Drupal security - Configuration and process
Upcoming SlideShare
Loading in...5
×

Like this? Share it with your network

Share

Drupal security - Configuration and process

  • 1,618 views
Uploaded on

"Drupal security - Configuration and process" session slides from Drupalcon Copenhagen. ...

"Drupal security - Configuration and process" session slides from Drupalcon Copenhagen.

Co-prepared and co-presented with Ben Jeavons from Growing Venture Solutions (http://growingventuresolutions.com/)

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
1,618
On Slideshare
1,618
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
34
Comments
0
Likes
1

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Drupal Security Gábor Hojtsy & Ben Jeavons 24. aug 14:45 VPS.net Tuesday, August 31, 2010
  • 2. Who we are • Gábor Hojtsy • Ben Jeavons • Drupal 6 co-maintainer • Drupal Security Report • Acquia • Growing Venture Solutions • Security Team Member • Security Team Member Tuesday, August 31, 2010
  • 3. Web security • Protecting resources from abuse • Protecting data • Protecting available actions • Attackers exploit a weakness to do harm Tuesday, August 31, 2010
  • 4. Demo • Malicious Javascript is entered • Admin unknowingly executes • Javascript alters admin-only settings • Changes admin password • Puts site offline Tuesday, August 31, 2010
  • 5. 66% likeliness a website has Cross Site Scripting http://whitehatsec.com/home/assets/presentations/09PPT/PPT_statsfall09_8th.pdf Tuesday, August 31, 2010
  • 6. Vulnerabilities by popularity 12% 7% 4% 3% 48% 10% 16% XSS Access Bypass CSRF Authentication/Session Arbitrary Code Execution SQL Injection Others http://drupalsecurityreport.org Tuesday, August 31, 2010
  • 7. Lots of risks • Prioritize your actions • Secure configuration • Careful processes • Keep code up-to-date • Audit custom code Tuesday, August 31, 2010
  • 8. Smart configuration • Control user input • Input formats • Trust • Roles and permissions Tuesday, August 31, 2010
  • 9. Input formats • Input formats control what happens when user-supplied data is displayed Tuesday, August 31, 2010
  • 10. Input formats • Filtered HTML for untrusted roles • Full HTML for completely trusted roles Tuesday, August 31, 2010
  • 11. Filtered HTML • HTML filter • Limits the allowed tags Tuesday, August 31, 2010
  • 12. Unsafe HTML tags • Script tags or any that allow JS events • <script> • Any that allow URL reference • <img> Tuesday, August 31, 2010
  • 13. No image tags?! • Image tags allow for CSRF attacks • It’s a matter of trust • Use CCK & imagefield • Use control access to Full HTML Tuesday, August 31, 2010
  • 14. Trust • Know your roles • Which users have which roles • How roles are granted Tuesday, August 31, 2010
  • 15. “Super-admin” permissions • Administer permissions • Administer users • Administer filters • Administer content types • Administer site configuration Tuesday, August 31, 2010
  • 16. Trust • Utilize principle of Least Privilege • Grant only the necessary permissions to carry out the required work Tuesday, August 31, 2010
  • 17. Tuesday, August 31, 2010
  • 18. Recovering from attack • Restore from backup • Upgrade to latest security releases • Change your passwords • Audit your configuration & custom code Tuesday, August 31, 2010
  • 19. Backups • You do have backups, don’t you? • phpMyAdmin > Export • mysqldump on the command line • Be sure to check they worked! Tuesday, August 31, 2010
  • 20. Open source is secure • Source code is open for people to look at • Popularity means eyes on code • Collaboration increases code quality Tuesday, August 31, 2010
  • 21. Drupal is secure • Drupal APIs are designed to be secure • http://drupal.org/writing-secure-code Tuesday, August 31, 2010
  • 22. Drupal security team • Team of volunteers • Support core and all(!) of contrib • Not actively reviewing all contrib projects Tuesday, August 31, 2010
  • 23. Security Advisories • Only stable project releases • SAs on Wednesdays • New core release types • Bug fix release / Security fix release Tuesday, August 31, 2010
  • 24. Stay up-to-date • Know about security updates • Security Advisories • Update status module • Mailing list, RSS, Twitter • Apply them! Tuesday, August 31, 2010
  • 25. Security updates • Most security updates are small • But not always • Apply updates to development instance • Test, then apply to production Tuesday, August 31, 2010
  • 26. FTP • Do not use it! • Common vector for attack • Really, we’ve moved past plain-text Tuesday, August 31, 2010
  • 27. SFTP • “Secure” FTP • Your host should provide it • If not, consider a new one Tuesday, August 31, 2010
  • 28. SSL • Run Drupal on full SSL • Use securepages and securepages_prevent_hijack modules • http://crackingdrupal.com/blog/greggles/ drupal-and-ssl-multiple-recipes-possible- solutions-https • Use a valid certificate Tuesday, August 31, 2010
  • 29. Security Review • http://drupal.org/project/security_review • File system permissions • Granted “super-admin” permissions • Input formats • Allowed upload extensions • PHP & Javascript in content Tuesday, August 31, 2010
  • 30. • Security Advisories • http://drupal.org/security • Handbooks • http://drupal.org/security/secure-configuration • http://drupal.org/writing-secure-code • Cracking Drupal Book • http://crackingdrupal.com • http://www.owasp.org/ Tuesday, August 31, 2010
  • 31. http://cph2010.drupal.org/node/12628 Tuesday, August 31, 2010