Calibrate, profile picture
Uploaded byCalibrate
PDF, PPTX1,146 views

Drupal Security Seminar

The document discusses securing Drupal websites through best practices, addressing vulnerabilities, and outlining the responsibilities of security teams. It highlights the importance of community involvement and regular updates to address security issues, while providing guidelines on using the Drupal API securely. Additionally, it lists common vulnerabilities and emphasizes the need for secure configurations and continuous monitoring.

Technology
Related topics:
Secure Development

Embed presentation

Download as PDF, PPTX
WE MATCH FRONT SEAT TECHNOLOGY AND CREATIVITY TO MEET YOUR DIGITAL PROJECTS.
1  KEEP YOUR DRUPAL ENVIRONMENT SECURE 2  SECURE DEVELOPMENT & SECURE CONFIGURATION 3  ACQUIA ON DRUPAL SECURITY 4  IBM TIVOLI ACCESS MANAGEMENT AND DRUPAL AGENDA
DRUPAL SECURITY
WHY BOTHER? 1
ZAPPOS
LINKEDIN
SONYPLAYSTATIONNETWORK
WHYBOTHER? -  Privacy laws -  Exposure of private information -  Compliance with legislation / internal rules -  Risk of reputational damage -  Risk of direct/indirect economical damage
IS DRUPAL SECURE? 2
MANY EYES MAKE FOR SECURE CODE ISOPENSOURCESECURE? -  Security by obscurity -  Open code does not make it easier for hackers -  Open Source makes people look at it -  Popularity gets more eyes and more peer-reviews -  Not dependant on time-scale vendor Bad open-source software as bad as bad private software.
TOP 10 VULNERABILITIES OWASP -  Injection -  Cross Site Scripting - XSS -  Broken Authentication and Session Management -  Insecure Direct Object Reference -  Cross Site Request Forgery - CSRF -  Security Misconfguration -  Failure to Restrict URL Access -  Unvalidated Redirects and Forwards -  Insecure Cryptographic Storage -  Insuficient Transport Layer Protection
REPORTEDVULNERABILITIES
ISDRUPALSECURE? Drupal Architecture -  API is designed to be secure -  Contrib Modules > custom modules -  Best practices Build -  Secure Development -  Secure Configuration -  Audit Contrib Modules -  Code audit custom code -  Security Review DURING BUILD OF NEW DRUPAL WEBSITE
DURING LIFECYCLE DRUPAL WEBSITE ISDRUPALSECURE? Who’s checking Drupal -  Project maintainers -  Thousand of users -  Security Researchers -  Government organisations -  Private organisations Processes & Organisation -  Security Team -  Process for solving issues & releasing security updates -  Security Advisories -  Private Disclosure practice
KEEP YOUR DRUPAL WEBSITE SECURE 3
SECURITY IS A PROCESS NOT AN EVENT
WHO’SCHECKINGDRUPAL -  Project maintainers -  Thousand of users -  Security Researchers -  Government organisations -  Private organisations MANY EYES MAKE FOR SECURE CODE
UNIQUE FOR A OPEN SOURCE PROJECT SECURITYTEAM Task & Responsibilities -  Solve reported issues -  Assist contributors in solving issues -  Advise and provide documentation on secure development -  Advise and provide documentation on securing your Drupal website What’s supported -  Core Drupal 6 & 7 -  Contributed Modules Drupal 6 & 7
FROM REPORTED ISSUE TO SECURITY UPDATE ADRUPALSECURITYRELEASE
FOR CORE AND CONTRIBUTED MODULES PER YEAR SECURITYADVISORIES Year Core Contributed 2010 1 31 2009 8 115 2008 11 64 2007 11 21 2006 1 21 2005 7 2
YOU’RE SAFE UNTIL RELEASE SECURITY UPDATE PRIVATEDISCLOSURE -  Vulnerability introduced into code -  Issue reported -  Maintainer is notified -  Maintainer fixes issue -  Review & Discussions with security team -  Security Advisory written -  Release and anounce -  Deployed in Drupal website FD PD
KNOW WHEN AN UPDATE IS NEEDED UPDATEMANAGER -  Check available updates -  Notifications -  Update through admin interface
SECURITY HEALTH CHECK SECURITYREVIEWMODULE
INSIGHT INTO HEALTH OF YOUR DRUPAL WEBSITE STATUSMONITORING Tools -  Droptor.com (https://drupal.org/project/droptor) -  Acquia Insight (https://drupal.org/project/acquia_connector) -  Nagios (https://drupal.org/project/nagios) -  Drupalmonitor.com (https://drupal.org/project/drupalmonitor) -  …
BUILD A SECURE DRUPAL WEBISTE 4
CONTRIB
