Drupal security - Configuration and process

1,826 views

Published on

"Drupal security - Configuration and process" session slides from Drupalcon Copenhagen.

Co-prepared and co-presented with Ben Jeavons from Growing Venture Solutions (http://growingventuresolutions.com/)

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,826
On SlideShare
0
From Embeds
0
Number of Embeds
5
Actions
Shares
0
Downloads
37
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Drupal security - Configuration and process

  1. 1. Drupal Security Gábor Hojtsy & Ben Jeavons 24. aug 14:45 VPS.net Tuesday, August 31, 2010
  2. 2. Who we are • Gábor Hojtsy • Ben Jeavons • Drupal 6 co-maintainer • Drupal Security Report • Acquia • Growing Venture Solutions • Security Team Member • Security Team Member Tuesday, August 31, 2010
  3. 3. Web security • Protecting resources from abuse • Protecting data • Protecting available actions • Attackers exploit a weakness to do harm Tuesday, August 31, 2010
  4. 4. Demo • Malicious Javascript is entered • Admin unknowingly executes • Javascript alters admin-only settings • Changes admin password • Puts site offline Tuesday, August 31, 2010
  5. 5. 66% likeliness a website has Cross Site Scripting http://whitehatsec.com/home/assets/presentations/09PPT/PPT_statsfall09_8th.pdf Tuesday, August 31, 2010
  6. 6. Vulnerabilities by popularity 12% 7% 4% 3% 48% 10% 16% XSS Access Bypass CSRF Authentication/Session Arbitrary Code Execution SQL Injection Others http://drupalsecurityreport.org Tuesday, August 31, 2010
  7. 7. Lots of risks • Prioritize your actions • Secure configuration • Careful processes • Keep code up-to-date • Audit custom code Tuesday, August 31, 2010
  8. 8. Smart configuration • Control user input • Input formats • Trust • Roles and permissions Tuesday, August 31, 2010
  9. 9. Input formats • Input formats control what happens when user-supplied data is displayed Tuesday, August 31, 2010
  10. 10. Input formats • Filtered HTML for untrusted roles • Full HTML for completely trusted roles Tuesday, August 31, 2010
  11. 11. Filtered HTML • HTML filter • Limits the allowed tags Tuesday, August 31, 2010
  12. 12. Unsafe HTML tags • Script tags or any that allow JS events • <script> • Any that allow URL reference • <img> Tuesday, August 31, 2010
  13. 13. No image tags?! • Image tags allow for CSRF attacks • It’s a matter of trust • Use CCK & imagefield • Use control access to Full HTML Tuesday, August 31, 2010
  14. 14. Trust • Know your roles • Which users have which roles • How roles are granted Tuesday, August 31, 2010
  15. 15. “Super-admin” permissions • Administer permissions • Administer users • Administer filters • Administer content types • Administer site configuration Tuesday, August 31, 2010
  16. 16. Trust • Utilize principle of Least Privilege • Grant only the necessary permissions to carry out the required work Tuesday, August 31, 2010
  17. 17. Tuesday, August 31, 2010
  18. 18. Recovering from attack • Restore from backup • Upgrade to latest security releases • Change your passwords • Audit your configuration & custom code Tuesday, August 31, 2010
  19. 19. Backups • You do have backups, don’t you? • phpMyAdmin > Export • mysqldump on the command line • Be sure to check they worked! Tuesday, August 31, 2010
  20. 20. Open source is secure • Source code is open for people to look at • Popularity means eyes on code • Collaboration increases code quality Tuesday, August 31, 2010
  21. 21. Drupal is secure • Drupal APIs are designed to be secure • http://drupal.org/writing-secure-code Tuesday, August 31, 2010
  22. 22. Drupal security team • Team of volunteers • Support core and all(!) of contrib • Not actively reviewing all contrib projects Tuesday, August 31, 2010
  23. 23. Security Advisories • Only stable project releases • SAs on Wednesdays • New core release types • Bug fix release / Security fix release Tuesday, August 31, 2010
  24. 24. Stay up-to-date • Know about security updates • Security Advisories • Update status module • Mailing list, RSS, Twitter • Apply them! Tuesday, August 31, 2010
  25. 25. Security updates • Most security updates are small • But not always • Apply updates to development instance • Test, then apply to production Tuesday, August 31, 2010
  26. 26. FTP • Do not use it! • Common vector for attack • Really, we’ve moved past plain-text Tuesday, August 31, 2010
  27. 27. SFTP • “Secure” FTP • Your host should provide it • If not, consider a new one Tuesday, August 31, 2010
  28. 28. SSL • Run Drupal on full SSL • Use securepages and securepages_prevent_hijack modules • http://crackingdrupal.com/blog/greggles/ drupal-and-ssl-multiple-recipes-possible- solutions-https • Use a valid certificate Tuesday, August 31, 2010
  29. 29. Security Review • http://drupal.org/project/security_review • File system permissions • Granted “super-admin” permissions • Input formats • Allowed upload extensions • PHP & Javascript in content Tuesday, August 31, 2010
  30. 30. • Security Advisories • http://drupal.org/security • Handbooks • http://drupal.org/security/secure-configuration • http://drupal.org/writing-secure-code • Cracking Drupal Book • http://crackingdrupal.com • http://www.owasp.org/ Tuesday, August 31, 2010
  31. 31. http://cph2010.drupal.org/node/12628 Tuesday, August 31, 2010

×