Drupal

Cryptoparty, Melbourne 27th Oct
@chrischinch
Overview
‘Drupal’ is a Trademark

Released under GPL license, as are all modules and themes

Drupal distributions

A healthy consultant / developer ecosystem

Acquia and commercialisation
You’re in good company…
Why use an Open Source CMS?

Freedom

After a bit of work

Especially with Drupal
Data in
CSV, XML, RSS, JSON, KML, OPML, RDF, SQL, SSO, OAuth, OpenID, Social Logins, phpBB, Joomla, WordPress, LiveJournal…

And more!
Data Out…
CSV, RSS, XML, JSON, TXT, Serialize, Node Code

MORE
Security process
Open source

Security Team

Most vulnerabilities, “Bad practice”

drupalsecurityreport.org
Security Features
Passwords

Private keys

Cookies / Sessions

Passwords never emailed

Cross-site request forgery / Scripting

Data Sanitisation

Database Abstraction Layer
Securing
Disabling PHP Filters

Check HTML Filters

Captcha / Mollom

Status Report

Error Logs
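One way to surface the first two items on this slide in Drupal's own Status report, as an added example that is not from the talk or from Drupal core: a hypothetical custom module's .install file implementing hook_requirements(), which flags the PHP filter module if it is enabled and lists text formats whose HTML filter is missing or allows script-bearing tags. It assumes the Drupal 7 filter API (filter_formats(), filter_list_format()) and the module name cryptoparty_audit.

```php
<?php
// Hypothetical cryptoparty_audit.install (added example, not Drupal code):
// a custom module that adds two checks to the Drupal 7 Status report.
/**
 * Implements hook_requirements().
 */
function cryptoparty_audit_requirements($phase) {
  $requirements = array();
  if ($phase != 'runtime') {
    return $requirements;
  }
  // Check 1: core's PHP filter module. Any role granted a text format that
  // carries the PHP evaluator can run arbitrary PHP from a node body.
  $php_on = module_exists('php');
  $requirements['cryptoparty_php_filter'] = array(
    'title' => t('PHP filter module'),
    'value' => $php_on ? t('Enabled') : t('Disabled'),
    'severity' => $php_on ? REQUIREMENT_ERROR : REQUIREMENT_OK,
  );

  // Check 2: text formats. A format counts as restricted when it escapes
  // all HTML (filter_html_escape) or limits tags via filter_html to a list
  // without script-bearing tags. Others, such as core's "Full HTML", are
  // reported so the admin can confirm only trusted roles may use them.
  $risky_tags = array('<script>', '<iframe>', '<object>', '<embed>');
  $unrestricted = array();
  foreach (filter_formats() as $format) {
    $filters = filter_list_format($format->format);
    if (!empty($filters['filter_html_escape']->status)) {
      continue;
    }
    if (empty($filters['filter_html']->status)) {
      $unrestricted[] = $format->name . ' (' . t('no HTML filter') . ')';
      continue;
    }
    $allowed = $filters['filter_html']->settings['allowed_html'];
    foreach ($risky_tags as $tag) {
      if (stripos($allowed, $tag) !== FALSE) {
        $unrestricted[] = $format->name . ' (' . t('allows @tag', array('@tag' => $tag)) . ')';
      }
    }
  }
  $requirements['cryptoparty_html_filters'] = array(
    'title' => t('HTML text formats'),
    'value' => $unrestricted ? implode(', ', $unrestricted) : t('All formats restrict HTML'),
    'severity' => $unrestricted ? REQUIREMENT_WARNING : REQUIREMENT_OK,
  );
  return $requirements;
}
```

Once the module is enabled, both rows appear on admin/reports/status next to core's own checks, so the audit is repeated every time an administrator opens the Status report.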
Privacy
Basic user tracking by default

Many other initial flaws slowly resolved

Public & private fields

Highly configurable permissions

Cookies / EU compliance
More?
Drupal Melbourne
www.meetup.com/drupalmelbourne

Australia’s first ‘official’ DrupalCon
Sydney, 6th Feb 2013

Drupal - Melbourne cryptoparty

Editor's Notes

  • #2 Demo
  • #3 The Drupal trademark — i.e. the word "Drupal", whether or not in capitals — is owned and controlled by Dries Buytaert, who cooperates with the Drupal Association and local non-profit associations to foster the use of the Drupal software. You are required to apply for a license if you intend to use it in your own business name, i.e. “Chris’s Drupal shop”, but generally you don’t need to apply if you’re just using the software. GPL, version 2 or later license: this means you are free to download, reuse, modify, and distribute any files hosted in Drupal.org's Git repositories under the terms of either the GPL version 2 or version 3, and to run Drupal in combination with any code with any license that is compatible with either versions 2 or 3, such as the Affero General Public License (AGPL) version 3. Very few commercial themes or modules, much clearer than some other open source CMSs, though they can integrate with commercial services.
  • #4 Strange comparison I know… Very popular with government generally worldwide.
  • #7 Demo
  • #8 Open Source is generally considered more secure through community collaboration and quicker identification and solving of security issues. Professional security audits of Drupal sites have generally found that the vast majority of security holes (90% or more) are present in the custom theme or modules written by that site's developers. That code did not get the same public scrutiny that all code on drupal.org receives. In addition, problems at the server level (such as using insecure protocols like FTP) are more likely to be the means of a successful attack than a vulnerability in Drupal, especially Drupal core.
  • #9 Passwords stored as a one-way hash. Private keys for every installation. Sessions always destroyed, not modifiable, and unique to each installation. Usernames and passwords always server side. Form API and input filters prevent CSRF / XSS.
  • #10 Local site demo
  • #11 What you’ve viewed, counts etc… Deleting your own account. Show examples, permissions and fields (same screen). Core Drupal uses cookies, hard to turn off, but you can get EU compliance modules and not enable other modules such as analytics.