Verifying Drupal modules with OWASP ASVS 2014 (European Drupal Days 2015)
#DrupalDaysEU
© Ibuildings 2014/2015 - All rights reserved
Gold Sponsors
Media Sponsors
Silver Sponsors
Intro
During this workshop we'll be going more in-depth into how to audit a Drupal site. We'll be using OWASP ASVS 2014 and a Drupal 7 site which you will have to prove to be vulnerable.
Intro
During this interactive workshop we'll be discussing and demonstrating basic and advanced examples of the following vulnerabilities:
- Injection of various kinds (JavaScript, HTML, SQL, XML, etc.)
- Missing Authentication or Authorization
- Cross Site Request Forgery (CSRF)
- Denial of Service
- Abuse of functionality
- Information Leakage
- and more.
A laptop with VirtualBox installed is advised.
Schedule
• 09:30 - 10:00 Setup & Theory
• 10:00 - 11:00 Auditing
• 11:00 - 11:30 Fixing
• 11:30 - 12:30 Break
• 12:30 - 13:00 Fixing
• 13:00 - 13:30 Presenting
Setup
InsecureD7
• VirtualBox
• Vagrant
• https://github.com/ibuildingsnl/insecured7
Getting the VM up and running
• /Volumes/IBUILDINGS/edd15-verify-workshop/vm/insecured7.ova
• Shared folder
• /etc/fstab
• Host-only network
• Symlink: ln -sf src docroot/profiles/insecured7
Theory
[Slide illustration: a matrix of ASVS chapters and their requirements (chapter 1: 1.1, 1.2, 1.3; chapter 2: 2.1, 2.2, 2.3) against level 1, level 2 and level 3, with an X marking the levels at which each requirement applies.]
Level up!
• Level 0 - Bullshit compliance level (0)
• Level 1 - Opportunistic (47)
• Level 2 - Standard (136)
• Level 3 - Advanced (164)
ASVS Chapters
• V1. Authentication
• V2. Session Management
• V3. Access Control
• V4. Input Validation
• V5. Cryptography (at Rest)
• V6. Error Handling and Logging
• V7. Data Protection
• V8. Communication Security
• V9. HTTP Security
• V10. Malicious Controls
• V11. Business Logic
• V12. Files and Resources
• V13. Mobile
An example
V1.4. Verify that credentials and all other identity information handled by the application does not traverse unencrypted or weakly encrypted links. (level 1, 2 & 3)
Security Kit
• Content-Security-Policy
• X-Frame-Options
• X-Content-Type-Options
• HTTP Strict Transport Security (HSTS)
http://ibuildings.nl/blog/2013/03/4-http-security-headers-you-should-always-be-using
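An added example, not code from the workshop deck or the Security Kit module: a small checker that scores one captured response against the V1.4 requirement quoted above (forms carrying a password must submit over HTTPS) and the four Security Kit headers listed on this slide. The hostname, the sample headers and HTML, and the 180-day HSTS minimum are constructed assumptions.

```python
"""ASVS-style spot checks for one captured Drupal 7 response (added example)."""
import re
from urllib.parse import urlparse

# Assumed policy threshold: an HSTS max-age below 180 days is reported as a finding.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600

# Constructed sample: response headers and login-form HTML, roughly as a Drupal 7
# site with only part of Security Kit enabled might send them. Hostname is made up.
SAMPLE_URL = "https://insecured7.local/user"
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=300",
}
SAMPLE_HTML = (
    '<form action="http://insecured7.local/user/login" method="post" id="user-login">'
    '<input type="password" name="pass"></form>'
)


def check_headers(headers):
    """Return (asvs_chapter, message) findings for the four Security Kit headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    if "content-security-policy" not in h:
        findings.append(("V9", "Content-Security-Policy header missing"))
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("V9", "X-Frame-Options missing or not DENY/SAMEORIGIN"))
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("V9", "X-Content-Type-Options: nosniff missing"))
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m:
        findings.append(("V8", "Strict-Transport-Security header missing"))
    elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append(("V8", f"HSTS max-age={m.group(1)} is below {MIN_HSTS_MAX_AGE}"))
    return findings


def check_login_forms(html, page_url):
    """V1.4: any form carrying a password field must submit over HTTPS."""
    findings = []
    for form in re.finditer(r"<form\b[^>]*>.*?</form>", html, re.S | re.I):
        block = form.group(0)
        if not re.search(r'type\s*=\s*["\']password["\']', block, re.I):
            continue
        action = re.search(r'\baction\s*=\s*["\']([^"\']*)["\']', block, re.I)
        target = action.group(1) if action else page_url  # no action: posts to the page itself
        # A relative action (Drupal's usual "/user/login") inherits the page's scheme.
        scheme = urlparse(target).scheme or urlparse(page_url).scheme
        if scheme != "https":
            findings.append(("V1.4", f"password form submits over {scheme or 'unknown'}: {target}"))
    return findings


def audit_response(headers, html, page_url):
    """Combine both checks; an empty list means nothing to report for these controls."""
    return check_headers(headers) + check_login_forms(html, page_url)


if __name__ == "__main__":
    for chapter, message in audit_response(SAMPLE_HEADERS, SAMPLE_HTML, SAMPLE_URL):
        print(f"[{chapter}] {message}")
```

Run against the constructed sample it reports a missing CSP header, an HSTS max-age that is too short, and a login form posting over plain HTTP; a header set with all four controls present and a relative form action on an HTTPS page yields no findings.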
Drupal Security Tool Usage
Adds the 'modules-usages-status' (mus) Drush command. Generates a CSV listing of all modules with their versions and associated usage counts. This can be used as input into the security auditing scope.
Questions?
Auditing
auditing.php
<?php
// Keep cycling through the ASVS requirements until the break (12:30 on the schedule).
global $requirements; // list of requirements to audit, filled elsewhere
$report = "";
do {
    // Take the next requirement from the front and re-queue it at the back, so the
    // whole list rotates instead of the same last element being audited every pass.
    $requirement = array_shift($requirements);
    $audit_results = do_audit_with($requirement); // audit routine defined elsewhere
    $report .= $audit_results;
    $requirements[] = $requirement;
} while (time() < strtotime('2015-03-19 12:30:00 CET'));
Break
Fixing
Presenting
5 lucky participants will give a 5 minute presentation on their results from the audit and fixing.
The End

Verifying Drupal modules with OWASP ASVS 2014 (European Drupal Days 2015)