CONTRIBUTED MODULES Quality assurance -  Usage -  Number of open issues -  Closed/Open ratio -  Response time Good quality usually means good security Manual code reviews for less used modules
UPDATES Always stay up to date -  Keep up with latest security releases Update Workflow -  Hacked module + diff -  Drush up
PATCHES Contrib patches Read the entire issue Commit custom patches Help out Feedback from other users (maintainers) Patch might get commited Patch management Move module to patched Create a patches.txt Keep patches
CUSTOM
SECURITY PYRAMID Menu & Node Access Form API DB API Theme
CORRECT USE OF API Form api validation cache form_state drupal_valid_token DB api db_select, db_insert, placeholders $query->addTag('node_access') Filter tcheck_url, check_plain, check_markup, filter_xss (), l(), drupal_set_title()
CODE REVIEWS Coder module Manual reviews security_review module
THEMES
THEMES Themer not responsible Preprocess functions
CONFIGURATION
PERMISSIONS Permission management If Joe from advertising can give the full html filter format to anonymous user, don't bother to think about security Split up permissions The default permissions don't cover every use case
PERMISSIONS
FILTER FORMATS Never use full_html Use filtered_html instead. Never use phpfilter Use a custom module for code Versioning Bad performance (eval)
HACKS AND HOW TO PREVENT THEM
SQL INJECTION "SELECT * FROM user WHERE name = '$name'" "SELECT * FROM user WHERE name = 'Robert'; DROP TABLE students;'" http://xkcd.com/327/
SQL INJECTION Placeholders db_query(“SELECT * FROM users WHERE name = :user”, array(':user' => $user); Dynamic Queries $query = db_select('user', 'u') ->fields('u') ->where('name', $user) ->execute();
XSS (cross site scripting) http://vimeo.com/15447718
XSS (cross site scripting) Validate forms User input should never contain javascript Form api Never use $_POST variables $form_state['values'] Form caching
XSS (cross site scripting) User Input Title Body Log message Url Post User-Agent Headers
XSS (cross site scripting) Input formats Never use full_html Filter Functions check_url() check_plain() check_markup() filter_xss()
XSS (cross site scripting) http://drupalscout.com/knowledge-base/drupal-text-filtering-cheat-sheet-drupal-6
XSS (cross site scripting) Functions t() l() drupal_set_title() @var => plain text %var => plain text !var => full html!
CSRF (cross site request forgery) Taking action without confirming intent <a href=”/delete/user/1”>Delete user 1</a> Image Tag <img src=”/delete/user/1”> A hacker posts a comment to the administrator. When the administrator views the image, user 1 gets deleted
CSRF (cross site request forgery) Token (aka Nonce)
ACCESS BYPASS View content a user is not supposed to $query = db_select('node', 'n')->fields('n'); Also shows nodes that user doesn't have acces to $query->addTag('node_access') Rewrite the query based on the node_access table
ACCESS BYPASS Bad custom caching Administrator visits a block listing nodes. The block gets cached The cached block with all nodes is shown to the anonymous user Add role id to custom caching
ACCESS BYPASS Rabbit_hole module Rabbit Hole is a module that adds the ability to control what should happen when an entity is being viewed at its own page. Field access $form['#access'] = custom_access_callback(); Menu access $item['access callback'] = 'custom_access_callback',
CHECKLIST
CHECKLIST Permissions λ Trusted users only λ Split default permissions API λ Use Preprocess functions λ filter_xss, check_plain λ DB api λ Form api λ Tokens λ Menu/Node Access Never Use λ Full html λ Php filter
FURTHER READING
FURTHER READING Books Cracking Drupal Pro Drupal Development Online λ https://drupal.org/writing-secure-code λ https://drupal.org/node/360052 λ http://munich2012.drupal.org/program/sessions/think-hacker-secure-drupal-code.html λ http://drupalscout.com/knowledge-base Video λ  How to avoid All your base are belong to us (drupalcon Denver)
SEND US A MESSAGE E-mail You can contact us at newmedia@calibrate.be Our address Veldkant 33A 2550 Kontich ONZE CONTACTINFORMATIE On the web www.calibrate.be linkedin.com/company/calibrate twitter.com/calibrators

