Knowing security best practices only gets a team so far. They have to implement them too. This session will cover the security risks that a web development team faces and the underlying reasons why risks can go unaddressed. Ultimately, there are no excuses for leaving your web projects exposed to known vulnerabilities. This session will cover common security concerns for Drupal and the root problems a team needs to solve in order to mitigate these risks. Points of discussion will include: Three layers of web security, from the perspective of Drupal: Platform-level (e.g. Linux), Application-level (e.g. Drupal), and Organizational-level (e.g. procedures) Familiarity with your hosting platform’s security-related practices.  Overview of common vulnerabilities in web applications (XSS, CSRF, HTTP vs HTTPS, etc.) Understanding how security concerns are handled for core and contrib. Clarifying support responsibilities and procedures so that security fixes are applied quickly.

1. W E B S I T E S E C U R I T Y
U N D E R S TA N D I N G A N D I M P L E M E N T I N G
https://flic.kr/p/8rvdmp

2. D R E W
G O R T O N
• Director of Agency and
Community Outreach,
Pantheon
• Founder, Gorton Studios (2001)
• Co-founder, NodeSquirrel
(2012)
• Drupal 4.4 (~2004)
• Drupal Twin Cities
• @dgorton

3. I S A D A N G E R O U S T H I N G
W E B C O N T E N T M A N A G E M E N T

4. C O M M O N P L A C E
D A TA B R E A C H E S A R E

5. S U R E LY N O T M E ? !
I ’ M S O T I N Y !

6. I S N O T B I N A RY
W E B S I T E S E C U R I T Y
https://flic.kr/p/h4TA84

7. L E S S O N F R O M
T H E R E A L W O R L D
Safe Ratings
• Time (5 minutes, 30
minutes, …)
• Tools (hammer, drill, power
saw, …)
• People (skill, number, …)
https://flic.kr/p/3yigw

8. I S A C O N T I N U U M
W E B S I T E S E C U R I T Y
https://flic.kr/p/h4TA84

9. Perfect Security is a Myth
https://flic.kr/p/4p9Vi

10. W I L L A LWAY S H AV E G A P S
W E B S I T E S E C U R I T Y
https://flic.kr/p/5d4nKx

11. T O D AY ’ S G O A L S
• Understand Landscape
• Have Fewer, Smaller Gaps
• Better Preparedness
• Examining Website Security in Layers

12. L AY E R S
• Platform: Linux,
Apache, MySQL,
PHP …
• Application:
Drupal,
WordPress…
• Organizational:
Habits, procedures,
planning…
https://flic.kr/p/dp3nGo

13. P L AT F O R M
L AY E R
• Linux
• Apache
• MySQL
• PHP
• Varnish
• Redis
• …
https://flic.kr/p/mmgwkxG U E S S : L A S T W E E K ?

14. Y O U D O N O T WA N T T H I S M O N K E Y *
P L A T F O R M S E C U R I T Y:
https://flic.kr/p/p8z6wN

15. D R U PA L H O S T I N G
P L A T F O R M S E C U R I T Y: U S E
H T T P S : / / W W W. D R U PA L . O R G / H O S T I N G

16. N O T A L L H O S T I N G I S E Q U A L
P L A T F O R M S E C U R I T Y: B U Y E R B E WA R E

17. I N T H E R E A L W O R L D
P L A T F O R M S E C U R I T Y: G E T S E V E N M E S S I E R

18. A B E T T E R WAY
P L A T F O R M S E C U R I T Y: T H E R E I S

19. C H O O S E H O S T S W I S E LY
How did you handle Heartbleed?
How did you handle DrupalGeddon?

20. D R U PA L
A P P L I C A T I O N L A Y E R
https://flic.kr/p/9Vx4ra

21. D R U PA L I S
F L E X I B L E
• (Mis) Configuration
• You can configure Drupal so
that Anonymous Users can ____
• Upload images
• Change files
• Edit the homepage
• Turn on modules
• Change themes
https://flic.kr/p/nze5Em

22. S E C U R E
C O N F I G U R AT I O N
• Secure User 1
• No simple passwords
• Don’t share passwords across sites
• Doesn’t have to be ‘admin’
• Permissions & Roles
• Administer * is powerful
• Administer filters can pwn site
• No PHP (!!!)
• Update module
• Wednesdays are security releases
• Turn it on. Get the notifications. Do them
https://flic.kr/p/5pGcyx

23. D R U PA L
M O D U L E S
• Paranoia
• Security Review
• Permissions Lock
• Secure Login
• Hacked!
• Password policy / Password
strength
• Two Factor Authentication

24. S E C U R I T Y
T E A M
• Drupal 7 & 8 Core +
Contrib
• Wednesdays are
releases
• Process & Procedure
• Drupal 6 coverage
available
https://flic.kr/p/qFLhg

25. S E C U R E
C O D I N G
• https://www.drupal.org/
writing-secure-code
• Doing Drupal Security
Right - OWASP 10 and
Drupal
• Injection
• XSS
• CRSF
https://flic.kr/p/3dvqhG

26. S Q L I N J E C T I O N
S E C U R E C O D I N G
http://xkcd.com/327/
db_query()
https://www.drupal.org/node/101496

27. C R O S S S I T E
S C R I P T I N G ( X S S )
• JavaScript to run browser actions
in this website
• Up to 64% of websites vulnerable
• Use Filters! check_url(),
check_plain(), filter_xss(),
filter_xss_admin(),
check_markup()
• t() function
• https://www.drupal.org/node/
28984
https://flic.kr/p/5ALBHy

28. C R O S S - S I T E
R E Q U E S T F O R G E RY
( C S R F O R X S R F )
• Actions on another site
• <a href="http://bank.com/
transfer.do?
acct=MARIA&amount=10000
">View my Pictures!</a>
• Forms API ,
drupal_get_token(),
drupal_valid_token()
• https://www.drupal.org/
node/178896
https://flic.kr/p/bSkp8r

29. P R O C E S S E S
O R G A N I Z A T I O N L A Y E R
https://flic.kr/p/5kaEda

30. S E C U R E
N E T W O R K I N G
• HTTPS / SSL
• LetsEncrypt.org
• CloudFlare
• Others
• SFTP (No FTP!)
• Wireless Caution
https://flic.kr/p/6v1J1m

31. S E C U R E C O D E
M A N A G E M E N T
• Use Version Control
Software (VCS) like Git
• Sanitize Data on transfer -
drushcommands.com/
drush-8x/sql/sql-sanitize
• Secure your Keys - https://
lockr.io
https://flic.kr/p/9BkXKV

32. S E C U R E
S U P P O R T
• Catalog your sites
• Wednesdays - be ready
• Who is responsible?
• Who helps them?
• How do they escalate?
• Emergency Procedures
• Run the drill!
https://flic.kr/p/rEwbwL

33. I N S U M M A RY
• Use a secure (reliable, performant) Drupal host.
• Configure Drupal carefully
• Use Security-enhancing Drupal modules
• Follow Drupal coding best practices
• Use secure communications (HTTPS, SFTP, …)
• Have secure code management habits
• Have clear support practices and procedures

34. Q U E S T I O N S ?
W E B S I T E S E C U R I T Y
https://flic.kr/p/pqiJNt

35. H T T P S : / / J O I N D . I N / 1 7 2 7 5