Drupal Security
                            Gábor Hojtsy & Ben Jeavons
Drupal security - Configuration and process

Published on

"Drupal security - Configuration and process" session slides from Drupalcon Copenhagen.

Co-prepared and co-presented with Ben Jeavons from Growing Venture Solutions (http://growingventuresolutions.com/)

Published in: Technology
Transcript of "Drupal security - Configuration and process"

  1. Drupal Security
     Gábor Hojtsy & Ben Jeavons
     24 Aug, 14:45, VPS.net
     Tuesday, August 31, 2010
  2. Who we are
     • Gábor Hojtsy: Drupal 6 co-maintainer, Acquia, Security Team Member
     • Ben Jeavons: Drupal Security Report, Growing Venture Solutions, Security Team Member
  3. Web security
     • Protecting resources from abuse
     • Protecting data
     • Protecting available actions
     • Attackers exploit a weakness to do harm
  4. Demo
     • Malicious JavaScript is entered
     • Admin unknowingly executes it
     • JavaScript alters admin-only settings
       • Changes admin password
       • Puts site offline
  5. 66%: likelihood that a website has a Cross Site Scripting vulnerability
     http://whitehatsec.com/home/assets/presentations/09PPT/PPT_statsfall09_8th.pdf
  6. Vulnerabilities by popularity (Drupal security advisories, http://drupalsecurityreport.org)
     • XSS: 48%
     • Access Bypass: 16%
     • CSRF: 10%
     • Authentication/Session: 7%
     • Arbitrary Code Execution: 4%
     • SQL Injection: 3%
     • Others: 12%
  7. Lots of risks
     • Prioritize your actions
       • Secure configuration
       • Careful processes
       • Keep code up-to-date
       • Audit custom code
  8. Smart configuration
     • Control user input
       • Input formats
     • Trust
       • Roles and permissions
  9. Input formats
     • Input formats control what happens when user-supplied data is displayed
  10. Input formats
     • Filtered HTML for untrusted roles
     • Full HTML for completely trusted roles
  11. Filtered HTML
     • HTML filter
       • Limits the allowed tags
  12. Unsafe HTML tags
     • Script tags, or any tag that allows JS event attributes (onclick, onerror, ...)
       • <script>
     • Any tag that allows a URL reference (the viewer's browser fetches that URL with the viewer's cookies)
       • <img>
  13. No image tags?!
     • Image tags allow for CSRF attacks
     • It's a matter of trust
     • Use CCK & imagefield (images uploaded as fields instead of typed into HTML)
     • Control access to Full HTML
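The Filtered HTML idea from slides 9 to 13 in working form, as an added example that is not code from the deck or from Drupal itself: a whitelist filter that keeps only allowed tags, strips event-handler attributes and script: URLs, and shows why adding <img> to the whitelist turns a harmless format into a CSRF vector. The tag lists, role names and the CSRF-style URL are constructed for the example and are not Drupal's actual defaults.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed tag policy modelled on a "Filtered HTML" format (assumed list,
# not Drupal's shipped default). Note that <img> is deliberately absent.
FILTERED_HTML_TAGS = frozenset(
    {"a", "em", "strong", "cite", "code", "ul", "ol", "li", "dl", "dt", "dd", "p", "br"}
)
SAFE_URL_SCHEMES = frozenset({"http", "https", "mailto"})
URL_ATTRIBUTES = frozenset({"href", "src"})


def bad_url(value):
    """True if a URL uses a scheme that could run script or is otherwise unexpected.
    Control characters and whitespace are removed first because browsers ignore
    them inside a scheme: "java\\tscript:alert(1)" still executes."""
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    scheme = urlsplit(cleaned).scheme.lower()
    return bool(scheme) and scheme not in SAFE_URL_SCHEMES


class WhitelistFilter(HTMLParser):
    """Keep whitelisted tags only, drop on* handlers and script: URLs.
    Text content (including the body of a removed <script>) is kept but escaped,
    so it can no longer be interpreted as markup. HTMLParser already lower-cases
    tag and attribute names and decodes entities in attribute values, so
    "&#106;avascript:" and "ONCLICK" are caught as well."""

    def __init__(self, allowed_tags):
        super().__init__()
        self.allowed_tags = allowed_tags
        self.out = []
        self.dropped = []  # audit trail of what the filter removed

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed_tags:
            self.dropped.append(tag)
            return
        parts = []
        for name, value in attrs:
            if name.startswith("on"):  # onclick, onerror, onload, ...
                self.dropped.append(f"{tag}@{name}")
                continue
            if name in URL_ATTRIBUTES and value is not None and bad_url(value):
                self.dropped.append(f"{tag}@{name}")
                continue
            if value is None:
                parts.append(f" {name}")
            else:
                parts.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(parts)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> style void element: no end tag

    def handle_endtag(self, tag):
        if tag in self.allowed_tags:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def filter_html(markup, allowed_tags=FILTERED_HTML_TAGS):
    """Return (filtered markup, list of removed tags/attributes)."""
    parser = WhitelistFilter(allowed_tags)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.dropped


# Which format each role gets (assumed mapping): only a fully trusted role
# gets Full HTML, which passes the author's markup through untouched.
ROLE_FORMATS = {
    "anonymous user": "Filtered HTML",
    "authenticated user": "Filtered HTML",
    "administrator": "Full HTML",
}


def render_for_role(markup, role):
    if ROLE_FORMATS.get(role) == "Full HTML":
        return markup
    return filter_html(markup)[0]


if __name__ == "__main__":
    payload = '<p onclick="steal()">Hi <script>alert(1)</script><a href="javascript:alert(2)">x</a></p>'
    print(filter_html(payload))
    # With <img> whitelisted, any visitor's browser issues a GET to an attacker-chosen
    # URL carrying that visitor's cookies (constructed URL, not a real Drupal path).
    csrf = '<img src="http://site.example/?q=admin/some/action&op=1">'
    print(filter_html(csrf))
    print(filter_html(csrf, FILTERED_HTML_TAGS | {"img"}))
```

The filter is a whitelist, not a blacklist: anything it does not recognise is removed, which is what makes "limit the allowed tags" robust against encodings and tag variants it was never told about.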
  14. Trust
     • Know your roles
       • Which users have which roles
       • How roles are granted
  15. "Super-admin" permissions (permissions that effectively make a role a site administrator)
     • Administer permissions
     • Administer users
     • Administer filters
     • Administer content types
     • Administer site configuration
  16. Trust
     • Utilize the principle of Least Privilege
       • Grant only the permissions necessary to carry out the required work
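Slides 14 to 16 as a worked audit, added here and not part of the deck or of any Drupal module: given a role-to-permission table and a user-to-role table, find which untrusted roles hold a "super-admin" permission from slide 15, which users that reaches (remember that every logged-in account holds "authenticated user"), and what least privilege says to revoke. The role, user and requirement data are constructed for the example; the super-admin list is the deck's.

```python
# Permissions the deck labels "super-admin": they belong only to fully trusted roles.
SUPER_ADMIN_PERMISSIONS = frozenset({
    "administer permissions",
    "administer users",
    "administer filters",
    "administer content types",
    "administer site configuration",
})

TRUSTED_ROLES = frozenset({"administrator"})

# Constructed snapshot of a site's role -> permissions table (assumed data in the
# shape of admin/user/permissions on a Drupal 6 site). Two mistakes are planted:
# "administer filters" on the role every logged-in user has, and
# "administer users" on the editor role.
ROLE_PERMISSIONS = {
    "anonymous user": {"access content"},
    "authenticated user": {"access content", "post comments", "administer filters"},
    "editor": {"access content", "create story content", "edit any story content",
               "administer users"},
    "administrator": set(SUPER_ADMIN_PERMISSIONS) | {"access content"},
}

# Constructed user -> explicitly assigned roles. As in Drupal, every account also
# holds "authenticated user" implicitly; effective_roles() adds it.
USER_ROLES = {"alice": {"administrator"}, "bob": {"editor"}, "carol": set()}

# What each untrusted role actually needs for its work (assumed requirements).
REQUIRED_PERMISSIONS = {
    "authenticated user": {"access content", "post comments"},
    "editor": {"access content", "create story content", "edit any story content"},
}


def effective_roles(user, user_roles=USER_ROLES):
    return set(user_roles.get(user, set())) | {"authenticated user"}


def over_privileged_roles(role_permissions, trusted_roles=TRUSTED_ROLES):
    """Untrusted role -> sorted super-admin permissions it holds. (The Security
    Review module's "granted super-admin permissions" check does this on a live site.)"""
    findings = {}
    for role, perms in role_permissions.items():
        if role in trusted_roles:
            continue
        dangerous = sorted(SUPER_ADMIN_PERMISSIONS & set(perms))
        if dangerous:
            findings[role] = dangerous
    return findings


def users_reaching(permission, role_permissions, user_roles, trusted_roles=TRUSTED_ROLES):
    """Users who obtain `permission` through an untrusted role: the blast radius
    of one mis-ticked checkbox."""
    granting = {role for role, perms in role_permissions.items()
                if permission in perms and role not in trusted_roles}
    return sorted(u for u in user_roles if effective_roles(u, user_roles) & granting)


def least_privilege_revocations(role_permissions, required=REQUIRED_PERMISSIONS):
    """Role -> permissions granted beyond what its work requires. Roles with no
    stated requirements are skipped rather than guessed at."""
    return {role: sorted(set(role_permissions[role]) - needed)
            for role, needed in required.items()
            if role in role_permissions and set(role_permissions[role]) - needed}


if __name__ == "__main__":
    for role, perms in over_privileged_roles(ROLE_PERMISSIONS).items():
        for perm in perms:
            who = users_reaching(perm, ROLE_PERMISSIONS, USER_ROLES)
            print(f"{role!r} holds {perm!r}; reaches users: {who}")
    print(least_privilege_revocations(ROLE_PERMISSIONS))
```

The point the second function makes is the one slide 14 hints at: a single super-admin permission on "authenticated user" is held by every account on the site, including the administrator's, so the question is never "who has the administrator role" but "who can reach each dangerous permission by any route".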
  17. (image slide, no text)
  18. Recovering from attack
     • Restore from a backup taken before the compromise
     • Upgrade to the latest security releases
     • Change your passwords
     • Audit your configuration & custom code
  19. Backups
     • You do have backups, don't you?
     • phpMyAdmin > Export
     • mysqldump on the command line
     • Be sure to check they worked!
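Slide 19's "be sure to check they worked", as an added example that is not from the deck: a mysqldump wrapper that gzips the dump and then verifies it is non-empty, decompresses cleanly, carries the "-- Dump completed" trailer that mysqldump writes only when it finished, and contains the tables the site cannot be restored without. The sample dump bytes, the table list and the database name are constructed for the example.

```python
import gzip
import os
import shutil
import subprocess
import tempfile

# Trailer mysqldump writes on success; a dump cut short by a full disk,
# a timeout or a killed process will not have it.
DUMP_COMPLETED_MARKER = b"-- Dump completed"
# Tables without which a Drupal 6 site cannot be restored (assumed minimal set).
REQUIRED_TABLES = ("users", "node", "permission", "variable")


def mysqldump_command(database, user, host="localhost"):
    """argv for the dump. The password is deliberately absent: put it in ~/.my.cnf
    ([client] password=...) rather than on a command line visible in `ps`."""
    return [
        "mysqldump", "--single-transaction", "--quick", "--add-drop-table",
        f"--host={host}", f"--user={user}", database,
    ]


def check_dump_bytes(data, required_tables=REQUIRED_TABLES):
    """Problems found in an uncompressed dump; an empty list means it looks restorable."""
    problems = []
    if not data.strip():
        return ["dump is empty"]
    if DUMP_COMPLETED_MARKER not in data[-512:]:
        problems.append("no 'Dump completed' trailer: dump is probably truncated")
    for table in required_tables:
        if b"CREATE TABLE `%s`" % table.encode() not in data:
            problems.append(f"table `{table}` missing")
    return problems


def check_dump_file(path, required_tables=REQUIRED_TABLES):
    """Same checks on a gzipped dump file, plus existence and gzip integrity."""
    if not os.path.exists(path) or os.path.getsize(path) == 0:
        return ["dump file missing or empty"]
    try:
        with gzip.open(path, "rb") as fh:
            data = fh.read()
    except (OSError, EOFError) as exc:
        return [f"gzip error: {exc}"]
    return check_dump_bytes(data, required_tables)


def run_backup(database, user, out_path, host="localhost"):
    """Stream mysqldump into a gzipped file, then verify it; returns the problem list."""
    with gzip.open(out_path, "wb") as gz:
        proc = subprocess.Popen(mysqldump_command(database, user, host), stdout=subprocess.PIPE)
        shutil.copyfileobj(proc.stdout, gz)
        if proc.wait() != 0:
            return [f"mysqldump exited with status {proc.returncode}"]
    return check_dump_file(out_path)


# Constructed sample in the shape of mysqldump output (not a real site's data).
SAMPLE_DUMP = b"""-- MySQL dump 10.13
--
-- Host: localhost    Database: drupal6
-- ------------------------------------------------------
DROP TABLE IF EXISTS `users`;
CREATE TABLE `users` (`uid` int(10) unsigned NOT NULL, `name` varchar(60) NOT NULL, PRIMARY KEY (`uid`));
INSERT INTO `users` VALUES (0,''),(1,'admin');
DROP TABLE IF EXISTS `node`;
CREATE TABLE `node` (`nid` int(10) unsigned NOT NULL, `title` varchar(255) NOT NULL, PRIMARY KEY (`nid`));
DROP TABLE IF EXISTS `permission`;
CREATE TABLE `permission` (`pid` int(11) NOT NULL, `rid` int(10) unsigned NOT NULL, `perm` longtext);
DROP TABLE IF EXISTS `variable`;
CREATE TABLE `variable` (`name` varchar(128) NOT NULL, `value` longtext NOT NULL, PRIMARY KEY (`name`));
INSERT INTO `variable` VALUES ('site_offline','s:1:"0";');
-- Dump completed on 2010-08-24 14:45:00
"""
# A dump whose process died part-way through: the variable table and the trailer never arrived.
TRUNCATED_DUMP = SAMPLE_DUMP[: SAMPLE_DUMP.index(b"DROP TABLE IF EXISTS `variable`")]


def write_sample_dump(data=SAMPLE_DUMP):
    """Write a gzipped sample to a temp file and return its path (demonstration only)."""
    fd, path = tempfile.mkstemp(suffix=".sql.gz")
    os.close(fd)
    with gzip.open(path, "wb") as gz:
        gz.write(data)
    return path


if __name__ == "__main__":
    print(" ".join(mysqldump_command("drupal6", "backup")))
    print(check_dump_file(write_sample_dump()))
    print(check_dump_file(write_sample_dump(TRUNCATED_DUMP)))
```

Two caveats: `--single-transaction` gives a consistent snapshot only for InnoDB tables, so a site whose tables are still MyISAM (the Drupal 6 default) wants `--lock-all-tables` instead; and these checks prove the file is complete, not that it restores, so a periodic restore into a scratch database is still the real test.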
  20. Open source is secure
     • Source code is open for people to look at
     • Popularity means more eyes on the code
     • Collaboration increases code quality
  21. Drupal is secure
     • Drupal APIs are designed to be secure
     • http://drupal.org/writing-secure-code
  22. Drupal security team
     • Team of volunteers
     • Supports core and all(!) of contrib
     • Not actively reviewing all contrib projects
  23. Security Advisories
     • Only for stable project releases
     • SAs on Wednesdays
     • New core release types: bug fix release / security fix release
  24. Stay up-to-date
     • Know about security updates
       • Security Advisories
       • Update status module
       • Mailing list, RSS, Twitter
     • Apply them!
  25. Security updates
     • Most security updates are small
       • But not always
     • Apply updates to a development instance first
     • Test, then apply to production
  26. FTP
     • Do not use it!
       • Common vector for attack: credentials and files travel in plain text
       • Really, we've moved past plain-text protocols
  27. SFTP
     • "Secure" FTP: in fact file transfer over SSH (the SSH File Transfer Protocol), so credentials and files are encrypted in transit
     • Your host should provide it
       • If not, consider a new one
  28. SSL
     • Run Drupal on full SSL
     • Use the securepages and securepages_prevent_hijack modules
       • http://crackingdrupal.com/blog/greggles/drupal-and-ssl-multiple-recipes-possible-solutions-https
     • Use a valid certificate
  29. Security Review
     • http://drupal.org/project/security_review
     • File system permissions
     • Granted "super-admin" permissions
     • Input formats
     • Allowed upload extensions
     • PHP & JavaScript in content
  30.
     • Security Advisories
       • http://drupal.org/security
     • Handbooks
       • http://drupal.org/security/secure-configuration
       • http://drupal.org/writing-secure-code
     • Cracking Drupal book
       • http://crackingdrupal.com
     • http://www.owasp.org/
  31. http://cph2010.drupal.org/node/12628