More Related Content

PDF
Обмен учетными данными между iOS 8 приложениями и вебом, Константин Чернухо, ...
byYandex
 
PDF
David Thiel - Secure Development On iOS
bySource Conference
 
PPTX
Hacking WebApps for fun and profit : how to approach a target?
byYassine Aboukir
 
PDF
Is Drupal secure?
byFour Kitchens
 
PPT
Drupal security
byTechday7
 
PDF
Stealing Domain Admin (or How I Learned to Stop Worrying and Love the CSSF)
byJerod Brennen
 
PDF
Drupal and Security: What You Need to Know
byAcquia
 
PPT
Top Ten Proactive Web Security Controls v5
byJim Manico
 
Обмен учетными данными между iOS 8 приложениями и вебом, Константин Чернухо, ...
byYandex
 
David Thiel - Secure Development On iOS
bySource Conference
 
Hacking WebApps for fun and profit : how to approach a target?
byYassine Aboukir
 
Is Drupal secure?
byFour Kitchens
 
Drupal security
byTechday7
 
Stealing Domain Admin (or How I Learned to Stop Worrying and Love the CSSF)
byJerod Brennen
 
Drupal and Security: What You Need to Know
byAcquia
 
Top Ten Proactive Web Security Controls v5
byJim Manico
 

What's hot

PDF
Iphone Presentation for MuMe09
byGonzalo Parra
 
PDF
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
bynyccamp
 
PPTX
Web security-–-everything-we-know-is-wrong-eoin-keary
bydrewz lin
 
PDF
Abusing & Securing XPC in macOS apps
bySecuRing
 
PPTX
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
byCODE BLUE
 
PDF
The Hidden XSS - Attacking the Desktop & Mobile Platforms
bykosborn
 
PDF
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
bymichelemanzotti
 
PDF
Attacking Drupal
byGreg Foss
 
PDF
Development Security Framework based on Owasp Esapi for JSF2.0
byRakesh Kachhadiya
 
PPT
Top Ten Web Application Defenses v12
byJim Manico
 
PPTX
Octopus framework; Permission based security framework for Java EE
byRudy De Busscher
 
PPTX
Top Ten Java Defense for Web Applications v2
byJim Manico
 
PPTX
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
byDataStax Academy
 
PDF
Hacking Adobe Experience Manager sites
byMikhail Egorov
 
PDF
Revue des annonces WWDC2015
byCocoaHeads France
 
PDF
Enterprise Single Sign-On - SSO
byOliver Mueller
 
ODP
Csrf not-all-defenses-are-created-equal
bydrewz lin
 
PPTX
OWASP Khartoum Top 10 A3 - 6th meeting
byOWASP Khartoum
 
PDF
Are you botching the security of your AngularJS applications? (DevFest 2016)
byPhilippe De Ryck
 
PDF
Getting Single Page Application Security Right
byPhilippe De Ryck
 
Iphone Presentation for MuMe09
byGonzalo Parra
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
bynyccamp
 
Web security-–-everything-we-know-is-wrong-eoin-keary
bydrewz lin
 
Abusing & Securing XPC in macOS apps
bySecuRing
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
byCODE BLUE
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
bykosborn
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
bymichelemanzotti
 
Attacking Drupal
byGreg Foss
 
Development Security Framework based on Owasp Esapi for JSF2.0
byRakesh Kachhadiya
 
Top Ten Web Application Defenses v12
byJim Manico
 
Octopus framework; Permission based security framework for Java EE
byRudy De Busscher
 
Top Ten Java Defense for Web Applications v2
byJim Manico
 
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
byDataStax Academy
 
Hacking Adobe Experience Manager sites
byMikhail Egorov
 
Revue des annonces WWDC2015
byCocoaHeads France
 
Enterprise Single Sign-On - SSO
byOliver Mueller
 
Csrf not-all-defenses-are-created-equal
bydrewz lin
 
OWASP Khartoum Top 10 A3 - 6th meeting
byOWASP Khartoum
 
Are you botching the security of your AngularJS applications? (DevFest 2016)
byPhilippe De Ryck
 
