Mnescot cms security
Mnescot cms security Presentation Transcript

  • 1. Start
  • 2. Establishing IT Security Credibility & Expertise
  • 3. But seriously…
  • 4. CMS Security and Federal IT Requirements: Drupal vs. The Field Mike Nescot, JBS International
  • 5. http://drupal.jbsinternational.com
  • 6. Marketing Drupal
  • 7. CMS Security: Expanding Complexity
  • 8. CMS Security: Expanding Complexity
  • 9. Comparison
    • Drupal (http://drupal.org)
    • Joomla (http://joomla.org)
    • WordPress (http://wordpress.org)
    • Liferay (http://liferay.org)
    • SharePoint (http://sharepoint.org)
  • 10. Comparison Points
    • Code Repository
    • API Security
    • Security Management Model
    • Security Controls and Tools: FISMA
  • 11. Repository
    • Drupal: Open source, Git, drupal.org
    • Joomla: Open source, Git, GitHub
    • WordPress: Open source, Git mirror of SVN on wordpress.org
    • SharePoint: Closed source, ?, TFS
    • Liferay: Open source community edition, Git, GitHub
  • 12. FreeBSD Compromise vs. Linux Kernel.org Compromise
  • 13. API
    • Drupal: PHP, procedural hook system > modularity: PSR-2/Symfony
    • Joomla: PHP, design-patterns-based, OO, MVC
    • WordPress: PHP, hook system (actions & filters)
    • SharePoint: .NET, server and client object model > app model & REST
    • Liferay: Java, JVM, internal and external API, portlet, MVC portlet, JSF
  • 14. API Security
    • Drupal: Input filters (t(), check_plain, filter_xss, db_query); entities; form tokens; auth cookies; password hashing & salting (SHA512); Twig
    • Joomla: Filters (JRequest, JFactory::getDBO())
    • WordPress: Filters (wp_filter_kses(), $wpdb)
    • Liferay: Security Manager: Portal Access Control List (PACL), AntiSamy Hook (OWASP), DB Service Builder, Velocity
    • SharePoint: SharePoint Object Model, .NET HTTP validation, Apps, Master Pages
  • 15. Vulnerabilities: NVD (3 years: high/medium)
    • Drupal (192): XSS, script insertion, SQL injection, access bypass, file upload, code execution, CSRF, DoS, privilege escalation
    • Joomla (171): SQL injection, XSS, file inclusion, information disclosure, code execution, file upload, directory traversal
    • WordPress (233): file upload, SQL injection, XSS, CSRF, information disclosure, access bypass, DoS
    • SharePoint (27): access bypass, XSS, object code execution, DoS, buffer overflow
    • Liferay (3): access bypass, XSS, DoS, directory traversal
  • 16. WordPress Plugin Vulnerabilities
    • http://www.eweek.com/security/popular-wordpress-plugins-vulnerable-to-attack-checkmarx-research/
  • 17. Security Management
    • Drupal: Security Team: resolve issues, assist module maintainers, documentation, responsible disclosure, secure coding guide, full project review
    • Joomla: Joomla Security Team: vulnerable extension list, secure coding guide
    • WordPress: laissez-faire, data validation guide
    • SharePoint: Service packs, app review
    • Liferay: Security team (focused on core), open app marketplace
  • 18. Open Source Community & Competition
    • Drupal and WordPress
    • Ease of Use vs. Power
    • Good Enough, Means to an End
    • Object-Oriented = Harder to Use
    • Risk Management Trade-Offs
  • 19. Security Tools & Controls (FISMA)
    • Roles & Permissions (Access Controls)
    • Federated Identity & Multi-Factor Authentication
    • Vulnerability Assessment
    • Hardening
    • Continuous Monitoring
    • Hosting Platform & Environment
  • 20. Roles & Permissions
    • Drupal: Granular, flexible permissions matrix; easy to create new roles and permissions; complex (distributions & mods: OA, WB)
    • Joomla: Frontend & backend groups, administration area
    • WordPress: Roles and capabilities, admin area
    • SharePoint: SharePoint groups and roles, mapped to AD groups, site collection admins, elevated privileges
    • Liferay: Granular system built on JSR-286
  • 21. Federated Identity & Multi-Factor Authentication
    • Drupal: OpenID, OAuth, LDAP, Google Authenticator, TFA/SMS, YubiKey, Duo, WiKID, SAML: NIH Login, CAS: OMB MAX, PIV
    • Joomla: OpenID, OAuth, SAML, YubiKey, smartcards
    • WordPress: OpenID, OAuth, LDAP, SAML, SMS, Duo
    • SharePoint: AD, LDAP, AD LDS, ADFS, claims-based identity, membership provider (AD)
    • Liferay: SSO (LDAP, OpenAM), OpenID
  • 22. Vulnerability Assessment
    • Drupal: Security Review, Coder/secure code review, DPScan
    • Joomla: Joomla OWASP scanner
    • WordPress: WP Security Scan
    • SharePoint: SharePoint Security Scanner
    • Liferay: Standard tools
  • 23. Hardening
    • Drupal: Hardened Drupal, Guardr
    • Joomla: jHackGuard
    • WordPress: Integrated security plugins (Better WP Security, BulletProof Security), Secure WordPress
    • SharePoint: Secure installation: Kerberos
    • Liferay: Manual config guide
    • All: Environment-specific controls
  • 24. Continuous Monitoring
    • Drupal: Nagios; SIEM (OSSIM); Watchdog: dblog, MongoDB, syslog; logstash
    • Joomla: JLog > syslog, commercial monitoring
    • WordPress: Integrated packages, commercial monitoring
    • SharePoint: Microsoft System Center, commercial packages
    • Liferay: Audit EE: DB or log4j > syslog
  • 25. Hosting Platform & Environment
    • Drupal: LAMP: Apache/Nginx/IIS, MySQL/Maria/PostgreSQL/MSSQL/Oracle, PHP 5.3
    • Joomla: LAMP: Apache/Nginx/IIS, MySQL/PostgreSQL/MSSQL, PHP 5.3
    • WordPress: LAMP: PHP 5.2, MySQL
    • SharePoint: Windows, IIS, SQL Server, Office 365 (FISMA cert), Azure, AWS, Rackspace
    • Liferay: JVM, Tomcat/Glassfish/JBoss/WebLogic, JDBC (MySQL/Postgres)
    • Everything: > cloud (AWS, OpenStack, FedRAMP), private cloud, SLA
  • 26. D.Org Security Incident
    • Drupal.org compromised
    • Sophisticated DevOps management
    • Third-party software breached: undisclosed
  • 27. You Never Walk Alone With Drupal
  • 28. Security Ninja
  • 29. Thank You!!! Comments, Questions, Criticism? mnescot@jbsinternational.com http://drupal.jbsinternational.com