
       • FTP, smb shares, open ports
       • telnet, remote desktop, VNC
    57. to be continued... somewhere over the rainbow
    58. perusio: http://drupal.org/user/8859
        ricardoamaro: http://drupal.org/user/666176
        both founders of the Associação Drupal Portugal
    59. become a member: http://drupal-pt.org/node/145 (Associação Drupal Portugal)