Getting Single Page Application Security Right
byPhilippe De Ryck
 

Viewers also liked

PPTX
Calibrate - Why Drupal?
byCalibrate
 
PDF
Calibrate presentation
byCalibrate
 
PDF
Hello drupal
byCalibrate
 
PDF
Tourist places in batticaloa
byMohamed Sajir
 
PDF
Leaseplan businesscase
byCalibrate
 
PDF
Ict final
bylesmanang
 
PDF
32 Ways a Digital Marketing Consultant Can Help Grow Your Business
byBarry Feldman
 
Calibrate - Why Drupal?
byCalibrate
 
Calibrate presentation
byCalibrate
 
Hello drupal
byCalibrate
 
Tourist places in batticaloa
byMohamed Sajir
 
Leaseplan businesscase
byCalibrate
 
Ict final
bylesmanang
 
32 Ways a Digital Marketing Consultant Can Help Grow Your Business
byBarry Feldman
 

Similar to Drupal Security Seminar

PDF
Drupal campleuven: Secure Drupal Development
bySteven Van den Hout
 
PDF
Doing Drupal security right
byGábor Hojtsy
 
PDF
Drupal Security from Drupalcamp Bratislava
byGábor Hojtsy
 
PDF
Drupal Security from Drupalcamp Cologne 2009
byGábor Hojtsy
 
PDF
Doing Drupal security right from Drupalcon London
byGábor Hojtsy
 
PDF
Drupal Security Basics for the DrupalJax January Meetup
byChris Hales
 
PDF
Drupal security
byJozef Toth
 
ODP
Drupal Security Hardening
byGerald Villorente
 
ODP
Drupal Security Hardening
byGerald Villorente
 
KEY
Drupal Security Intro
byCash Williams
 
PDF
Drupal and security - Advice for Site Builders and Coders
byArunkumar Kupppuswamy
 
PDF
Hong Kong Drupal User Group - Nov 8th
byWong Hoi Sing Edison
 
PDF
Hong kong drupal user group nov 8th - drupal 7.32 security vulnerability
byAnn Lam
 
PDF
Hong kong drupal user group nov 8th - drupal 7.32 security vulnerability
byAnn Lam
 
PPTX
OWASP Top 10 vs Drupal - OWASP Benelux 2012
byZIONSECURITY
 
PPTX
Drupal Security: What You Need to Know
byMediacurrent
 
PDF
Looking for Vulnerable Code. Vlad Savitsky
byVlad Savitsky
 
PDF
Drupal, lessons learnt from real world security incidents
bysydneydrupal
 
PDF
Understanding and Implementing Website Security
byDrew Gorton
 
PPT
Securing Drupal 7: Do not get Hacked or Spammed to death!
byAdelle Frank
 
Drupal campleuven: Secure Drupal Development
bySteven Van den Hout
 
Doing Drupal security right
byGábor Hojtsy
 
Drupal Security from Drupalcamp Bratislava
byGábor Hojtsy
 
Drupal Security from Drupalcamp Cologne 2009
byGábor Hojtsy
 
Doing Drupal security right from Drupalcon London
byGábor Hojtsy
 
Drupal Security Basics for the DrupalJax January Meetup
byChris Hales
 
Drupal security
byJozef Toth
 
Drupal Security Hardening
byGerald Villorente
 
Drupal Security Hardening
byGerald Villorente
 
Drupal Security Intro
byCash Williams
 
Drupal and security - Advice for Site Builders and Coders
byArunkumar Kupppuswamy
 
Hong Kong Drupal User Group - Nov 8th
byWong Hoi Sing Edison
 
Hong kong drupal user group nov 8th - drupal 7.32 security vulnerability
byAnn Lam
 
Hong kong drupal user group nov 8th - drupal 7.32 security vulnerability
byAnn Lam
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
byZIONSECURITY
 
Drupal Security: What You Need to Know
byMediacurrent
 
Looking for Vulnerable Code. Vlad Savitsky
byVlad Savitsky
 
Drupal, lessons learnt from real world security incidents
bysydneydrupal
 
Understanding and Implementing Website Security
byDrew Gorton
 
Securing Drupal 7: Do not get Hacked or Spammed to death!
byAdelle Frank
 

Recently uploaded

PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PPTX
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 

