Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Drupal security - Configuration and process

1,859 views

Published on

"Drupal security - Configuration and process" session slides from Drupalcon Copenhagen.

Co-prepared and co-presented with Ben Jeavons from Growing Venture Solutions (http://growingventuresolutions.com/)

Published in: Technology
  • Be the first to comment

Drupal security - Configuration and process

  1. 1. Drupal Security Gábor Hojtsy & Ben Jeavons 24. aug 14:45 VPS.net Tuesday, August 31, 2010
  2. 2. Who we are • Gábor Hojtsy • Ben Jeavons • Drupal 6 co-maintainer • Drupal Security Report • Acquia • Growing Venture Solutions • Security Team Member • Security Team Member Tuesday, August 31, 2010
  3. 3. Web security • Protecting resources from abuse • Protecting data • Protecting available actions • Attackers exploit a weakness to do harm Tuesday, August 31, 2010
  4. 4. Demo • Malicious Javascript is entered • Admin unknowingly executes • Javascript alters admin-only settings • Changes admin password • Puts site offline Tuesday, August 31, 2010
  5. 5. 66% likeliness a website has Cross Site Scripting http://whitehatsec.com/home/assets/presentations/09PPT/PPT_statsfall09_8th.pdf Tuesday, August 31, 2010
  6. 6. Vulnerabilities by popularity 12% 7% 4% 3% 48% 10% 16% XSS Access Bypass CSRF Authentication/Session Arbitrary Code Execution SQL Injection Others http://drupalsecurityreport.org Tuesday, August 31, 2010
  7. 7. Lots of risks • Prioritize your actions • Secure configuration • Careful processes • Keep code up-to-date • Audit custom code Tuesday, August 31, 2010
  8. 8. Smart configuration • Control user input • Input formats • Trust • Roles and permissions Tuesday, August 31, 2010
  9. 9. Input formats • Input formats control what happens when user-supplied data is displayed Tuesday, August 31, 2010
  10. 10. Input formats • Filtered HTML for untrusted roles • Full HTML for completely trusted roles Tuesday, August 31, 2010
  11. 11. Filtered HTML • HTML filter • Limits the allowed tags Tuesday, August 31, 2010
  12. 12. Unsafe HTML tags • Script tags or any that allow JS events • <script> • Any that allow URL reference • <img> Tuesday, August 31, 2010
  13. 13. No image tags?! • Image tags allow for CSRF attacks • It’s a matter of trust • Use CCK & imagefield • Use control access to Full HTML Tuesday, August 31, 2010
  14. 14. Trust • Know your roles • Which users have which roles • How roles are granted Tuesday, August 31, 2010
  15. 15. “Super-admin” permissions • Administer permissions • Administer users • Administer filters • Administer content types • Administer site configuration Tuesday, August 31, 2010
  16. 16. Trust • Utilize principle of Least Privilege • Grant only the necessary permissions to carry out the required work Tuesday, August 31, 2010
  17. 17. Tuesday, August 31, 2010
  18. 18. Recovering from attack • Restore from backup • Upgrade to latest security releases • Change your passwords • Audit your configuration & custom code Tuesday, August 31, 2010
  19. 19. Backups • You do have backups, don’t you? • phpMyAdmin > Export • mysqldump on the command line • Be sure to check they worked! Tuesday, August 31, 2010
  20. 20. Open source is secure • Source code is open for people to look at • Popularity means eyes on code • Collaboration increases code quality Tuesday, August 31, 2010
  21. 21. Drupal is secure • Drupal APIs are designed to be secure • http://drupal.org/writing-secure-code Tuesday, August 31, 2010
  22. 22. Drupal security team • Team of volunteers • Support core and all(!) of contrib • Not actively reviewing all contrib projects Tuesday, August 31, 2010
  23. 23. Security Advisories • Only stable project releases • SAs on Wednesdays • New core release types • Bug fix release / Security fix release Tuesday, August 31, 2010
  24. 24. Stay up-to-date • Know about security updates • Security Advisories • Update status module • Mailing list, RSS, Twitter • Apply them! Tuesday, August 31, 2010
  25. 25. Security updates • Most security updates are small • But not always • Apply updates to development instance • Test, then apply to production Tuesday, August 31, 2010
  26. 26. FTP • Do not use it! • Common vector for attack • Really, we’ve moved past plain-text Tuesday, August 31, 2010
  27. 27. SFTP • “Secure” FTP • Your host should provide it • If not, consider a new one Tuesday, August 31, 2010
  28. 28. SSL • Run Drupal on full SSL • Use securepages and securepages_prevent_hijack modules • http://crackingdrupal.com/blog/greggles/ drupal-and-ssl-multiple-recipes-possible- solutions-https • Use a valid certificate Tuesday, August 31, 2010
  29. 29. Security Review • http://drupal.org/project/security_review • File system permissions • Granted “super-admin” permissions • Input formats • Allowed upload extensions • PHP & Javascript in content Tuesday, August 31, 2010
  30. 30. • Security Advisories • http://drupal.org/security • Handbooks • http://drupal.org/security/secure-configuration • http://drupal.org/writing-secure-code • Cracking Drupal Book • http://crackingdrupal.com • http://www.owasp.org/ Tuesday, August 31, 2010
  31. 31. http://cph2010.drupal.org/node/12628 Tuesday, August 31, 2010

×