Mnescot cms security
Presentation Transcript

  • Start
  • Establishing IT Security Credibility & Expertise
  • But seriously…
  • CMS Security and Federal IT Requirements: Drupal vs. The Field. Mike Nescot, JBS International
  • Marketing Drupal
  • CMS Security: Expanding Complexity
  • Comparison
    • Drupal (
    • Joomla (
    • WordPress (
    • Liferay (
    • SharePoint (
  • Comparison Points
    • Code Repository
    • API Security
    • Security Management Model
    • Security Controls and Tools: FISMA
  • Repository
    • Drupal: Open Source, Git,
    • Joomla: Open Source, Git, GitHub
    • WordPress: Open Source, git mirror of SVN on
    • SharePoint: Closed source, ?, TFS
    • Liferay: Open source community edition, Git, GitHub
  • FreeBSD Compromise vs. Linux Compromise
  • API
    • Drupal: PHP, procedural hook system > modularity: PSR-2/Symfony
    • Joomla: PHP, design-pattern-based, OO, MVC
    • WordPress: PHP, hook system (actions & filters)
    • SharePoint: .NET, server and client object model > app model & REST
    • Liferay: Java, JVM, internal and external API, portlet, MVC portlet, JSF
  • API Security
    • Drupal: input filters (t(), check_plain(), filter_xss(), db_query()); entities; form tokens; auth cookies; password hashing & salting (SHA-512); Twig
    • Joomla: filters (JRequest, JFactory::getDBO())
    • WordPress: filters (wp_filter_kses(), $wpdb)
    • Liferay: Security Manager: Portal Access Control List (PACL), AntiSamy hook (OWASP), DB Service Builder, Velocity
    • SharePoint: SharePoint object model, .NET HTTP validation, Apps, master pages
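The Drupal entry on this slide names the API calls but not how they fit together. The Drupal 7 module below is an added illustration, not code from the slides or from the Drupal project: it shows db_query() placeholders against SQL injection, check_plain(), filter_xss() and t() @-placeholders for escaping on output, and the Form API token plus drupal_valid_token() against CSRF. It assumes a Drupal 7 bootstrap; the module name mn_example, its menu paths, the "note" field and the token value prefix are invented for the example.

```php
<?php
/**
 * Added example module "mn_example" (hypothetical; not part of the slides).
 * Assumes Drupal 7, where the functions named on the slide are core API.
 */

/**
 * Implements hook_menu(): two paths, a read-only page and a state-changing action.
 */
function mn_example_menu() {
  $items['mn-example/%'] = array(
    'title' => 'Example page',
    'page callback' => 'mn_example_page',
    'page arguments' => array(1),
    'access arguments' => array('access content'),
  );
  $items['mn-example/%/toggle'] = array(
    'title' => 'Toggle',
    'page callback' => 'mn_example_toggle',
    'page arguments' => array(1),
    'access arguments' => array('administer nodes'),
  );
  return $items;
}

/**
 * Page callback: looks a node title up by nid and renders it with an
 * optional, user-supplied HTML fragment from the query string.
 */
function mn_example_page($nid) {
  // Pattern the API exists to avoid: interpolating URL input into SQL and
  // then echoing database text straight into the page.
  //   $title = db_query("SELECT title FROM {node} WHERE nid = $nid")->fetchField();
  //   return "<h2>$title</h2>";

  // Named placeholder: the driver binds the value, the SQL text never changes.
  $title = db_query('SELECT title FROM {node} WHERE nid = :nid',
                    array(':nid' => $nid))->fetchField();
  if ($title === FALSE) {
    // @-placeholders in t() are passed through check_plain() before insertion.
    return t('No node with id @nid.', array('@nid' => $nid));
  }

  $output = '<h2>' . check_plain($title) . '</h2>';  // escape for an HTML context

  // filter_xss() keeps only whitelisted tags and strips scripts, event
  // handler attributes and javascript: URLs from what remains.
  $fragment = isset($_GET['body']) ? $_GET['body'] : '';
  $output .= '<div class="body">' . filter_xss($fragment, array('p', 'em', 'strong', 'a')) . '</div>';

  // Form API forms carry a per-session form_token (for authenticated users)
  // that drupal_validate_form() checks before any submit handler runs.
  $output .= drupal_render(drupal_get_form('mn_example_form'));
  return $output;
}

/**
 * A minimal Form API form; the CSRF token is added by core, not by this code.
 */
function mn_example_form($form, &$form_state) {
  $form['note'] = array('#type' => 'textfield', '#title' => t('Note'), '#maxlength' => 255);
  $form['submit'] = array('#type' => 'submit', '#value' => t('Save'));
  return $form;
}

function mn_example_form_submit($form, &$form_state) {
  // Store raw, escape on output: the @-placeholder escapes here.
  drupal_set_message(t('Saved: @note', array('@note' => $form_state['values']['note'])));
}

/**
 * A state-changing GET link outside the Form API must carry its own token,
 * generated with drupal_get_token('mn_example_toggle_' . $nid) when the link is built.
 */
function mn_example_toggle($nid) {
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], 'mn_example_toggle_' . $nid)) {
    return MENU_ACCESS_DENIED;
  }
  db_update('node')
    ->expression('status', '1 - status')      // flip published flag; no user input in SQL text
    ->condition('nid', $nid)
    ->execute();
  drupal_set_message(t('Node @nid toggled.', array('@nid' => $nid)));
  drupal_goto('mn-example/' . $nid);
}
```

The pattern is the one the slide's list implies: keep user input out of SQL text via placeholders, escape according to the output context (check_plain() for plain text, filter_xss() for limited HTML), and let the Form API supply the anti-CSRF token so only hand-built GET actions need an explicit drupal_valid_token() check.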
  • Vulnerabilities: NVD (3 years: high/medium)
    • Drupal (192): XSS, script insertion, SQL injection, access bypass, file upload, code execution, CSRF, DoS, privilege escalation
    • Joomla (171): SQL injection, XSS, file inclusion, information disclosure, code execution, file upload, directory traversal
    • WordPress (233): file upload, SQL injection, XSS, CSRF, information disclosure, access bypass, DoS
    • SharePoint (27): access bypass, XSS, object code execution, DoS, buffer overflow
    • Liferay (3): access bypass, XSS, DoS, directory traversal
  • WordPress Plugin Vulnerabilities
    • wordpress-plugins-vulnerable-to-attack-checkmarx-research/
  • Security Management
    • Drupal: Security Team: resolve issues, assist module maintainers, documentation, responsible disclosure, secure coding guide, full project review
    • Joomla: Joomla Security Team: vulnerable extension list, secure coding guide
    • WordPress: laissez-faire, data validation guide
    • SharePoint: service packs, app review
    • Liferay: security team (focused on core), open app marketplace
  • Open Source Community & Competition
    • Drupal and WordPress
    • Ease of Use vs. Power
    • Good Enough, Means to an End
    • Object-Oriented = Harder to Use
    • Risk Management Trade-Offs
  • Security Tools & Controls (FISMA)
    • Roles & Permissions (Access Controls)
    • Federated Identity & Multi-Factor Authentication
    • Vulnerability Assessment
    • Hardening
    • Continuous Monitoring
    • Hosting Platform & Environment
  • Roles & Permissions
    • Drupal: granular, flexible security permissions matrix; easy to create new roles and permissions; complex (distributions & mods: OA, WB)
    • Joomla: frontend & backend groups, administration area
    • WordPress: roles and capabilities, admin area
    • SharePoint: SharePoint groups and roles, mapped to AD groups, site collection admins, elevated privileges
    • Liferay: granular system built on JSR-286
  • Federated Identity & Multi-Factor Authentication
    • Drupal: OpenID, OAuth, LDAP, Google Authenticator, TFA/SMS, YubiKey, Duo, WiKID, SAML: NIH Login, CAS: OMB MAX, PIV
    • Joomla: OpenID, OAuth, SAML, YubiKey, smart cards
    • WordPress: OpenID, OAuth, LDAP, SAML, SMS, Duo
    • SharePoint: AD, LDAP, AD LDS, ADFS, claims-based identity, membership provider (AD)
    • Liferay: SSO (LDAP, OpenAM), OpenID
  • Vulnerability Assessment
    • Drupal: Security Review, Coder / Secure Code Review, dpscan
    • Joomla: Joomla OWASP scanner
    • WordPress: WP Security Scan
    • SharePoint: SharePoint Security Scanner
    • Liferay: standard tools
  • Hardening
    • Drupal: Hardened Drupal, Guardr
    • Joomla: jHackGuard
    • WordPress: integrated security plugins (Better WP Security, BulletProof Security), Secure WordPress
    • SharePoint: secure installation: Kerberos
    • Liferay: manual config guide
    • All: environment-specific controls
  • Continuous Monitoring
    • Drupal: Nagios; SIEM (OSSIM); Watchdog: dblog, MongoDB syslog; logstash
    • Joomla: JLog > syslog, commercial monitoring
    • WordPress: integrated packages, commercial monitoring
    • SharePoint: Microsoft System Center, commercial packages
    • Liferay: Audit EE: DB or log4j > syslog
  • Hosting Platform & Environment
    • Drupal: LAMP: Apache/Nginx/IIS, MySQL/MariaDB/PostgreSQL/MSSQL/Oracle, PHP 5.3
    • Joomla: LAMP: Apache/Nginx/IIS, MySQL/PostgreSQL/MSSQL, PHP 5.3
    • WordPress: LAMP: PHP 5.2, MySQL
    • SharePoint: Windows, IIS, SQL Server, Office 365 (FISMA cert), Azure, AWS, Rackspace
    • Liferay: JVM, Tomcat/GlassFish/JBoss/WebLogic, JDBC (MySQL/Postgres)
    • Everything: > cloud (AWS, OpenStack, FedRAMP), private cloud, SLA
  • D.Org Security Incident
    • compromised
    • Sophisticated DevOps Mgt
    • Third-party software breached: undisclosed
  • You Never Walk Alone With Drupal
  • Security Ninja
  • Thank You!!! Comments, Questions, Criticism?