Have you ever heard: "HTTPS will slow down your site"? How about: "I'm too small of a website, no one will want to hack me."? All too often security misconceptions lead to security apathy. Join us as we debunk these security myths and more! We’ll start at the 10,000-foot level, reviewing common myths about secure development, then zoom in closer for a look at security best practices, concluding with a deep-dive into a few of the most effective attack mitigation strategies. With the battlescars to backup the information, our presenters will leave you with strategies to handle securing your project with confidence.

1. Defense in Depth
Lessons Learned Securing 200,000 Sites

2. Pantheon.io 2
Who Are We?
David Strauss
CTO, Pantheon
Chris Teitzel
CEO, Lockr
Luke Probasco
Drupal GM,
Townsend Security

3. Common Security Myths

4. 4
Top 5
1. There are five myths.
2. “There is a single most important
vector that I need to protect.”
3. “My website host or platform
handles security for me.”
4. “Tuning my CMS
for security is enough.”
5. “I can automate
my approach to security.”
6. “I’m too small to be a target.”
Myths of Website
Security

5. 5
Defense in Depth

6. Pantheon.io 6
OWASP Top 10 Most Critical Web Application
Security Risks
● Injection
● Weak authentication and session management
● XSS
● Insecure Direct Object References
● Security Misconfiguration
● Sensitive Data Exposure
● Missing Function Level Access Control
● Cross Site Request Forgery
● Using Components with Known Vulnerabilities
● Unvalidated Redirects and Forwards

7. 7
CIA Security Triad
● Confidentiality
● Integrity
● Availability

8. HTTPS Matters ● User Security
○ Passwords
○ Personal Information
○ Payment Data
● Browser Behavior
○ Gentle at first, then more alarming
● New and powerful features are HTTPS-only
○ Geolocation
○ Notifications
○ EME
○ Device Motion/Orientation
● It is not optional.
● But, HTTPS can undermine performance if
done without a good configuration and CDN.
8

9. Pantheon.io
PageRank Uses Time to First Byte (TTFB)
9
Source: “How Website Speed Actually Impacts Search Ranking,” Moz, 2013

10. The Path to First Byte RT RTT
10

11. HTTPS is best on a CDN
11
Visitor
NoCDN
OriginTCP Negotiation
TLS Negotiation
(Double RTT if Traditional TLS)
HTTP
...and so on for resources.
Visitor
FullCDN
Origin
...and so on for
resources.
POP
Cache Misses Use Persistent
Connection
It’s all about
the round trips.100-300ms RTT
10ms RTT 50-250ms RTT
TCP Negotiation
TLS Negotiation
HTTP

12. Pantheon.io
After Clicking, Load Times Affect Conversion
12
Source: “How Page Load Time Affects Conversion Rates: 12 Case Studies [Infographic],” HubSpot, 2017

13. The Path to First Paint
TTFB
Size
BW
CPU Time
13

14. Pantheon.ioPantheon.io
What’s Fast and What’s Slow with HTTPS
Solved Problems
● Negotiation CPU Overhead
● Active Connection CPU Overhead
● +2 Round Trips vs. HTTP (Initial)
○ Incurring this ✕6 with HTTP 1.1
● +1 Round Trip vs. HTTP (To Resume)
○ Incurring this ✕6 with HTTP 1.1
○ Will be solved with TLS 1.3 0-RTT
● +1 Round Trip vs. UDP
○ Will be solved with QUIC
Remaining Challenges
● +1 Round Trip vs. HTTP
○ May not be solvable
14

15. DDoS: A Growing Threat
Weigh this against other
availability risks.
● 73% More DDoS in 2016
● 2016 H1 Peak: 579 gbps
● 124k attacks/18 mo.
—Arbor Network Statistics
15

16. DDoS: A Growing Threat
Weigh this against other
availability risks.
16

17. Pantheon.ioPantheon.io
Authentication
Apache
with
SAML
Application
Software
● Authentication before
application
○ Do initial authentication at
the web server
○ ex. EDU using SAML to
authenticate before
accessing the site
○ Google Cloud Identity Aware
Proxy:
https://cloud.google.com/iap
17

18. Pantheon.io
Corporate Datacenter
Marketing
brochureware
site
Your entire
business
18

19. Pantheon.io
If users don’t need to set a password, they can’t pick a bad one.
19
Use Social and Enterprise Login

20. Key Management
Our review has shown that a threat actor obtained
access to a set of AWS keys and used them to
access the AWS API from an intermediate host with
another, smaller service provider in the US...
Through the AWS API, the actor created several
instances in our infrastructure to do
reconnaissance.
– OneLogin
20

21. 21
Key Management
Best Practice: Don’t share your API
keys with developers that don’t need
access to them. (aka the Principle of
Least Privilege)
Best Practice: User per-developer
and per-system keys

22. Pantheon.io
NIST Special Publication 800-122 defines PII
Examples:
22
What is Personally Identifiable Information (PII)?
Full name Credit card numbers
Home address Digital identity
Email address Date of birth
IP address Birthplace
Drivers license Telephone number
Login name, screen name, etc. Face, fingerprints, or handwriting

23. Pantheon.io 23
Data Encryption
● There is no native way to encrypt data
in Drupal or WordPress
● Compliance and risk management drive encryption
● Use encryption based on industry standards
● Use cryptographically strong keys - no passwords!
● See NIST Special Publication 800-57 for more info

24. Keep Up To Date
Most severe core
vulnerabilities have
automated exploits within
hours.
24

25. Choose Plugins Wisely
Look into the issue queues,
author’s history, number of
downloads, and your real
need for the feature.
25

26. Use Version Control
So that you know if your code
has been changed.
26

27. Pantheon.io 27
Securing Your Team
● Create policy bottlenecks/SSO
● Enforce 2FA, strong passwords
○ The cost of team password
management is less than a breach
○ Keybase.io for secure chat
● Secure devices (laptops/phones)
● Build security consciousness
○ It’s easier to turn a rowboat than the
Titanic

28. 28
When Things Go
Sideways
● Can you catch an error
before it becomes a crisis?
⎻ Monitoring and alerts
⎻ Team code reviews
● Backup, Revert, Build Again
⎻ Postmortem
⎻ Document your mistakes
⎻ Don’t blame, learn

29. Q&A