Drupal Security Seminar

  • 1.
    WE MATCH FRONT SEATTECHNOLOGY AND CREATIVITY TO MEET YOUR DIGITAL PROJECTS.
  • 2.
    1  KEEP YOURDRUPAL ENVIRONMENT SECURE 2  SECURE DEVELOPMENT & SECURE CONFIGURATION 3  ACQUIA ON DRUPAL SECURITY 4  IBM TIVOLI ACCESS MANAGEMENT AND DRUPAL AGENDA
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.
    WHYBOTHER? -  Privacy laws - Exposure of private information -  Compliance with legislation / internal rules -  Risk of reputational damage -  Risk of direct/indirect economical damage
  • 9.
  • 10.
    MANY EYES MAKEFOR SECURE CODE ISOPENSOURCESECURE? -  Security by obscurity -  Open code does not make it easier for hackers -  Open Source makes people look at it -  Popularity gets more eyes and more peer-reviews -  Not dependant on time-scale vendor Bad open-source software as bad as bad private software.
  • 11.
    TOP 10 VULNERABILITIES OWASP - Injection -  Cross Site Scripting - XSS -  Broken Authentication and Session Management -  Insecure Direct Object Reference -  Cross Site Request Forgery - CSRF -  Security Misconfguration -  Failure to Restrict URL Access -  Unvalidated Redirects and Forwards -  Insecure Cryptographic Storage -  Insuficient Transport Layer Protection
  • 12.
  • 13.
    ISDRUPALSECURE? Drupal Architecture -  APIis designed to be secure -  Contrib Modules > custom modules -  Best practices Build -  Secure Development -  Secure Configuration -  Audit Contrib Modules -  Code audit custom code -  Security Review DURING BUILD OF NEW DRUPAL WEBSITE
  • 14.
    DURING LIFECYCLE DRUPALWEBSITE ISDRUPALSECURE? Who’s checking Drupal -  Project maintainers -  Thousand of users -  Security Researchers -  Government organisations -  Private organisations Processes & Organisation -  Security Team -  Process for solving issues & releasing security updates -  Security Advisories -  Private Disclosure practice
  • 15.
    KEEP YOUR DRUPALWEBSITE SECURE 3
  • 16.
    SECURITY IS APROCESS NOT AN EVENT
  • 17.
    WHO’SCHECKINGDRUPAL -  Project maintainers - Thousand of users -  Security Researchers -  Government organisations -  Private organisations MANY EYES MAKE FOR SECURE CODE
  • 18.
    UNIQUE FOR AOPEN SOURCE PROJECT SECURITYTEAM Task & Responsibilities -  Solve reported issues -  Assist contributors in solving issues -  Advise and provide documentation on secure development -  Advise and provide documentation on securing your Drupal website What’s supported -  Core Drupal 6 & 7 -  Contributed Modules Drupal 6 & 7
  • 19.
    FROM REPORTED ISSUETO SECURITY UPDATE ADRUPALSECURITYRELEASE
  • 22.
    FOR CORE ANDCONTRIBUTED MODULES PER YEAR SECURITYADVISORIES Year Core Contributed 2010 1 31 2009 8 115 2008 11 64 2007 11 21 2006 1 21 2005 7 2
  • 23.
    YOU’RE SAFE UNTILRELEASE SECURITY UPDATE PRIVATEDISCLOSURE -  Vulnerability introduced into code -  Issue reported -  Maintainer is notified -  Maintainer fixes issue -  Review & Discussions with security team -  Security Advisory written -  Release and anounce -  Deployed in Drupal website FD PD
  • 24.
    KNOW WHEN ANUPDATE IS NEEDED UPDATEMANAGER -  Check available updates -  Notifications -  Update through admin interface
  • 25.
  • 26.
    INSIGHT INTO HEALTHOF YOUR DRUPAL WEBSITE STATUSMONITORING Tools -  Droptor.com (https://drupal.org/project/droptor) -  Acquia Insight (https://drupal.org/project/acquia_connector) -  Nagios (https://drupal.org/project/nagios) -  Drupalmonitor.com (https://drupal.org/project/drupalmonitor) -  …
  • 30.
  • 31.
  • 32.
    CONTRIBUTED MODULES Quality assurance - Usage -  Number of open issues -  Closed/Open ratio -  Response time Good quality usually means good security Manual code reviews for less used modules
  • 33.
    UPDATES Always stay upto date -  Keep up with latest security releases Update Workflow -  Hacked module + diff -  Drush up
  • 34.
