The recent SA-CORE-2014-005 vulnerability demonstrated that attackers have learnt how to abuse Drupal's own functionality to compromise a site and go unnoticed. Site builders and site maintainers have a large role to play in preventing these kinds of disasters, and security does not have to be painful to plan for and implement.
The primary goal of this session is to give people a solid grounding in the most common security issues so they can recognise them quickly. From there, we move on to other common pain points for site builders: frequently made mistakes, modules that enhance security, and how to evaluate the quality of contributed modules.
Drupal and security - Advice for Site Builders and Coders
1. Drupal and Security: Advice for Site Builders and Coders
Arunkumar Kuppuswamy
Software Engineer
Innoppl Technologies
arunkumar1.akk@gmail.com
Phone: +91 80986 41508
2. ● Security Vulnerabilities
● General Tips
● Server Environment
● Site Configurations
● Personal Practices
● Drupal Configuration
● Writing Custom Codes
Agenda
3. ● Drupal is an open-source CMS and/or framework
● 2.2% of websites on the Internet run on
Drupal
● 3rd most popular CMS in the world
● Reliability
● Scalability
● A huge dedicated community
Why Drupal ?
7. - A system flaw or weakness in an application, for example:
● Cross Site Scripting (XSS)
● Broken Authentication
● Gain Information / Privileges
● SQL Injection
● Access bypass
● CSRF
Security vulnerabilities
8. ● Cross Site Scripting: attacker-controlled code runs in the victim's browser
● Code in the browser can act as the logged-in user
● Making requests
● Parsing responses
● JavaScript, Flash, Java, etc.
What is XSS?
9. ● Filter text
● On output to the browser, not on input
● As late as reasonable
● Some APIs filter for you, where reasonable
● t() and \Drupal::translation()->formatPlural()
with @text and %text placeholders: untrusted data goes in the placeholder, never in the format string
Fixing XSS?
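The following is an added example, not code from the slides, showing the output-filtering rules above in Drupal 8. It assumes a bootstrapped Drupal 8 site; `$name` stands in for untrusted input such as a query parameter, and the attacker string is constructed for the demonstration.

```php
<?php
// Added example (not part of the slides): filtering user text on output
// in Drupal 8. Assumes a bootstrapped Drupal 8 site; $name stands in for
// untrusted input such as $request->query->get('name').

use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Xss;

// Constructed attacker input.
$name = '<img src=x onerror="alert(document.cookie)">';

// VULNERABLE: the variable is interpolated into t()'s format string.
// t() returns a TranslatableMarkup object that Drupal treats as already
// safe, so the <img onerror> reaches the browser untouched.
$vulnerable = t("Welcome back, $name");

// FIXED: untrusted data goes through a placeholder. '@' HTML-escapes the
// value; '%' escapes it and wraps it in <em>. Neither lets markup through.
$safe = t('Welcome back, @name', ['@name' => $name]);
$emphasised = t('Welcome back, %name', ['%name' => $name]);

// Plural strings follow the same placeholder rules; @count is filled in for you.
$count = 3;
$safe_plural = \Drupal::translation()->formatPlural(
  $count, '1 comment by @name', '@count comments by @name', ['@name' => $name]
);

// Outside t(), escape at the point of output, as late as reasonable:
$escaped = Html::escape($name);                        // every tag becomes an entity
$rich    = Xss::filter($name, ['a', 'em', 'strong']);  // short allow-list; strips <img> and on* handlers

// In render arrays, #plain_text is the safe choice for user-supplied strings;
// #markup is only run through the permissive "admin" tag filter.
$build = ['#plain_text' => $name];

// In Twig templates, {{ name }} is auto-escaped; {{ name|raw }} and markup
// built by string concatenation in preprocess hooks bypass that protection.
```

The first line is the one to look for in code review: any `t()` or `formatPlural()` call whose format string is double-quoted with a variable inside it, or built by concatenation, is an XSS sink even though every other string on the page is escaped.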
11. - A user reaches a page or action without passing the
required access check
● The user can see or do something
● that permissions or access control should prevent
What is Access Bypass?
21. Unauthorized commands are transmitted on behalf of a user that
the website trusts (the browser sends the session cookie automatically).
● A path that performs an action without confirming intent
● <img src="http://example.com/node/1/quickdelete" >
● Mostly in form submissions and action links
What is CSRF?
22. ● Use the Form API: confirmation forms carry a token
● Send and validate tokens: \Drupal::csrfToken()
● Use a secret cookie
● Multi-step transactions
● HTTPS (protects the token in transit; not a CSRF defence by itself)
Fixing CSRF?
23. ● YAML route definition for a protected link
● Protected Ajax request (the token must be sent explicitly)
Fixing CSRF?
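The following is an added example, not code from the slides, that ties together the access-bypass slide and the two CSRF-fix slides above: a "quick delete" link whose route enforces both an entity access check and a CSRF token, plus the token handling for an Ajax caller. The module name `quickdelete`, the route name, the controller class and the client-side settings key are all hypothetical.

```php
<?php
// Added example (not part of the slides): a "quick delete" action protected
// against both access bypass and CSRF in Drupal 8.5+. Module, route and class
// names are hypothetical.

// --- quickdelete.routing.yml (shown here as a comment) ------------------
// quickdelete.node:
//   path: '/node/{node}/quickdelete'
//   defaults:
//     _controller: '\Drupal\quickdelete\Controller\QuickDeleteController::delete'
//   requirements:
//     _entity_access: 'node.delete'   # access bypass: caller must be allowed to delete THIS node
//     _csrf_token: 'TRUE'             # CSRF: a valid ?token= query parameter is required
//   options:
//     parameters:
//       node:
//         type: entity:node
// ------------------------------------------------------------------------

namespace Drupal\quickdelete\Controller;

use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Url;
use Drupal\node\NodeInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;

class QuickDeleteController extends ControllerBase {

  /**
   * Deletes the node. By the time this runs the router has already checked
   * entity access and the CSRF token, so the controller body stays small.
   */
  public function delete(NodeInterface $node) {
    $title = $node->label();
    $node->delete();
    $this->messenger()->addStatus($this->t('Deleted %title.', ['%title' => $title]));
    return new RedirectResponse(Url::fromRoute('<front>')->toString());
  }

  /**
   * Builds the link. Because the route carries _csrf_token, Drupal's
   * RouteProcessorCsrf appends a per-session ?token=... when the URL is
   * generated, so a bare <img src="/node/1/quickdelete"> embedded on another
   * site is rejected with 403 even though the browser sends the session cookie.
   */
  public static function buildLink(NodeInterface $node) {
    $url = Url::fromRoute('quickdelete.node', ['node' => $node->id()]);
    return [
      '#type' => 'link',
      '#title' => t('Quick delete'),
      '#url' => $url,
      // Only render the link for users who pass the route's access check
      // (Url::access() runs the entity access requirement, not the CSRF one).
      '#access' => $url->access(),
    ];
  }

  /**
   * For a JavaScript-initiated request the same token must be sent
   * explicitly. The token seed is the route path with parameters
   * substituted and without the leading slash, which is exactly what
   * CsrfAccessCheck validates against on the way in.
   */
  public static function ajaxSettings(NodeInterface $node) {
    $path = 'node/' . $node->id() . '/quickdelete';
    return [
      'quickdelete' => [
        'url' => '/' . $path,
        'token' => \Drupal::csrfToken()->get($path),
      ],
    ];
    // Client side, in the module's library JS, using the settings above:
    //   fetch(drupalSettings.quickdelete.url + '?token=' +
    //         encodeURIComponent(drupalSettings.quickdelete.token),
    //         {credentials: 'same-origin'});
  }

}
```

Two checks worth making on any similar route: that the `requirements` block contains an access requirement (`_entity_access`, `_permission` or a custom check) and not only `_csrf_token`, since the token proves intent but not authorisation; and that no other GET path performs the same state change without one.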
25. ● Roles and permissions
● Keep your site settings secure
○ Text formats: restrict Full HTML to trusted roles
○ PHP module: leave it disabled
○ PHP evaluated by other modules
Secure site configuration
26. ● File permissions: the web server user must not be able to
change code
● PHP execution: forbid it in the files directory via .htaccess or the Nginx
config
● Drupal handbook for securing your site
Secure site configuration
34. ● Use HTTPS, SSH and SFTP rather than plain HTTP, Telnet and FTP
● Strong password policy
● Server: keep the LAMP stack patched
● Require SSH keys
● Take and verify your backups
○ Sanitize backups before sharing them
General Tips
35. ● Drupal Security Team
○ Keeps Drupal code secure in core and contrib
○ Educates the community on security best
practices:
1. Developers
2. Site builders
3. Site administrators and users
4. Decision makers
○ Publishes a Security Advisory for every security release
○ @drupalsecurity and the Security Group
Security Process