Drupal sec
  • Here's the presentation from Dries. You will note there is no security in it; it may be implicit in many of his points, but security is one of the biggest marketing points for our clients.
  • Drupal community: it is better to learn from other communities. Many trends start in Java, Ruby, Python or elsewhere, and Drupal is moving to Symfony. With this in mind we'll take a look at how Drupal compares to some other CMSs, open source and proprietary, along a number of dimensions. This is not meant to be an exhaustive comparison, or even a scientific one; just a point of discussion. Joomla and WordPress are commonly mentioned with Drupal as comprising the "big three" CMSs. They are very different in terms of audience, but are often presented as competitors. Liferay is a Java-based CMS that we've run across; it is created by a commercial company, but there is a community offering. Finally SharePoint, which is a Microsoft product: Microsoft is moving into open source, jQuery is a core part of SharePoint, and they have an interesting app security model.
  • First, think about the repository and where the code lies: is it easy to review and test?
  • http://www.checkmarx.com/wp-content/uploads/2013/06/The-Security-State-of-WordPress-Top-50-Plugins.pdf
  • Drupal has a flexible but complex security model: installing new permissions, Workbench, many access bypass issues; it can be difficult to manage. SharePoint has site collections, and you need to elevate permissions to have a solution do something. WordPress has site administrators; Joomla has a separate admin site.
  • Passwords are broken; we are moving to a two-factor auth system, which is challenging for a web application: OAuth, OpenID.
  • A key requirement is vulnerability assessment: the Security Review module, secure coding.
  • Drupal can be configured to be quite secure: password policy, password complexity and expiration, login se
  • With FISMA and the SANS Top 20 there is an emphasis on continuous monitoring, to find out when something is wrong. There is another source that has the log information: auditing, so that... Drupal has a strong auditing feature in watchdog; there are some who don't run this in production because of the performance hit. It can be sent to syslog or MongoDB. One of the newest is Logstash, an open source "community Splunk" that handles a wide variety of formats; there is Drupal Logstash.

Presentation Transcript

  • IT Security Cred ✦ https://youtube.googleapis.com/v/am3TmXm3doA?start=1&end=103.7&version=3&autoplay=1
  • Michael Nescot CMS Security Marketing: Drupal vs the field
  • Marketing Drupal
  • CMS Security: The Widening Funnel
  • Comparison ✦ Drupal ✦ Joomla ✦ WordPress ✦ Liferay ✦ Sharepoint
  • Comparison Points ✦ Core Code Repository ✦ API Security ✦ Security Management Model ✦ Hosting Platform & Infrastructure ✦ Security Controls and Tools: FISMA
  • Repository ✦ Drupal: Open source, Git, drupal.org ✦ Joomla: Open source, Git, GitHub ✦ WordPress: Open source, Git mirror of Subversion ✦ SharePoint: Closed source, ?, TFS ✦ Liferay: Open source, Git, GitHub
  • FreeBSD compromise
  • API ✦ Drupal: PHP, evolving from the hook system (Symfony and Drupal 8); t(), check_plain(), tokens for forms ✦ Joomla: Add-on: design-pattern based, OO, MVC: JRequest, JObject ✦ WordPress: Hook system, request and DB filtering ✦ SharePoint: Server and client object model, moving to App model: REST; memory issues ✦ Liferay: Java, internal and external API access, Spring framework, JSP, similar filtering hooks, local and remote invocation (JVM)
  • API Security ✦ Drupal: check_plain(), url(), db_query() ✦ Joomla: JFilter ✦ WordPress:
  • Vulnerabilities ✦ Drupal: cross-site scripting, SQL injection, access bypass ✦ Joomla: cross-site scripting, SQL injection ✦ WordPress: SQL injection, cross-site scripting, CSRF ✦ SharePoint: memory leak ✦ Liferay: cross-site scripting
  • WordPress Plugin Vulns ✦ http://www.checkmarx.com/wp-content/uploads/
  • Security Management ✦ Drupal: Security Team: notices, selective closure, work with developers to identify and fix, secure coding guide, module review ✦ Joomla: Joomla Security Team: vulnerable extension list, secure coding guide ✦ WordPress: laissez-faire, link to WP security from main sites ✦ SharePoint: Service packs ✦ Liferay: Security team, focused on core
  • WordPress Extensions
  • Hosting Platform ✦ Drupal: Apache/Nginx, caching, MySQL/MariaDB, alternatives, self-host, cloud, FedRAMP ✦ Joomla: LAMP ✦ WordPress: Commercial hosting ✦ SharePoint: Office 365 (FISMA cert), Azure, AWS, Rackspace ✦ Liferay: Self-host
  • Security Tools & Extensions ✦ Permissions ✦ Federated Identity & Authentication (two-factor auth) ✦ Vulnerability Assessment ✦ Hardening ✦ Continuous Monitoring
  • Permissions ✦ Drupal: Granular security, easy to create permissions; access from menu system, LDAP groups ✦ Joomla: RBAC ✦ WordPress ✦ SharePoint: SharePoint groups and roles mapped to AD groups, site collection admins, elevate ✦ Liferay: local
  • Authentication / Federated Identity ✦ Drupal: SAML, SMS, OAuth, PIV, WiKID ✦ Joomla: YubiKey ✦ WordPress ✦ SharePoint: claims-based identity, membership provider (AD) ✦ Liferay
  • Vulnerability Assessment ✦ Drupal: Security Review, secure coding, DPScan ✦ Joomla: ✦ WordPress ✦ SharePoint ✦ Liferay:
  • Hardening ✦ Drupal: Linux extensions, Hardened Drupal, Guardr ✦ Joomla ✦ WordPress: Ultimate Security module ✦ SharePoint: separation, Kerberos ✦ Liferay
  • Continuous Monitoring ✦ Drupal: Nagios, monitoring, MongoDB watchdog, OSSIM plugin, watchdog syslog, dblog, Logstash ✦ Joomla: commercial monitoring ✦ WordPress: commercial monitoring ✦ SharePoint: System Center ✦ Liferay: commercial
  • Drupal security incident ✦ Drupal.org compromised ✦ sophisticated automated testing and deployment ✦ third party ✦ every system has multiple vulnerabilities
  • Security Rockstar
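The "API", "API Security" and "Vulnerabilities" slides name the three bug classes (SQL injection, cross-site scripting, CSRF) and the Drupal core functions that close them, without showing code. The following is an added example, not part of the deck and not Drupal project code: a Drupal 7 module fragment with a deliberately vulnerable page callback next to the hardened version that uses db_query() placeholders, check_plain() via t()'s @-placeholders, and drupal_get_token()/drupal_valid_token() on a state-changing link. The module name "cmsdemo", the paths and the permission choices are assumptions made for the example.

```php
<?php
// Added example (not from the slides or from Drupal itself). Drupal 7 APIs
// are assumed; module name "cmsdemo" and the menu paths are invented.

/**
 * Implements hook_menu().
 * Only the hardened callbacks are routed; the vulnerable one is kept below
 * purely for comparison and is never reachable.
 */
function cmsdemo_menu() {
  $items['cmsdemo/search'] = array(
    'title' => 'Search',
    'page callback' => 'cmsdemo_search_hardened',
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  $items['cmsdemo/unpublish/%node'] = array(
    'title' => 'Unpublish',
    'page callback' => 'cmsdemo_unpublish',
    'page arguments' => array(2),
    // Permission check alone is not enough for a GET that changes state;
    // the callback also verifies a per-session token (CSRF).
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * VULNERABLE: shows the two bugs the "Vulnerabilities" slide lists for PHP CMSs.
 */
function cmsdemo_search_vulnerable() {
  $term = $_GET['term'];
  // SQL injection: the user's string is spliced into the SQL text, so
  // term=%' OR 1=1 -- rewrites the query.
  $rows = db_query("SELECT nid, title FROM {node} WHERE title LIKE '%" . $term . "%'");
  // Cross-site scripting: term and titles are echoed unescaped.
  $out = '<p>Results for ' . $term . '</p><ul>';
  foreach ($rows as $row) {
    $out .= '<li>' . $row->title . '</li>';
  }
  return $out . '</ul>';
}

/**
 * HARDENED: same feature using the core API the "API Security" slide names.
 */
function cmsdemo_search_hardened() {
  $term = isset($_GET['term']) ? $_GET['term'] : '';
  // :term is bound as data by the database layer, never parsed as SQL.
  // db_like() escapes % and _ so the user cannot widen the wildcard.
  $rows = db_query(
    "SELECT nid, title FROM {node} WHERE status = 1 AND title LIKE :term",
    array(':term' => '%' . db_like($term) . '%')
  );
  // The @-placeholder in t() runs check_plain() on the value before output.
  $out = '<p>' . t('Results for @term', array('@term' => $term)) . '</p>';
  $items = array();
  foreach ($rows as $row) {
    // l() escapes the link text unless 'html' => TRUE is passed.
    $items[] = l($row->title, 'node/' . $row->nid);
  }
  return $out . theme('item_list', array('items' => $items));
}

/**
 * Builds an unpublish link carrying a token bound to the session and node id.
 */
function cmsdemo_unpublish_link($node) {
  return l(t('Unpublish'), 'cmsdemo/unpublish/' . $node->nid, array(
    'query' => array('token' => drupal_get_token('cmsdemo_unpublish_' . $node->nid)),
  ));
}

/**
 * Page callback: refuses a request whose token does not match this session.
 * Without the check, an <img src="/cmsdemo/unpublish/7"> planted anywhere
 * would act with the visiting administrator's privileges (CSRF).
 */
function cmsdemo_unpublish($node) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'cmsdemo_unpublish_' . $node->nid)) {
    return MENU_ACCESS_DENIED;
  }
  $node->status = NODE_NOT_PUBLISHED;
  node_save($node);
  drupal_set_message(t('%title unpublished.', array('%title' => $node->title)));
  drupal_goto('node/' . $node->nid);
}
```

Forms built through the Form API get the token check for free (form_token and form_build_id are added and validated by drupal_build_form()); the manual token above is only needed for hand-built links and other non-form GET actions.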
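The "Permissions" slide says Drupal permissions are easy to create and are enforced from the menu system, and the "Continuous Monitoring" slide and the speaker note on watchdog say the log can be shipped to syslog, MongoDB or Logstash rather than kept in dblog. The following is an added example, not from the deck and not a Drupal or Logstash project module: a Drupal 7 module that declares one permission, checks it in an explicit menu access callback that records every refusal with watchdog(), and implements hook_watchdog() to append each entry as one JSON line that a Logstash file input (or any log shipper) can tail. The module name "cmsaudit", the permission string and the log path are assumptions for the example.

```php
<?php
// Added example (not from the slides or from Drupal). Drupal 7 APIs assumed;
// module name "cmsaudit", permission name and log file path are invented.

/**
 * Implements hook_permission().
 * 'restrict access' => TRUE marks the permission as dangerous in the admin UI,
 * so site builders see a warning before granting it to a role.
 */
function cmsaudit_permission() {
  return array(
    'export audit log' => array(
      'title' => t('Export the audit log'),
      'description' => t('Download every logged event, including IP addresses.'),
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Implements hook_menu().
 */
function cmsaudit_menu() {
  $items['admin/reports/cmsaudit/export'] = array(
    'title' => 'Export audit log',
    'page callback' => 'cmsaudit_export_page',
    // Default access callback would be user_access(); the explicit one below
    // makes the same decision but also logs denials.
    'access callback' => 'cmsaudit_access_logged',
    'access arguments' => array('export audit log'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Access callback: user_access() decides, watchdog() records refusals so that
 * repeated probing of an admin path is visible to monitoring.
 */
function cmsaudit_access_logged($permission) {
  global $user;
  if (user_access($permission, $user)) {
    return TRUE;
  }
  watchdog('cmsaudit', 'Access denied: uid @uid lacks %perm for @path',
    array('@uid' => $user->uid, '%perm' => $permission, '@path' => current_path()),
    WATCHDOG_WARNING);
  return FALSE;
}

/**
 * Page callback: a successful export is itself an auditable event.
 */
function cmsaudit_export_page() {
  watchdog('cmsaudit', 'Audit log exported', array(), WATCHDOG_NOTICE);
  return t('Export would be generated here.');
}

/**
 * Implements hook_watchdog().
 * Fires for every watchdog() call on the site, including core's own
 * "Login attempt failed" and "access denied" entries, so dblog can stay
 * disabled in production without losing the audit trail.
 */
function cmsaudit_watchdog(array $log_entry) {
  $severity_names = array(
    WATCHDOG_EMERGENCY => 'emergency', WATCHDOG_ALERT => 'alert',
    WATCHDOG_CRITICAL => 'critical', WATCHDOG_ERROR => 'error',
    WATCHDOG_WARNING => 'warning', WATCHDOG_NOTICE => 'notice',
    WATCHDOG_INFO => 'info', WATCHDOG_DEBUG => 'debug',
  );
  $record = array(
    '@timestamp' => gmdate('c', $log_entry['timestamp']),
    'host' => php_uname('n'),
    'type' => $log_entry['type'],
    'severity' => $severity_names[$log_entry['severity']],
    // Render placeholders and strip markup, as core's syslog module does,
    // so the shipped message is plain text.
    'message' => strip_tags(format_string($log_entry['message'], (array) $log_entry['variables'])),
    'uid' => $log_entry['uid'],
    'ip' => $log_entry['ip'],
    'request_uri' => $log_entry['request_uri'],
    'referer' => $log_entry['referer'],
  );
  // Assumed path. One JSON object per line is what a Logstash file input
  // with the json codec expects.
  $path = variable_get('cmsaudit_log_path', '/var/log/drupal/watchdog.json');
  @file_put_contents($path, json_encode($record) . "\n", FILE_APPEND | LOCK_EX);
}
```

The access callback keeps user_access() as the single source of truth; the logging is additive, so a mistake in the audit code cannot grant access. The same JSON lines can be pointed at the core syslog module's destination instead if the site already forwards syslog to the collector.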