
Understanding and Implementing Website Security


Knowing security best practices only gets a team so far. They have to implement them too. This session will cover the security risks that a web development team faces and the underlying reasons why risks can go unaddressed. Ultimately, there are no excuses for leaving your web projects exposed to known vulnerabilities. This session will cover common security concerns for Drupal and the root problems a team needs to solve in order to mitigate these risks.

Points of discussion will include:

Three layers of web security, from the perspective of Drupal: Platform-level (e.g. Linux), Application-level (e.g. Drupal), and Organizational-level (e.g. procedures)
Familiarity with your hosting platform’s security-related practices. 
Overview of common vulnerabilities in web applications (XSS, CSRF, HTTP vs HTTPS, etc.)
Understanding how security concerns are handled for core and contrib.
Clarifying support responsibilities and procedures so that security fixes are applied quickly.

Published in: Technology

Understanding and Implementing Website Security

  1. WEBSITE SECURITY: UNDERSTANDING AND IMPLEMENTING https://flic.kr/p/8rvdmp
  2. DREW GORTON • Director of Agency and Community Outreach, Pantheon • Founder, Gorton Studios (2001) • Co-founder, NodeSquirrel (2012) • Drupal 4.4 (~2004) • Drupal Twin Cities • @dgorton
  3. WEB CONTENT MANAGEMENT IS A DANGEROUS THING
  4. DATA BREACHES ARE COMMONPLACE
  5. SURELY NOT ME?! I’M SO TINY!
  6. WEBSITE SECURITY IS NOT BINARY https://flic.kr/p/h4TA84
  7. LESSON FROM THE REAL WORLD: Safe Ratings • Time (5 minutes, 30 minutes, …) • Tools (hammer, drill, power saw, …) • People (skill, number, …) https://flic.kr/p/3yigw
  8. WEBSITE SECURITY IS A CONTINUUM https://flic.kr/p/h4TA84
  9. Perfect Security is a Myth https://flic.kr/p/4p9Vi
  10. WEBSITE SECURITY WILL ALWAYS HAVE GAPS https://flic.kr/p/5d4nKx
  11. TODAY’S GOALS • Understand Landscape • Have Fewer, Smaller Gaps • Better Preparedness • Examining Website Security in Layers
  12. LAYERS • Platform: Linux, Apache, MySQL, PHP … • Application: Drupal, WordPress … • Organizational: Habits, procedures, planning … https://flic.kr/p/dp3nGo
  13. PLATFORM LAYER • Linux • Apache • MySQL • PHP • Varnish • Redis • … GUESS: LAST WEEK? https://flic.kr/p/mmgwkx
  14. PLATFORM SECURITY: YOU DO NOT WANT THIS MONKEY* https://flic.kr/p/p8z6wN
  15. PLATFORM SECURITY: DRUPAL HOSTING. USE https://www.drupal.org/hosting
  16. PLATFORM SECURITY: BUYER BEWARE. NOT ALL HOSTING IS EQUAL
  17. PLATFORM SECURITY: IN THE REAL WORLD IT GETS EVEN MESSIER
  18. PLATFORM SECURITY: THERE IS A BETTER WAY
  19. CHOOSE HOSTS WISELY: How did you handle Heartbleed? How did you handle DrupalGeddon?
  20. APPLICATION LAYER: DRUPAL https://flic.kr/p/9Vx4ra
  21. DRUPAL IS FLEXIBLE • (Mis)configuration • You can configure Drupal so that Anonymous Users can ____ • Upload images • Change files • Edit the homepage • Turn on modules • Change themes https://flic.kr/p/nze5Em
  22. SECURE CONFIGURATION • Secure User 1 • No simple passwords • Don’t share passwords across sites • Doesn’t have to be ‘admin’ • Permissions & Roles • Administer * is powerful • Administer filters can pwn site • No PHP (!!!) • Update module • Wednesdays are security releases • Turn it on. Get the notifications. Do them https://flic.kr/p/5pGcyx
  23. DRUPAL MODULES • Paranoia • Security Review • Permissions Lock • Secure Login • Hacked! • Password policy / Password strength • Two Factor Authentication
  24. SECURITY TEAM • Drupal 7 & 8 Core + Contrib • Wednesdays are releases • Process & Procedure • Drupal 6 coverage available https://flic.kr/p/qFLhg
  25. SECURE CODING • https://www.drupal.org/writing-secure-code • Doing Drupal Security Right - OWASP 10 and Drupal • Injection • XSS • CSRF https://flic.kr/p/3dvqhG
  26. SECURE CODING: SQL INJECTION http://xkcd.com/327/ db_query() https://www.drupal.org/node/101496
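The slide names db_query() as the fix for SQL injection without showing what the fix looks like. The following is an added example, not code from the deck or from Drupal: it uses plain PDO with an in-memory SQLite table (constructed sample rows) so it runs without a Drupal bootstrap. PDO uses the same `:name` placeholder syntax as Drupal 7's db_query(), so the safe function is the pattern the slide points at; the function names `build_db`, `find_user_unsafe` and `find_user_safe` are this example's own.

```php
<?php
// Added example (not from the slides): string-built SQL beside a
// parameterised query. Requires the pdo_sqlite extension.

function build_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, mail TEXT)');
    // Constructed sample rows.
    $db->exec("INSERT INTO users (name, mail) VALUES ('alice', 'alice@example.test')");
    $db->exec("INSERT INTO users (name, mail) VALUES ('bob', 'bob@example.test')");
    return $db;
}

// VULNERABLE: user input is pasted into the SQL text, so it can change the
// query's structure instead of being treated as a value.
function find_user_unsafe(PDO $db, string $name): array {
    $sql = "SELECT uid, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the value is bound to a placeholder and never becomes SQL text.
// Drupal 7 equivalent of this call:
//   db_query('SELECT uid, name FROM {users} WHERE name = :name',
//            array(':name' => $name));
function find_user_safe(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT uid, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = build_db();
$hostile = "' OR '1'='1";   // constructed attacker-style input

// The unsafe query becomes  ... WHERE name = '' OR '1'='1'  and matches every row.
printf("unsafe: %d rows\n", count(find_user_unsafe($db, $hostile)));
// The safe query looks for a user literally named  ' OR '1'='1  and finds none.
printf("safe:   %d rows\n", count(find_user_safe($db, $hostile)));
// Normal input still works through the safe path.
printf("safe (alice): %d rows\n", count(find_user_safe($db, 'alice')));
```

Run it with `php example.php`; the row counts differ between the two functions only because of how the input reaches the database, which is the whole point of the slide's db_query() advice.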

  27. CROSS SITE SCRIPTING (XSS) • JavaScript to run browser actions in this website • Up to 64% of websites vulnerable • Use Filters! check_url(), check_plain(), filter_xss(), filter_xss_admin(), check_markup() • t() function • https://www.drupal.org/node/28984 https://flic.kr/p/5ALBHy
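The slide lists check_plain() and the t() function as the XSS filters to reach for. Below is an added example, not the deck's code and not Drupal's own source, written in plain PHP so it runs outside Drupal: `check_plain_like()` does what Drupal 7's check_plain() does (htmlspecialchars with ENT_QUOTES and UTF-8), and `format_like()` mirrors the placeholder rules Drupal 7's t() applies through format_string() (`@var` escaped, `%var` escaped and wrapped as a placeholder, `!var` passed through). The function names and the sample input are this example's own.

```php
<?php
// Added example (not from the slides): output escaping for untrusted text,
// in the style of Drupal 7's check_plain() and t() placeholders.

function check_plain_like(string $text): string {
    // Same call Drupal 7's check_plain() makes on valid UTF-8 input.
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function format_like(string $string, array $args): string {
    foreach ($args as $key => $value) {
        switch ($key[0]) {
            case '@':   // escaped plain text
                $args[$key] = check_plain_like($value);
                break;
            case '%':   // escaped and emphasised, as Drupal's drupal_placeholder() does
                $args[$key] = '<em class="placeholder">' . check_plain_like($value) . '</em>';
                break;
            case '!':   // inserted unchanged: only for markup you already trust
                break;
        }
    }
    return strtr($string, $args);
}

// VULNERABLE: raw interpolation puts whatever the user typed into the page.
function greet_unsafe(string $name): string {
    return 'Hello ' . $name;
}

// SAFE: the value is escaped, so the browser renders it as text, not markup.
function greet_safe(string $name): string {
    return format_like('Hello @name', ['@name' => $name]);
}

// Constructed attacker-style input: a display name carrying a script tag.
$name = '<script>alert(document.cookie)</script>';

echo greet_unsafe($name), "\n";   // the tag survives into the HTML
echo greet_safe($name), "\n";     // the angle brackets are entity-encoded
echo format_like('Hello %name', ['%name' => "O'Brien"]), "\n";   // quote escaped, wrapped in <em>
```

The rule the example encodes is the one behind the slide's "Use Filters!": escape at output time, choose `@` or `%` for anything that came from a user, and reserve `!` (or filter_xss() with an explicit tag whitelist) for content you have already sanitised.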
  28. CROSS-SITE REQUEST FORGERY (CSRF OR XSRF) • Actions on another site • <a href="http://bank.com/transfer.do?acct=MARIA&amount=10000">View my Pictures!</a> • Forms API, drupal_get_token(), drupal_valid_token() • https://www.drupal.org/node/178896 https://flic.kr/p/bSkp8r
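The slide's bank link works because the browser sends the victim's session cookie with any request, so the server cannot tell a forged link from a real form submission unless the request carries something the attacker cannot know. Below is an added example, not the deck's code and not Drupal's implementation, in plain PHP: `csrf_token()` builds a token the way Drupal 7's drupal_get_token() does (an HMAC over the action name keyed with the session id and the site's private key) and `csrf_token_valid()` recomputes it for comparison as drupal_valid_token() does. The Forms API does this automatically for every form; `handle_transfer()`, the session id and the private key value are constructed stand-ins for a hand-written endpoint.

```php
<?php
// Added example (not from the slides): a per-session CSRF token and the
// server-side check that rejects the slide's forged transfer request.

function csrf_token(string $value, string $session_id, string $private_key): string {
    // Bind the token to this session and this action, as drupal_get_token() does.
    return hash_hmac('sha256', $value, $session_id . $private_key);
}

function csrf_token_valid(string $token, string $value, string $session_id, string $private_key): bool {
    // Recompute and compare; hash_equals() is this example's choice of a
    // constant-time comparison.
    return hash_equals(csrf_token($value, $session_id, $private_key), $token);
}

// A transfer endpoint that refuses to act unless the request carries the
// token that was rendered into the legitimate form. $request stands in for $_POST.
function handle_transfer(array $request, string $session_id, string $private_key): string {
    if (!isset($request['token']) ||
        !csrf_token_valid($request['token'], 'transfer', $session_id, $private_key)) {
        return 'rejected: missing or invalid token';
    }
    return sprintf('ok: transfer %s to %s', $request['amount'], $request['acct']);
}

$session_id  = 'sess-constructed-1234';          // the victim's session (constructed)
$private_key = 'site-private-key-placeholder';   // Drupal stores its real key in the variable table

// Legitimate submission: the form carried a token minted for this session.
$good = ['acct' => 'MARIA', 'amount' => '10000',
         'token' => csrf_token('transfer', $session_id, $private_key)];
echo handle_transfer($good, $session_id, $private_key), "\n";

// The slide's forged link: the cookie rides along, but there is no token.
$forged = ['acct' => 'MARIA', 'amount' => '10000'];
echo handle_transfer($forged, $session_id, $private_key), "\n";

// A token minted under some other session does not validate for this one.
$other = $good;
$other['token'] = csrf_token('transfer', 'sess-other', $private_key);
echo handle_transfer($other, $session_id, $private_key), "\n";
```

The check only helps if the token is also kept out of GET URLs and the endpoint refuses state-changing GET requests, which is why the slide points at the Forms API rather than ad-hoc links.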
  29. ORGANIZATION LAYER: PROCESSES https://flic.kr/p/5kaEda
  30. SECURE NETWORKING • HTTPS / SSL • LetsEncrypt.org • CloudFlare • Others • SFTP (No FTP!) • Wireless Caution https://flic.kr/p/6v1J1m
  31. SECURE CODE MANAGEMENT • Use Version Control Software (VCS) like Git • Sanitize Data on transfer - drushcommands.com/drush-8x/sql/sql-sanitize • Secure your Keys - https://lockr.io https://flic.kr/p/9BkXKV
  32. SECURE SUPPORT • Catalog your sites • Wednesdays - be ready • Who is responsible? • Who helps them? • How do they escalate? • Emergency Procedures • Run the drill! https://flic.kr/p/rEwbwL
  33. IN SUMMARY • Use a secure (reliable, performant) Drupal host. • Configure Drupal carefully • Use Security-enhancing Drupal modules • Follow Drupal coding best practices • Use secure communications (HTTPS, SFTP, …) • Have secure code management habits • Have clear support practices and procedures
  34. WEBSITE SECURITY: QUESTIONS? https://flic.kr/p/pqiJNt
  35. https://joind.in/17275
