An Enterprise Approach to Drupal Security
Presentation given with Jason Ingalls at DrupalCon San Francisco in 2010.
    1. An Enterprise Approach to Drupal Security
    2. Help! I need to secure my Drupal site!
       • How do I assure trust in Open Source software?
       • Will I need a new set of processes and controls?
       • What resources are available to me?
       © 2009 Acquia, Inc.
    3. Myths of Drupal Security
       • PHP is less secure than ...
       • Open Source is easier to attack
       • Lack of resources such as documentation and versioning information for Open Source
       • There aren't a lot of security resources available
       • Security starts at the Drupal software
    4-8. Myths of Drupal & Open Source Security (the responses are revealed one at a time across slides 4 to 8; the final state is shown here)
       • Myth: PHP is less secure than ... Response: PHP is as or more secure than other available dynamic web engines out there.
       • Myth: Open Source is easier to attack. Response: Open Source means massive collaboration, high visibility, and a large pool of resources for vulnerability discovery and remediation.
       • Myth: Lack of resources such as documentation and versioning information for Open Source. Response: Documentation exists for Open Source in many different forms.
       • Myth: There aren't a lot of security resources available. Response: Publications from government and commercial sources.
       • Myth: Security starts at the Drupal software. Response: Security is a process, not a product.
    9. Components of successful security
       • Clear system boundaries
       • A thorough risk analysis
       • Security controls that map to the risks you identify
       • Validation of all of your controls
       • A plan to remediate open issues and mitigate acceptable risks
    10. Clear System Boundaries
       • Limits the scope of the system that you are validating
       • Apply controls only to the elements under validation
       • Leverage previously secured components and infrastructure
    11. A thorough risk analysis
       • Code analysis for all custom code
       • Theming focus
       • Penetration testing
       • Vulnerability assessment
       • Gap analysis
    12. Developing the right controls
       • Don't over-engineer your controls
       • Leverage your existing policies and procedures
       • Focus on the entire system
       • Define validation plans in parallel with the controls
       • Take advantage of the Drupal community
    13. Security controls
       • Types: preventative, detective, corrective, recovery
       • Domains: administrative, logical, physical
    14. Firewalls
       • One layer of defense; a preventative, logical control
       • Configuration management
       • Outgoing as well as incoming ACLs!
       • Limit management access to a single IP, or the fewest possible; SSH, not Telnet
    15. Intrusion Detection
       • A logical, detective control
       • Rules must be up to date
       • Configuration is key: the sensor must be able to see the traffic
       • Vendor-specific solutions provide a variety of options for action
    16. Validation of controls
       • Confirm that they have been implemented
       • Develop a test for each control deployed
       • Document the pass/fail status of each control
    17. Remediation plan
       • Plan of action: you don't need to address every risk you identify; some will be acceptable for launch
       • Remediation change management
       • Validate the remediation
    18. Tools and Processes
       • Integrate reviews early in your system lifecycle
       • Use a mix of tools to validate your controls: coding standards, code analysis, functional tests, scanners, fuzzers
       • Leverage available information
    19. Coding Standards
       • Start with the Drupal community standards
       • Use Drupal APIs to avoid common risks
       • Establish your own standards to further secure your code
       • Watch adjacent communities for best practices
    20. Code Analysis
       • Ensure strict adherence to API syntax
       • Review all custom code from a security perspective
       • Hook into validation testing
       • Any variance should be documented
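The advice on slides 19 and 20 (use the Drupal APIs, review every line of custom code), as an added example that is not code from the presentation, from Acquia or from Drupal itself: a hypothetical Drupal 6 custom module, acme_notes, whose module name, path, query parameters and function names are all invented here. The first page callback is the kind of code a security review should flag; the second is the same feature written against the API, so the common risks never arise. Drupal 7 replaced the printf-style placeholders with named :placeholders and added db_like(), but the pattern is the same.

```php
<?php
// Added example, not from the presentation: a hypothetical Drupal 6 module
// "acme_notes" (module, path and function names are invented). The first page
// callback is what code analysis should flag; the second is the same feature
// written against the Drupal API.

/**
 * Implements hook_menu(). Only the hardened callback is exposed.
 */
function acme_notes_menu() {
  $items['notes'] = array(
    'title' => 'My notes',
    'page callback' => 'acme_notes_page_hardened',
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * BEFORE: three findings a reviewer would raise.
 *   1. $_GET values interpolated into SQL: SQL injection.
 *   2. Request data and node titles echoed raw into HTML: cross-site scripting.
 *   3. No node access check: lists nodes the visitor is not allowed to see.
 */
function acme_notes_page_vulnerable() {
  $uid  = $_GET['uid'];
  $term = $_GET['term'];
  $result = db_query("SELECT nid, title FROM {node} WHERE uid = $uid AND title LIKE '%$term%'");
  $output = '<h2>Notes matching ' . $term . '</h2>';
  while ($row = db_fetch_object($result)) {
    $output .= '<div><a href="/node/' . $row->nid . '">' . $row->title . '</a></div>';
  }
  return $output;
}

/**
 * AFTER: the same feature, API only.
 *   - %d and '%s' placeholders: db_query() casts and escapes the arguments;
 *     a literal % inside LIKE is written %%.
 *   - db_rewrite_sql(): node access grants are applied to the query.
 *   - t() with an @placeholder and l(): every value is escaped on output.
 *   - Parameters are cast or defaulted; nothing from $_GET is used as-is.
 */
function acme_notes_page_hardened() {
  global $user;
  $uid  = isset($_GET['uid']) ? (int) $_GET['uid'] : $user->uid;
  $term = isset($_GET['term']) ? $_GET['term'] : '';

  // '%s' escapes quotes but not the LIKE wildcards _ and %, so escape those
  // here (MySQL's default ESCAPE character is the backslash).
  $like = addcslashes($term, '\\%_');

  $sql = "SELECT n.nid, n.title FROM {node} n "
       . "WHERE n.status = 1 AND n.uid = %d AND n.title LIKE '%%%s%%'";
  $result = db_query_range(db_rewrite_sql($sql), $uid, $like, 0, 50);

  $output = '<h2>' . t('Notes matching @term', array('@term' => $term)) . '</h2>';
  while ($row = db_fetch_object($result)) {
    // l() runs the link text through check_plain() unless 'html' => TRUE is passed.
    $output .= '<div>' . l($row->title, 'node/' . $row->nid) . '</div>';
  }
  return $output;
}
```

Code analysis for a module like this reduces to two searches: db_query() calls whose SQL string contains a PHP variable, and output paths that bypass check_plain(), t() placeholders or l(). The contrib Coder module ships review rules for exactly these patterns, which is the "hook into validation testing" point of slide 20: run them on every commit, and document any variance that survives review.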
    21. Functional Tests
       • Application process testing
       • Usual suspects: forms, fields, variable handling, app-server trust
    22. Scanners
       • Signature-based detection of vulnerabilities
       • Expect false positives
       • Document all valid results
       • Examples: Websecurify, Skipfish, Grendel-Scan
    23. Fuzzers
       • Bombard your app with possible data submissions
       • Find the strings that break the app
       • Fix your app
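Slides 21 and 23 together, as an added example that is not code from the presentation or from Drupal: a hypothetical Drupal 6 module, acme_feedback (all names invented here), with a Form API form whose validate handler re-checks the input on the server, and a SimpleTest case that drives constructed attack strings through the form the way a fuzzer would. Accepted input must come back escaped; input that breaks a rule must be rejected even though the browser-side limits are bypassed by posting directly. The test needs the Drupal 6 SimpleTest contrib module (part of core in Drupal 7); the form would live in acme_feedback.module and the test class in acme_feedback.test.

```php
<?php
// Added example, not from the presentation: a hypothetical Drupal 6 module
// "acme_feedback" (all names invented) with a validated Form API form and a
// SimpleTest case that posts constructed attack strings through it.

function acme_feedback_menu() {
  $items['feedback'] = array(
    'title' => 'Feedback',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('acme_feedback_form'),
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

function acme_feedback_form(&$form_state) {
  $form['subject'] = array(
    '#type' => 'textfield',
    '#title' => t('Subject'),
    '#maxlength' => 64,
    '#required' => TRUE,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Send'));
  return $form;
}

/**
 * Server-side validation. Form API already enforces #maxlength and #required
 * on POST, not only in the browser; this adds a rule core cannot know about:
 * the subject is destined for a mail header, so a line break would let the
 * sender inject further headers (Bcc:, extra recipients).
 */
function acme_feedback_form_validate($form, &$form_state) {
  if (preg_match('/[\r\n]/', $form_state['values']['subject'])) {
    form_set_error('subject', t('Subject may not contain line breaks.'));
  }
}

function acme_feedback_form_submit($form, &$form_state) {
  // The @placeholder runs the value through check_plain(); this message is
  // the only place the user's text is echoed back.
  drupal_set_message(t('Thanks for your feedback on "@subject".',
    array('@subject' => $form_state['values']['subject'])));
}

class AcmeFeedbackInputTestCase extends DrupalWebTestCase {
  function getInfo() {
    return array(
      'name' => 'Feedback form input handling',
      'description' => 'Posts constructed attack strings and checks escaping and rejection.',
      'group' => 'Acme',
    );
  }

  function setUp() {
    parent::setUp('acme_feedback');
  }

  // Constructed payloads that pass validation must be echoed escaped, never raw.
  function testAcceptedInputIsEscaped() {
    $payloads = array(
      '<script>alert(1)</script>',
      '" onmouseover="alert(1)',
      "' OR 1=1 -- ",
    );
    foreach ($payloads as $payload) {
      $this->drupalPost('feedback', array('subject' => $payload), t('Send'));
      $this->assertNoRaw($payload, t('Payload not echoed raw: @p', array('@p' => $payload)));
      $this->assertRaw(check_plain($payload), t('Payload echoed escaped: @p', array('@p' => $payload)));
    }
  }

  // Constructed payloads that break a rule must be rejected by the server.
  function testBadInputIsRejected() {
    $this->drupalPost('feedback', array('subject' => "Hi\r\nBcc: attacker@example.com"), t('Send'));
    $this->assertText(t('Subject may not contain line breaks.'));

    // 65 characters: the browser would stop at #maxlength, a direct POST does not.
    $this->drupalPost('feedback', array('subject' => str_repeat('A', 65)), t('Send'));
    $this->assertText('cannot be longer than 64 characters');
  }
}
```

The payload list is the fuzzer's corpus in miniature; a real run feeds many more strings (a scanner's wordlist, random bytes, oversized values) through the same two assertions. Keeping the assertions in the project's own test suite is what turns a one-off fuzzing session into the validation testing slide 20 asks for: the next change to the form re-runs it.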
    24. A collaborative approach to security
       • Incorporate security expertise into your development team
       • Collaborate on controls and remediation
       • Include security activities in your project milestones
       • Address security issues with each development iteration
    25. Take advantage of available support
       • Community: security patches and bulletins; clear processes for addressing vulnerabilities
       • Commercial vendors: formal channels to report and resolve issues; guaranteed levels of response; addresses many of the concerns of security professionals
    26. Bringing the process to completion
       • Verify
       • Review: fix those errors!
       • Finalize: get sign-off by the process owners
       • Submit: maintain records
    27. Completing the process
       • Launch
       • Follow your plan to remediate issues and acceptable risks
       • Maintain your controls
       • Ensure compliance
       • Perform reviews
    28. What did you think?
       • Step 1) Locate this session on the DCSF site: http://sf2010.drupal.org/conference/schedule
       • Step 2) Click the "Take Survey" link