Mnescot cms security
    Presentation Transcript

    • Start
    • Establishing IT Security Credibility & Expertise
    • But seriously…
    • CMS Security and Federal IT Requirements: Drupal vs. The Field
      Mike Nescot, JBS International
    • http://drupal.jbsinternational.com
    • Marketing Drupal
    • CMS Security: Expanding Complexity
    • CMS Security: Expanding Complexity
    • Comparison
      • Drupal (http://drupal.org)
      • Joomla (http://joomla.org)
      • WordPress (http://wordpress.org)
      • Liferay (http://liferay.org)
      • SharePoint (http://sharepoint.org)
    • Comparison Points
      • Code Repository
      • API Security
      • Security Management Model
      • Security Controls and Tools: FISMA
    • Repository
      • Drupal: Open Source, Git, drupal.org
      • Joomla: Open Source, Git, GitHub
      • WordPress: Open Source, Git mirror of SVN on wordpress.org
      • SharePoint: Closed source, ?, TFS
      • Liferay: Open source community edition, Git, GitHub
    • FreeBSD Compromise vs. Linux Kernel.org Compromise
    • API
      • Drupal: PHP, procedural hook system > modularity: PSR-2/Symfony
      • Joomla: PHP, design-pattern-based, OO, MVC
      • WordPress: PHP, hook system (actions & filters)
      • SharePoint: .NET, server and client object model > app model & REST
      • Liferay: Java, JVM, internal and external API, portlet, MVC portlet, JSF
    • API Security
      • Drupal: Input filters (t(), check_plain(), filter_xss(), db_query()); entities; form tokens; auth cookies; password hashing & salting (SHA-512); Twig
      • Joomla: Filters (JRequest, JFactory::getDBO())
      • WordPress: Filters (wp_filter_kses(), $wpdb)
      • Liferay: Security Manager: Portal Access Control List (PACL), AntiSamy hook (OWASP), DB Service Builder, Velocity
      • SharePoint: SharePoint Object Model, .NET HTTP validation, Apps, Master Pages
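    An added example, not from the presentation, showing how the Drupal 7 core functions this slide names (db_query(), check_plain(), filter_xss(), t(), form tokens) are used, with the weak pattern commented beside the hardened one. It assumes a Drupal 7 bootstrap; the example_-prefixed functions, the query and the token value are constructed for illustration.

```php
<?php
// Added example (not the presentation's code). Assumes Drupal 7 core is bootstrapped:
// db_query, check_plain, filter_xss, t, url, drupal_get_token, drupal_valid_token,
// node_delete and MENU_ACCESS_DENIED are core; everything prefixed example_ is constructed.

// Database layer: bind values through DBTNG placeholders, never concatenate.
function example_load_titles($uid) {
  // Weak: concatenating $uid into the SQL string is the SQL-injection pattern.
  // $result = db_query("SELECT title FROM {node} WHERE uid = " . $uid);
  // Hardened: named placeholder; {node} lets Drupal apply the table prefix.
  $result = db_query('SELECT title FROM {node} WHERE uid = :uid', array(':uid' => $uid));
  return $result->fetchCol();
}

// Output layer: escape untrusted text before it reaches HTML.
function example_render_title($title) {
  // check_plain() HTML-escapes the whole string (no markup survives).
  return '<h2>' . check_plain($title) . '</h2>';
}

function example_render_body($body) {
  // filter_xss() keeps only an allow-list of tags and strips dangerous attributes.
  return '<div>' . filter_xss($body, array('p', 'a', 'em', 'strong')) . '</div>';
}

function example_greeting($name) {
  // In t(), an @placeholder is escaped; a !placeholder is inserted raw. Prefer @.
  return t('Hello @name', array('@name' => $name));
}

// Form tokens: Drupal's CSRF defence for links that change state.
function example_delete_link($nid) {
  $token = drupal_get_token('example_delete_' . $nid);
  return url('example/delete/' . $nid, array('query' => array('token' => $token)));
}

function example_delete_page($nid) {
  // Reject the request unless the token was minted for this user and this value.
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], 'example_delete_' . $nid)) {
    return MENU_ACCESS_DENIED;
  }
  node_delete($nid);
  return t('Deleted.');
}
```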
    • Vulnerabilities: NVD (3 years: high/medium)
      • Drupal (192): XSS, script insertion, SQL injection, access bypass, file upload, code execution, CSRF, DoS, privilege escalation
      • Joomla (171): SQL injection, XSS, file inclusion, information disclosure, code execution, file upload, directory traversal
      • WordPress (233): file upload, SQL injection, XSS, CSRF, information disclosure, access bypass, DoS
      • SharePoint (27): access bypass, XSS, object code execution, DoS, buffer overflow
      • Liferay (3): access bypass, XSS, DoS, directory traversal
    • WordPress Plugin Vulnerabilities
      • http://www.eweek.com/security/popular-wordpress-plugins-vulnerable-to-attack-checkmarx-research/
    • Security Management
      • Drupal: Security Team: resolve issues, assist module maintainers, documentation, responsible disclosure, secure coding guide, full project review
      • Joomla: Joomla Security Team: vulnerable extension list, secure coding guide
      • WordPress: laissez-faire, data validation guide
      • SharePoint: service packs, app review
      • Liferay: security team (focused on core), open app marketplace
    • Open Source Community & Competition
      • Drupal and WordPress
      • Ease of Use vs. Power
      • Good Enough, Means to an End
      • Object-Oriented = Harder to Use
      • Risk Management Trade-Offs
    • Security Tools & Controls (FISMA)
      • Roles & Permissions (Access Controls)
      • Federated Identity & Multi-Factor Authentication
      • Vulnerability Assessment
      • Hardening
      • Continuous Monitoring
      • Hosting Platform & Environment
    • Roles & Permissions
      • Drupal: granular, flexible permissions matrix; easy to create new roles and permissions; complex (distributions & mods: OA, WB)
      • Joomla: frontend & backend groups, administration area
      • WordPress: roles and capabilities, admin area
      • SharePoint: SharePoint groups and roles, mapped to AD groups, site collection admins, elevated privileges
      • Liferay: granular system built on JSR-286
    • Federated Identity & Multi-Factor Authentication
      • Drupal: OpenID, OAuth, LDAP, Google Authenticator, TFA/SMS, YubiKey, Duo, WiKID, SAML: NIH Login, CAS: OMB MAX, PIV
      • Joomla: OpenID, OAuth, SAML, YubiKey, smartcards
      • WordPress: OpenID, OAuth, LDAP, SAML, SMS, Duo
      • SharePoint: AD, LDAP, AD LDS, ADFS, claims-based identity, membership provider (AD)
      • Liferay: SSO (LDAP, OpenAM), OpenID
    • Vulnerability Assessment
      • Drupal: security review, coder/secure code review, dpscan
      • Joomla: Joomla OWASP scanner
      • WordPress: WP Security Scan
      • SharePoint: SharePoint Security Scanner
      • Liferay: standard tools
    • Hardening
      • Drupal: Hardened Drupal, Guardr
      • Joomla: jHackGuard
      • WordPress: integrated security plugins (Better WP Security, BulletProof Security), Secure WordPress
      • SharePoint: secure installation: Kerberos
      • Liferay: manual config guide
      • All: environment-specific controls
    • Continuous Monitoring
      • Drupal: Nagios; SIEM (OSSIM); Watchdog: dblog, MongoDB, syslog; logstash
      • Joomla: JLog > syslog, commercial monitoring
      • WordPress: integrated packages, commercial monitoring
      • SharePoint: Microsoft System Center, commercial packages
      • Liferay: Audit EE: DB or log4j > syslog
    • Hosting Platform & Environment
      • Drupal: LAMP: Apache/Nginx/IIS, MySQL/MariaDB/PostgreSQL/MSSQL/Oracle, PHP 5.3
      • Joomla: LAMP: Apache/Nginx/IIS, MySQL/PostgreSQL/MSSQL, PHP 5.3
      • WordPress: LAMP: PHP 5.2, MySQL
      • SharePoint: Windows, IIS, SQL Server, Office 365 (FISMA cert), Azure, AWS, Rackspace
      • Liferay: JVM, Tomcat/GlassFish/JBoss/WebLogic, JDBC (MySQL/Postgres)
      • Everything: > cloud (AWS, OpenStack, FedRAMP), private cloud, SLA
    • D.Org Security Incident
      • Drupal.org compromised
      • Sophisticated DevOps management
      • Third-party software breached: undisclosed
    • You Never Walk Alone With Drupal
    • Security Ninja
    • Thank You!!!
      Comments, Questions, Criticism?
      mnescot@jbsinternational.com
      http://drupal.jbsinternational.com