Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Security by design: An Introduction to Drupal Security


Published on

Security experts from Mediacurrent, Townsend Security and Lockr uncover how you can protect your site from the growing cybercrime business by starting off on the right foot. This interactive webinar will get you the foundation you need to protect your site and your organization when using Drupal.

Published in: Technology
  • Looking For A Job? Positions available now. FT or PT. $10-$30/hr. No exp required. ➤➤
    Are you sure you want to  Yes  No
    Your message goes here
  • Be the first to like this

Security by design: An Introduction to Drupal Security

  1. 1. An Introduction to Drupal Security Security by Design:
  2. 2. Intros Chris Teitzel @technerdteitzel /in/christeitzel Chris has been working in Drupal for almost 8 years. During that time he has worked on projects spanning the globe in front-end design, e-commerce and security. His passion is for making technology accessible to all skillsets. Founder / CEO Lockr 2
  3. 3. Intros Luke Probasco Presenter Photo @geetarluke /in/lukeprobasco/ Manages Drupal business for Townsend Security. DrupalCon, Camp, and Summit speaker. Security professional. Music enthusiast. Drupal GM/Townsend Security 3
  4. 4. Intros Mark Shropshire (shrop) @shrop /in/markshropshire Mark brings 20 years of experience leading technical teams to his role as Mediacurrent’s Open Source Security Lead. He is a leader in tech community organizing, blogging, podcasting, and public speaking within the Drupal community. Mark is passionate about architecting systems to solve workflow problems and improve efficiencies using open source software. He is also the maintainer of the Guardr Drupal security module suite. Mediacurrent Open Source Security Lead 4
  5. 5. Style Guide Contents Security by design in Drupal Encrypting sensitive data Key management (encryption & API)4 3 2 1 5 Site audit and security best practices Resources to improve security5 Style Guide6 Takeaways
  6. 6. Security by design in Drupal1
  7. 7. 7 Security by Design
  8. 8. 8 Compliance, Security, and You ● Data discovery ● PCI DSS, HIPAA, GDPR, etc. ● Hosting and compliance ● See your security team for internal policies and controls Security by Design
  9. 9. 9 Keep Drupal Secure ● Keep Core and contrib modules up to date ● Use Drupal API ● Use version control ● Use social and enterprise login ● Use secure passwords ● Two factor authentication ● Log and review logs (watchdog and additional contrib) ● Don’t forget about infrastructure security Security by Design
  10. 10. 10 Security in Custom Modules ● Never trust user input ○ Filter plain text with check_plain() or t() ○ Filter HTML with filter_xss() ● Query properly ○ Do not concatenate values into db_query() ○ Instead use parameterized values %s %d %f %b ● Do not output db values directly (don’t trust user input) ● Protect user input - think before you save Security by Design
  11. 11. Site audit and security best practices2
  12. 12. 12 What is an audit? ● Review by someone not on the team ○ (internal or external) ● Review of software systems ● Review of supporting infrastructure ● Review of other related systems Site audit and security best practices
  13. 13. 13 Performing an audit ● Collect data manually and with tools ○ Analyze the data ○ Prioritize findings ● Eliminate false positives ● Complete usable report(s) Site audit and security best practices
  14. 14. 14 OWASP Top 10 Most Critical Web Application Security Risks ● Injection ● Weak authentication and session management ● XSS ● Insecure Direct Object References ● Security Misconfiguration ● Sensitive Data Exposure ● Missing Function Level Access Control ● Cross Site Request Forgery ● Using Components with Known Vulnerabilities ● Unvalidated Redirects and Forwards Site audit and security best practices
  15. 15. 15 Drupal audit tools ● Drupal Core reports ● Site Audit ● Security Review ● Sensitive Data ● Hacked! ● Coder ● Review of site config, users, permissions, and roles ● Manual code review Site audit and security best practices
  16. 16. Encrypting sensitive data3
  17. 17. 17 Encrypting Data in Drupal ● There is no native way to encrypt data in Drupal ● Compliance and risk management drive encryption ● Use encryption based on industry standards ● Use cryptographically strong keys - no passwords! ● See NIST Special Publication 800-57 for more info Encrypting Sensitive Data
  18. 18. 18 What Encryption Should I Use? ● Use AES, RSA, Triple DES, or other standard methods ● Beware of non-standard encryption ● Example: Homomorphic Encryption ○ Has not received wide review and acceptance ○ Cannot be certified by a standards body ○ Cannot achieve FIPS 140-2 validation ○ Compliance regulations prohibit its use Encrypting Sensitive Data
  19. 19. Key management (encryption & API)4
  20. 20. 20 McDonald's has acknowledged that a leaky API exposed personal information for users of its McDelivery mobile app in India. The flaw exposed names, email addresses, phone numbers, home addresses and sometimes the coordinates of those homes, as well as links to social media profiles. Key Management
  21. 21. 21 Our review has shown that a threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US... Through the AWS API, the actor created several instances in our infrastructure to do reconnaissance. Key Management
  22. 22. 22 Payment Gateways Email Marketing SMTP Relays Authentication Shipping Cloud Providers Encryption APIs Key Management
  23. 23. Resources to improve security5
  24. 24. 24 Encryption Modules ● Encrypt ● FieldEncrypt ● Real AES ● Encrypt User ● Encrypted Files ● Webform Encrypt Resources to Improve Security
  25. 25. 25 Key Management Modules ● Key ● Townsend Security Key Connection ● Lockr Resources to Improve Security
  26. 26. 26 Guardr Guardr is a Drupal distribution with a combination of modules and settings to enhance a Drupal application's security and availability to meet enterprise security requirements. Resources to Improve Security
  27. 27. Takeaways6
  28. 28. Questions? Thank you! @Mediacurrent