Knowing security best practices only gets a team so far. They have to implement them too. This session will cover the security risks that a web development team faces and the underlying reasons why risks can go unaddressed. Ultimately, there are no excuses for leaving your web projects exposed to known vulnerabilities. This session will cover common security concerns for Drupal and the root problems a team needs to solve in order to mitigate these risks. We will cover: Three layers of web security, from the perspective of Drupal: Platform-level (e.g. Linux), Application-level (e.g. Drupal), and Organizational-level (e.g. procedures) Familiarity with your hosting platform’s security-related practices. Overview of common vulnerabilities in web applications (XSS, CSRF, HTTP vs HTTPS, etc.) Understanding how security concerns are handled for core and contrib. Clarifying support responsibilities and procedures so that security fixes are applied quickly. Attendees who build and/or manage Drupal sites will gain the most from the session. Attendees will leave with a complete picture of website security and concrete recommendations for how to improve the security of the sites they manage. It will cover recommendations for Drupal 7 and Drupal 8. Many of the topics that will be covered are in my Understanding and Implementing Website Security blog post series at https://pantheon.io/blog/understanding-and-implementing-website-security-part-1-you-are-target

1. Understanding and
Implementing Website Security

2. Pantheon.io
Hi, I’m Drew Gorton
● Director of Agency and Community
Outreach, Pantheon
● Founder, Gorton Studios (2001)
● Co-founder, NodeSquirrel (2012)
● Drupal 4.4 (~2004)
● Drupal Twin Cities
● @dgorton
● drew@pantheon.io

3. Web CMS is Risky
The Elephant in the Room
● Web Content Management is
inherently dangerous
● Connected to the internet
● Edited via the internet
3

4. Data Breaches
Have Become Commonplace
4
● http://www.informationisbeautif
ul.net/visualizations/worlds-big
gest-data-breaches-hacks/
●

5. I’m So Tiny!
Surely not me?
● You are a target
● You have:
Computing power
Access to nearby systems
Visitors with vulnerable browsers
Information
PII? Transactions? Donations?
● Robots don’t care
5

6. Website Security
Is Not Binary
● Not On or Off
● “Is my website secure?”
not a Yes / No question
6https://flic.kr/p/h4TA84

7. Website Security
Lessons from the Real World
Safe Ratings
● Time (5 mins, 30 mins, …)
● Tools (hammer, drill, power, …)
● People (skill, number, …)
7https://flic.kr/p/5GPgE1

8. Website Security
Is a Continuum
● Perfect security is a myth
● There will always be gaps
● Be prepared
8

9. Today’s Goals
Our Agenda
● Understand Landscape
● Have Fewer, Smaller Gaps
● Better Preparedness
● Looking at Layers of Security
9https://flic.kr/p/5d4nKx

10. Our Layers
Drupal is Just One Piece ● Platform
Linux, Apache, MySQL, PHP …
● Application
Drupal, WordPress…
● Organizational
Habits, procedures, planning…
10https://flic.kr/p/dp3nGo

11. Platform Layer
The Stack Drupal Uses
● Linux
● Apache / NGINX
● MySQL / MariaDB
● PHP
● Varnish
● Memcached / Redis
● Solr
● …
● http://www.linuxsecurity.com
11https://flic.kr/p/mmgwkx

12. You Do Not Want This Monkey*
12
https://flic.kr/p/p8z6wN

13. Use Drupal Hosting
13
https://www.drupal.org/hosting

14. Buyer Beware
14
Not All Hosting Is Equal

15. Traditional Hosting
15
Even Messier in the Real World

16. Platform Security
16
There is a Better Way

17. 17
How did you handle Heartbleed?
How did you handle DrupalGeddon?
Choose Hosts Wisely

18. Application Layer
Security in Drupal
● Configuration
● Modules
● Security Team and Procedures
● Coding Best Practices
18https://flic.kr/p/9Vx4ra

19. Flexibility
Drupal’s Great Strength and Weakness
● (Mis) Configuration
● True or False?
● You can configure Drupal so that
Anonymous Users can ____
Upload images
Change files
Edit the homepage
Turn on modules
Change themes
19https://flic.kr/p/nze5Em

20. Secure Configuration
The Most Important Thing You Can Do
● Secure User 1
No simple passwords
Don’t share passwords across sites
Doesn’t have to be ‘admin’
● Permissions & Roles
Administer * is powerful
Administer filters can pwn site
● No PHP (!!!)
● Update module
Wednesdays are security releases
Turn it on. Get the notifications. Do
them
20https://flic.kr/p/5pGcyx

21. Drupal Modules
Improving Security with Contrib ● Password Policy and Password Strength
● Security Review
● Security Kit (Seckit)
● Hacked!
● Paranoia
● Permissions Lock
● Login Security
● Automated Logout
● Two Factor Authentication
21https://flic.kr/p/5d4nKx

22. Security Team
Our Fearless Defenders
● Drupal 7 & 8 Core + Contrib
● Wednesdays are releases
● Process & Procedure
● Drupal 6 coverage available
22https://flic.kr/p/5d4nKx

23. Secure Coding
Best Practices
● Writing Secure Code (Drupal.org)
● Cracking Drupal - OWASP 10
and Drupal
● SQL Injection
● XSS
● CRSF
23https://flic.kr/p/3dvqhG

24. SQL Injection
24
As Illustrated by XKCD
db_query()
https://www.drupal.org/node/101496
http://xkcd.com/327/

25. Secure Coding
Best Practices
● JavaScript to run browser actions
● Up to 64% of websites vulnerable
● Everything you can do, XSS can do
better
● Use Filters! check_url(),
check_plain(), filter_xss(),
filter_xss_admin(), check_markup()
● t() function
● https://www.drupal.org/node/2898
4
25https://flic.kr/p/5ALBHy

26. Secure Coding
Best Practices
● Actions on another site
● <a
href="http://bank.com/
xfer.do?acct=123&amt=10000
">View my Pictures!</a>
● Forms API , drupal_get_token(),
drupal_valid_token()
● https://www.drupal.org/node/1788
96
26https://flic.kr/p/bSkp8r

27. Organization Layer
Secure Processes
● Safe Network Usage
● Secure Code Management
● Secure Support
27https://flic.kr/p/5kaEda

28. Secure Networking
Build Good Habits
● HTTPS / SSL
LetsEncrypt.org
CloudFlare
Others
● SFTP (No FTP!)
● Wireless Caution
28https://flic.kr/p/6v1J1m

29. Secure Code Management
Take care of your code
● Use Version Control Software (VCS)
like Git
● Sanitize Data on transfer -
drushcommands.com/drush-8x/sql
/sql-sanitize
● Secure your Keys - https://lockr.io
29https://flic.kr/p/9BkXKV

30. Secure Support
Take care of your clients
● Catalog your sites
● Wednesdays - be ready
● Who is responsible?
● Who helps them?
● How do they escalate?
● Emergency Procedures
● Run the drill!
30https://flic.kr/p/rEwbwL

31. 31
● Use a secure (reliable, performant) Drupal host
● Configure Drupal carefully
● Use Security-enhancing Drupal modules
● Follow Drupal coding best practices
● Use secure communications (HTTPS, SFTP, …)
● Have secure code management habits
● Have clear support practices and procedures
In Summary

32. Questions?
Polly Wants a Cracker!
● @dgorton
● drew@pantheon.io
32https://flic.kr/p/pqiJNt