    PATCHES Contrib patches Read theentire issue Commit custom patches Help out Feedback from other users (maintainers) Patch might get commited Patch management Move module to patched Create a patches.txt Keep patches
  • 35.
  • 36.
    SECURITY PYRAMID Menu &Node Access Form API DB API Theme
  • 37.
    CORRECT USE OFAPI Form api validation cache form_state drupal_valid_token DB api db_select, db_insert, placeholders $query->addTag('node_access') Filter tcheck_url, check_plain, check_markup, filter_xss (), l(), drupal_set_title()
  • 38.
    CODE REVIEWS Coder module Manualreviews security_review module
  • 39.
  • 40.
  • 41.
  • 42.
    PERMISSIONS Permission management If Joefrom advertising can give the full html filter format to anonymous user, don't bother to think about security Split up permissions The default permissions don't cover every use case
  • 43.
  • 44.
    FILTER FORMATS Never usefull_html Use filtered_html instead. Never use phpfilter Use a custom module for code Versioning Bad performance (eval)
  • 45.
    HACKS AND HOW TOPREVENT THEM
  • 46.
    SQL INJECTION "SELECT *FROM user WHERE name = '$name'" "SELECT * FROM user WHERE name = 'Robert'; DROP TABLE students;'" http://xkcd.com/327/
  • 47.
    SQL INJECTION Placeholders db_query(“SELECT *FROM users WHERE name = :user”, array(':user' => $user); Dynamic Queries $query = db_select('user', 'u') ->fields('u') ->where('name', $user) ->execute();
  • 48.
    XSS (cross sitescripting) http://vimeo.com/15447718
  • 49.
    XSS (cross sitescripting) Validate forms User input should never contain javascript Form api Never use $_POST variables $form_state['values'] Form caching
  • 50.
    XSS (cross sitescripting) User Input Title Body Log message Url Post User-Agent Headers
  • 51.
    XSS (cross sitescripting) Input formats Never use full_html Filter Functions check_url() check_plain() check_markup() filter_xss()
  • 52.
    XSS (cross sitescripting) http://drupalscout.com/knowledge-base/drupal-text-filtering-cheat-sheet-drupal-6
  • 53.
    XSS (cross sitescripting) Functions t() l() drupal_set_title() @var => plain text %var => plain text !var => full html!
  • 54.
    CSRF (cross siterequest forgery) Taking action without confirming intent <a href=”/delete/user/1”>Delete user 1</a> Image Tag <img src=”/delete/user/1”> A hacker posts a comment to the administrator. When the administrator views the image, user 1 gets deleted
  • 55.
    CSRF (cross siterequest forgery) Token (aka Nonce)
  • 56.
    ACCESS BYPASS View contenta user is not supposed to $query = db_select('node', 'n')->fields('n'); Also shows nodes that user doesn't have acces to $query->addTag('node_access') Rewrite the query based on the node_access table
  • 57.
    ACCESS BYPASS Bad customcaching Administrator visits a block listing nodes. The block gets cached The cached block with all nodes is shown to the anonymous user Add role id to custom caching
  • 58.
    ACCESS BYPASS Rabbit_hole module RabbitHole is a module that adds the ability to control what should happen when an entity is being viewed at its own page. Field access $form['#access'] = custom_access_callback(); Menu access $item['access callback'] = 'custom_access_callback',
  • 59.
  • 60.
    CHECKLIST Permissions λ Trusted users only λ Splitdefault permissions API λ Use Preprocess functions λ filter_xss, check_plain λ DB api λ Form api λ Tokens λ Menu/Node Access Never Use λ Full html λ Php filter
  • 61.
  • 62.
    FURTHER READING Books Cracking Drupal ProDrupal Development Online λ https://drupal.org/writing-secure-code λ https://drupal.org/node/360052 λ http://munich2012.drupal.org/program/sessions/think-hacker-secure-drupal-code.html λ http://drupalscout.com/knowledge-base Video λ  How to avoid All your base are belong to us (drupalcon Denver)
  • 63.
    SEND US AMESSAGE E-mail You can contact us at newmedia@calibrate.be Our address Veldkant 33A 2550 Kontich ONZE CONTACTINFORMATIE On the web www.calibrate.be linkedin.com/company/calibrate twitter.com/calibrators