Drupal sec

Published in: Technology

  • Here's the presentation from Dries. You will note there is no mention of security; it may be implicit in many of the points, but security is one of the biggest marketing points for our clients.
  • In the Drupal community it is better to learn from other communities; many trends start in Java, Ruby, Python or elsewhere, and Drupal 8 is built on Symfony. With that in mind we take a look at how Drupal compares to some other open source and proprietary CMSs along a number of dimensions. This is not meant to be an exhaustive comparison, nor are these scientific measurements; it is a point of discussion. Joomla and WordPress are commonly mentioned alongside Drupal as comprising the "big three" CMSs. They are very different in terms of audience, but are often presented as competitors. Liferay is a Java-based CMS we have run across; it is created by a commercial company, but there is a community offering. Finally SharePoint, which is a Microsoft product: Microsoft is moving into open source, jQuery is a core part of SharePoint, and it has an interesting app security model.
  • First, think about the repository and where the code lives: is it easy to review and test?
  • http://www.checkmarx.com/wp-content/uploads/2013/06/The-Security-State-of-WordPress-Top-50-Plugins.pdf
  • Drupal has a flexible but complex security model: modules install new permissions (Workbench, for example), there have been many access bypass issues, and it can be difficult to manage. SharePoint has site collections, and a solution needs to elevate permissions to do something. WordPress has site administrators; Joomla has a separate admin site.
  • Passwords are broken; we are moving to a two-factor authentication system, which is challenging for a web application. OAuth, OpenID.
  • A key requirement is vulnerability assessment: the Security Review module, secure coding.
  • Drupal can be configured to be quite secure: password policy (password complexity and expiration), login se
  • With FISMA and the SANS Top 20 there is an emphasis on continuous monitoring, to find out when something is wrong. Another source of that information is auditing via the logs. Drupal has a strong auditing feature in watchdog; some sites don't run its database log (dblog) in production because of the performance hit, and send the entries to syslog or MongoDB instead. One of the newest tools is Logstash, an open source counterpart to Splunk that handles a wide variety of formats; there is a Drupal Logstash module.

    1. IT Security Cred ✦ https://youtube.googleapis.com/v/am3TmXm3doA?start=1&end=103.7&version=3&autoplay=1
    2. Michael Nescot: CMS Security Marketing: Drupal vs the field
    3. Marketing Drupal
    4. CMS Security: The Widening Funnel
    5. Comparison ✦ Drupal ✦ Joomla ✦ WordPress ✦ Liferay ✦ SharePoint
    6. Comparison Points ✦ Core Code Repository ✦ API Security ✦ Security Management Model ✦ Hosting Platform & Infrastructure ✦ Security Controls and Tools: FISMA
    7. Repository ✦ Drupal: open source, Git, drupal.org ✦ Joomla: open source, Git, GitHub ✦ WordPress: open source, Git mirror of Subversion ✦ SharePoint: closed source, ?, TFS ✦ Liferay: open source, Git, GitHub
    8. FreeBSD compromise
    9. API ✦ Drupal: PHP; evolving from the hook system (Symfony in Drupal 8); t(), check_plain(), tokens for forms ✦ Joomla: add-on; design-pattern based, OO, MVC: JRequest, JObject ✦ WordPress: hook system, request and DB filtering ✦ SharePoint: server and client object model, moving to the App model; REST; memory issues ✦ Liferay: Java; internal and external API access; Spring framework, JSP; similar filtering hooks; local and remote invocation (JVM)
    10. API Security ✦ Drupal: check_plain(), url(), db_query() ✦ Joomla: JFilter ✦ WordPress:
    11. Vulnerabilities ✦ Drupal: cross-site scripting, SQL injection, access bypass ✦ Joomla: cross-site scripting, SQL injection ✦ WordPress: SQL injection, cross-site scripting, CSRF ✦ SharePoint: memory leak ✦ Liferay: cross-site scripting
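The vulnerability classes the slide lists for Drupal and WordPress (SQL injection, cross-site scripting, access bypass, CSRF) set against the Drupal API calls from the previous slide, as an added example that is not code from the deck: one Drupal 7 module whose page is written first the vulnerable way and then hardened with core's db_query() placeholders, check_plain()/t(), url()/l(), permission-based menu access and drupal_get_token()/drupal_valid_token(). The module name cmsdemo, its paths and its permission name are assumptions; every API function used is Drupal 7 core.

```php
<?php
// Added example, not from the deck. Module name "cmsdemo", the paths and the
// permission name are assumed; the functions are Drupal 7 core API.

/**
 * Implements hook_permission().
 */
function cmsdemo_permission() {
  return array(
    'view cmsdemo reports' => array('title' => t('View cmsdemo user reports')),
  );
}

/**
 * Implements hook_menu().
 */
function cmsdemo_menu() {
  $items = array();
  // Access bypass: 'access callback' => TRUE grants the page to every visitor.
  $items['cmsdemo/unsafe'] = array(
    'page callback' => 'cmsdemo_unsafe_page',
    'access callback' => TRUE,
  );
  $items['cmsdemo/unsafe/delete/%user'] = array(
    'page callback' => 'cmsdemo_unsafe_delete',
    'page arguments' => array(3),
    'access callback' => TRUE,
  );
  // Hardened: user_access() is the default callback, so the page is gated by a
  // permission that administrators manage like any other Drupal permission.
  $items['cmsdemo/safe'] = array(
    'page callback' => 'cmsdemo_safe_page',
    'access arguments' => array('view cmsdemo reports'),
  );
  $items['cmsdemo/safe/delete/%user'] = array(
    'page callback' => 'cmsdemo_safe_delete',
    'page arguments' => array(3),
    'access arguments' => array('administer users'),
  );
  return $items;
}

// VULNERABLE version of the page.
function cmsdemo_unsafe_page() {
  $term = isset($_GET['q_user']) ? $_GET['q_user'] : '';
  // SQL injection: user input concatenated into the query string.
  $result = db_query("SELECT uid, name FROM {users} WHERE name LIKE '%" . $term . "%'");
  // XSS: the search term and the names are echoed unescaped.
  $output = '<h2>Results for ' . $term . '</h2><ul>';
  foreach ($result as $row) {
    // CSRF: a state-changing GET link carrying no token.
    $output .= '<li>' . $row->name . ' <a href="/cmsdemo/unsafe/delete/' . $row->uid . '">delete</a></li>';
  }
  return $output . '</ul>';
}

function cmsdemo_unsafe_delete($account) {
  // CSRF and access bypass: a GET request from any origin deletes the account.
  user_delete($account->uid);
  drupal_goto('cmsdemo/unsafe');
}

// HARDENED version using the core API.
function cmsdemo_safe_page() {
  $term = isset($_GET['q_user']) ? $_GET['q_user'] : '';
  // SQL injection: a named placeholder; db_like() escapes LIKE wildcards so a
  // term of "%" cannot turn the search into "match everyone".
  $result = db_query(
    "SELECT uid, name FROM {users} WHERE name LIKE :pattern",
    array(':pattern' => '%' . db_like($term) . '%')
  );
  // XSS: t() runs check_plain() on @-placeholders.
  $output = '<h2>' . t('Results for @term', array('@term' => $term)) . '</h2><ul>';
  foreach ($result as $row) {
    // l() escapes the link text and builds the href through url(); the query
    // carries a token bound to this session and to this specific action.
    $token = drupal_get_token('cmsdemo-delete-' . $row->uid);
    $link = l(t('delete'), 'cmsdemo/safe/delete/' . $row->uid, array('query' => array('token' => $token)));
    $output .= '<li>' . check_plain($row->name) . ' ' . $link . '</li>';
  }
  return $output . '</ul>';
}

// The token check rejects a link forged on another site: the attacker cannot
// compute a token for the victim's session.
function cmsdemo_safe_delete($account) {
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], 'cmsdemo-delete-' . $account->uid)) {
    return MENU_ACCESS_DENIED;
  }
  user_delete($account->uid);
  drupal_set_message(t('Deleted user @name.', array('@name' => $account->name)));
  drupal_goto('cmsdemo/safe');
}
```

Forms built with the Form API get the same token automatically for authenticated users; the explicit drupal_get_token()/drupal_valid_token() pair above is what you need for links and other non-form actions that change state.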
    12. WordPress Plugin Vulns ✦ http://www.checkmarx.com/wp-content/uploads/
    13. Security Management ✦ Drupal: Security Team: notices, selective disclosure, works with developers to identify and fix, secure coding guide, module review ✦ Joomla: Joomla Security Team: vulnerable extension list, secure coding guide ✦ WordPress: laissez-faire; link to WP security from main sites ✦ SharePoint: service packs ✦ Liferay: security team, focused on core
    14. WordPress Extensions
    15. Hosting Platform ✦ Drupal: Apache/Nginx, caching, MySQL/MariaDB, alternatives, self-host, cloud, FedRAMP ✦ Joomla: LAMP ✦ WordPress: commercial hosting ✦ SharePoint: Office 365 (FISMA certified), Azure, AWS, Rackspace ✦ Liferay: self-host
    16. Security Tools & Extensions ✦ Permissions ✦ Federated Identity & Authentication (two-factor auth) ✦ Vulnerability Assessment ✦ Hardening ✦ Continuous Monitoring
    17. Permissions ✦ Drupal: granular security, easy to create permissions, access checked from the menu system, LDAP groups ✦ Joomla: RBAC ✦ WordPress ✦ SharePoint: SharePoint groups and roles mapped to AD groups, site collection admins, elevate ✦ Liferay: local
    18. Authentication / Federated Id ✦ Drupal: SAML, SMS, OAuth, PIV, WiKID ✦ Joomla: YubiKey ✦ WordPress ✦ SharePoint: claims-based identity, membership provider (AD) ✦ Liferay
    19. Vulnerability Assessment ✦ Drupal: Security Review, secure coding, DPScan ✦ Joomla: ✦ WordPress ✦ SharePoint ✦ Liferay:
    20. Hardening ✦ Drupal: Linux extensions, Hardened Drupal, Guardr ✦ Joomla ✦ WordPress: Ultimate Security module ✦ SharePoint: separation, Kerberos ✦ Liferay
    21. Continuous Monitoring ✦ Drupal: Nagios, monitoring, MongoDB watchdog, OSSIM plugin, watchdog syslog, dblog, Logstash ✦ Joomla: commercial monitoring ✦ WordPress: commercial monitoring ✦ SharePoint: System Center ✦ Liferay: commercial
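The monitoring slide and the speaker note on watchdog, syslog and Logstash describe getting Drupal's log out of the database and searching it centrally. As an added example that is not from the deck, the script below parses lines in the Drupal 7 syslog module's default watchdog format (`!base_url|!timestamp|!type|!ip|!request_uri|!referer|!uid|!link|!message`, written under the syslog identity `drupal`) and flags a burst of failed logins from one IP, the kind of rule a Logstash or OSSIM pipeline would run over the shipped log. The sample lines are constructed; the hostnames, addresses and the 5-in-300-seconds threshold are assumptions.

```php
<?php
// Added example, not from the deck. Sample log lines are constructed; hosts,
// IPs and the threshold are assumptions. The field layout is the Drupal 7
// syslog module default format.

const FAILED_LOGIN_THRESHOLD = 5;
const FAILED_LOGIN_WINDOW = 300; // seconds

// Parse one syslog line into the nine watchdog fields. Returns NULL for lines
// that are not Drupal entries (other daemons share the same syslog facility).
function parse_drupal_syslog_line($line) {
  $marker = ' drupal: ';
  $pos = strpos($line, $marker);
  if ($pos === FALSE) {
    return NULL;
  }
  // Limit of 9 keeps any '|' inside the free-text message intact.
  $fields = explode('|', substr($line, $pos + strlen($marker)), 9);
  if (count($fields) !== 9) {
    return NULL;
  }
  return array_combine(
    array('base_url', 'timestamp', 'type', 'ip', 'request_uri', 'referer', 'uid', 'link', 'message'),
    $fields
  );
}

// Sliding-window count of failed logins per source IP. Returns the IPs that
// reached the threshold, keyed by IP, with the count when it was first crossed.
function detect_login_bruteforce(array $lines, $threshold = FAILED_LOGIN_THRESHOLD, $window = FAILED_LOGIN_WINDOW) {
  $attempts = array();
  $alerts = array();
  foreach ($lines as $line) {
    $entry = parse_drupal_syslog_line($line);
    // Drupal's user module logs failed logins with type "user" and the message
    // "Login attempt failed for %user."; the syslog module substitutes %user.
    if ($entry === NULL || $entry['type'] !== 'user') {
      continue;
    }
    if (strpos($entry['message'], 'Login attempt failed for ') !== 0) {
      continue;
    }
    $ip = $entry['ip'];
    $ts = (int) $entry['timestamp'];
    $attempts[$ip][] = $ts;
    // Keep only attempts inside the window ending at this entry.
    $attempts[$ip] = array_values(array_filter($attempts[$ip], function ($t) use ($ts, $window) {
      return $t > $ts - $window;
    }));
    if (count($attempts[$ip]) >= $threshold && !isset($alerts[$ip])) {
      $alerts[$ip] = count($attempts[$ip]);
    }
  }
  return $alerts;
}

// Constructed sample: 203.0.113.5 fails six times in 100 seconds,
// 198.51.100.7 fails twice, plus a PHP notice and a line from sshd.
$base = 'http://example.org';
$sample = array(
  "Jun 12 10:15:02 web1 drupal: $base|1371032102|user|203.0.113.5|$base/user/login|$base/user|0||Login attempt failed for admin.",
  "Jun 12 10:15:10 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 51022 ssh2",
  "Jun 12 10:15:22 web1 drupal: $base|1371032122|user|203.0.113.5|$base/user/login|$base/user|0||Login attempt failed for admin.",
  "Jun 12 10:15:30 web1 drupal: $base|1371032130|user|198.51.100.7|$base/user/login|$base/user|0||Login attempt failed for editor.",
  "Jun 12 10:15:42 web1 drupal: $base|1371032142|user|203.0.113.5|$base/user/login|$base/user|0||Login attempt failed for admin.",
  "Jun 12 10:15:55 web1 drupal: $base|1371032155|php|198.51.100.7|$base/node/3||0||Notice: Undefined index: foo in bar.module on line 10.",
  "Jun 12 10:16:02 web1 drupal: $base|1371032162|user|203.0.113.5|$base/user/login|$base/user|0||Login attempt failed for admin.",
  "Jun 12 10:16:22 web1 drupal: $base|1371032182|user|203.0.113.5|$base/user/login|$base/user|0||Login attempt failed for admin.",
  "Jun 12 10:16:30 web1 drupal: $base|1371032190|user|198.51.100.7|$base/user/login|$base/user|0||Login attempt failed for editor.",
  "Jun 12 10:16:42 web1 drupal: $base|1371032202|user|203.0.113.5|$base/user/login|$base/user|0||Login attempt failed for admin.",
);

$alerts = detect_login_bruteforce($sample);
foreach ($alerts as $ip => $count) {
  printf("ALERT: %d failed logins from %s within %d seconds\n", $count, $ip, FAILED_LOGIN_WINDOW);
}
// Prints one alert, for 203.0.113.5 with a count of 5; 198.51.100.7 stays
// below the threshold and the php and sshd lines are ignored.
```

Drupal 7 core already throttles repeated failures per IP and per account through its flood table; the point of doing this again centrally is to correlate across sites and hosts and to keep the data when dblog is turned off for performance.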
    22. Drupal security incident ✦ drupal.org compromised ✦ sophisticated automated testing and deployment ✦ third party ✦ every system has multiple vulnerabilities
    23. Security Rockstar