Knowing security best practices only gets a team so far. They have to implement them too. This session will cover the security risks that a web development team faces and the underlying reasons why risks can go unaddressed. Ultimately, there are no excuses for leaving your web projects exposed to known vulnerabilities. This session will cover common security concerns for Drupal and the root problems a team needs to solve in order to mitigate these risks.
Points of discussion will include:
Three layers of web security, from the perspective of Drupal: Platform-level (e.g. Linux), Application-level (e.g. Drupal), and Organizational-level (e.g. procedures)
Familiarity with your hosting platform’s security-related practices.
Overview of common vulnerabilities in web applications (XSS, CSRF, HTTP vs HTTPS, etc.)
Understanding how security concerns are handled for core and contrib.
Clarifying support responsibilities and procedures so that security fixes are applied quickly.
Understanding and Implementing Website Security
1. UNDERSTANDING AND IMPLEMENTING WEBSITE SECURITY
https://flic.kr/p/8rvdmp
2. DREW GORTON
• Director of Agency and Community Outreach, Pantheon
• Founder, Gorton Studios (2001)
• Co-founder, NodeSquirrel (2012)
• Drupal 4.4 (~2004)
• Drupal Twin Cities
• @dgorton
3. WEB CONTENT MANAGEMENT IS A DANGEROUS THING
4. DATA BREACHES ARE COMMONPLACE
6. WEBSITE SECURITY IS NOT BINARY
https://flic.kr/p/h4TA84
7. LESSON FROM THE REAL WORLD
Safe Ratings
• Time (5 minutes, 30 minutes, …)
• Tools (hammer, drill, power saw, …)
• People (skill, number, …)
https://flic.kr/p/3yigw
8. WEBSITE SECURITY IS A CONTINUUM
https://flic.kr/p/h4TA84
10. WEBSITE SECURITY WILL ALWAYS HAVE GAPS
https://flic.kr/p/5d4nKx
11. TODAY’S GOALS
• Understand Landscape
• Have Fewer, Smaller Gaps
• Better Preparedness
• Examining Website Security in Layers
12. LAYERS
• Platform: Linux, Apache, MySQL, PHP …
• Application: Drupal, WordPress…
• Organizational: Habits, procedures, planning…
https://flic.kr/p/dp3nGo
13. PLATFORM LAYER
• Linux
• Apache
• MySQL
• PHP
• Varnish
• Redis
• …
https://flic.kr/p/mmgwkx
GUESS: LAST WEEK?
14. PLATFORM SECURITY: YOU DO NOT WANT THIS MONKEY *
https://flic.kr/p/p8z6wN
15. PLATFORM SECURITY: USE DRUPAL HOSTING
https://www.drupal.org/hosting
16. PLATFORM SECURITY: BUYER BEWARE
NOT ALL HOSTING IS EQUAL
17. PLATFORM SECURITY: GETS EVEN MESSIER
IN THE REAL WORLD
18. PLATFORM SECURITY: THERE IS A BETTER WAY
19. CHOOSE HOSTS WISELY
How did you handle Heartbleed?
How did you handle DrupalGeddon?
20. APPLICATION LAYER: DRUPAL
https://flic.kr/p/9Vx4ra
21. DRUPAL IS FLEXIBLE
• (Mis) Configuration
• You can configure Drupal so that Anonymous Users can ____
  • Upload images
  • Change files
  • Edit the homepage
  • Turn on modules
  • Change themes
https://flic.kr/p/nze5Em
22. SECURE CONFIGURATION
• Secure User 1
  • No simple passwords
  • Don’t share passwords across sites
  • Doesn’t have to be ‘admin’
• Permissions & Roles
  • Administer * is powerful
  • Administer filters can pwn site
  • No PHP (!!!)
• Update module
  • Wednesdays are security releases
  • Turn it on. Get the notifications. Do them
https://flic.kr/p/5pGcyx
23. DRUPAL MODULES
• Paranoia
• Security Review
• Permissions Lock
• Secure Login
• Hacked!
• Password policy / Password strength
• Two Factor Authentication
24. SECURITY TEAM
• Drupal 7 & 8 Core + Contrib
• Wednesdays are releases
• Process & Procedure
• Drupal 6 coverage available
https://flic.kr/p/qFLhg
25. SECURE CODING
• https://www.drupal.org/writing-secure-code
• Doing Drupal Security Right - OWASP 10 and Drupal
  • Injection
  • XSS
  • CSRF
https://flic.kr/p/3dvqhG
26. SECURE CODING: SQL INJECTION
http://xkcd.com/327/
db_query()
https://www.drupal.org/node/101496
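The point behind the db_query() bullet, as an added example that is not part of the slides: the same node lookup on a Drupal 7 site written unsafely and then with the database layer's placeholders. The untrusted `$type` query-string parameter is assumed.

```php
<?php
// Added example, not from the slides. $type is assumed to arrive from an
// untrusted query-string parameter on a Drupal 7 site.
$type = isset($_GET['type']) ? $_GET['type'] : 'article';

// UNSAFE: the value is spliced into the SQL text. A quote character in $type
// ends the string literal and whatever follows is parsed as SQL.
// $result = db_query("SELECT nid, title FROM {node} WHERE type = '" . $type . "'");

// SAFE: named placeholders. The value is sent to the database separately
// from the query text, so it is only ever treated as data.
$result = db_query(
  'SELECT nid, title FROM {node} WHERE type = :type AND status = :status',
  array(':type' => $type, ':status' => 1)
);

// SAFE: the query builder parameterises condition() values the same way.
$result = db_select('node', 'n')
  ->fields('n', array('nid', 'title'))
  ->condition('type', $type)
  ->condition('status', 1)
  ->execute();

foreach ($result as $row) {
  // Escape on output as well; see the XSS slide.
  print check_plain($row->title) . "\n";
}
```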
27. CROSS SITE SCRIPTING (XSS)
• JavaScript to run browser actions in this website
• Up to 64% of websites vulnerable
• Use Filters! check_url(), check_plain(), filter_xss(), filter_xss_admin(), check_markup()
• t() function
• https://www.drupal.org/node/28984
https://flic.kr/p/5ALBHy
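The filter functions from the slide applied to user-controlled profile text, as an added example that is not part of the slides. The `$name`, `$bio` and `$link` values are constructed hostile inputs; which one to use depends on whether the text is plain, limited HTML, a URL, or a text-format field.

```php
<?php
// Added example, not from the slides. Inputs are constructed to show what
// each Drupal 7 output filter does with hostile text.
$name = '<script>alert(1)</script>';                          // constructed
$bio  = 'Hello <b>world</b> <img src=x onerror=alert(1)>';    // constructed
$link = 'javascript:alert(1)';                                // constructed

// UNSAFE: raw output runs the script inside this site's origin.
// print '<h2>' . $name . '</h2>';

// Plain text that must never become markup: escape every special character.
print '<h2>' . check_plain($name) . '</h2>';
// -> <h2>&lt;script&gt;alert(1)&lt;/script&gt;</h2>

// Text that may carry limited HTML: keep only whitelisted tags and drop
// the rest, including event-handler attributes such as onerror.
print '<p>' . filter_xss($bio, array('b', 'i', 'em', 'strong', 'a')) . '</p>';

// Text entered by trusted administrators: a wider tag list, still no script.
print filter_xss_admin($bio);

// URLs destined for href/src attributes: strips dangerous protocols
// such as javascript: and escapes the remainder for the attribute.
print '<a href="' . check_url($link) . '">profile</a>';

// t(): @placeholders are escaped, !placeholders are inserted raw.
// Always use @ (or %) for anything a user typed.
print t('Welcome, @name', array('@name' => $name));

// Body-style text stored with a text format: check_markup() runs that
// format's configured filters, so the format configuration decides what survives.
print check_markup($bio, 'filtered_html');
```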
28. CROSS-SITE REQUEST FORGERY (CSRF OR XSRF)
• Actions on another site
• <a href="http://bank.com/transfer.do?acct=MARIA&amount=10000">View my Pictures!</a>
• Forms API, drupal_get_token(), drupal_valid_token()
• https://www.drupal.org/node/178896
https://flic.kr/p/bSkp8r
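How the token pair from the slide protects a state-changing link, as an added example that is not part of the slides. Forms built with the Drupal 7 Forms API get this token automatically for authenticated users; the explicit drupal_get_token()/drupal_valid_token() pair is for actions triggered by a plain link. The module name `mymod`, its menu path and the unpublish action are assumptions.

```php
<?php
// Added example, not from the slides. Module name, path and action are assumed.

/**
 * Implements hook_menu(). Assumed custom module "mymod".
 */
function mymod_menu() {
  $items['mymod/unpublish/%node'] = array(
    'title' => 'Unpublish',
    'page callback' => 'mymod_unpublish',
    'page arguments' => array(2),
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Builds the link. The token is derived from the current session and the
 * given value, so it is specific to this user and this node.
 */
function mymod_unpublish_link($node) {
  $token = drupal_get_token('mymod_unpublish_' . $node->nid);
  return l(t('Unpublish'), 'mymod/unpublish/' . $node->nid, array(
    'query' => array('token' => $token),
  ));
}

/**
 * Page callback. Access is only half the check: a link forged on another
 * site is sent with the victim's cookies, so it would pass 'administer nodes'.
 * It cannot carry a matching token, so the action is refused.
 */
function mymod_unpublish($node) {
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], 'mymod_unpublish_' . $node->nid)) {
    return MENU_ACCESS_DENIED;
  }
  $node->status = NODE_NOT_PUBLISHED;
  node_save($node);
  drupal_set_message(t('%title has been unpublished.', array('%title' => $node->title)));
  drupal_goto('node/' . $node->nid);
}
```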
29. ORGANIZATION LAYER: PROCESSES
https://flic.kr/p/5kaEda
30. SECURE NETWORKING
• HTTPS / SSL
  • LetsEncrypt.org
  • CloudFlare
  • Others
• SFTP (No FTP!)
• Wireless Caution
https://flic.kr/p/6v1J1m
31. SECURE CODE MANAGEMENT
• Use Version Control Software (VCS) like Git
• Sanitize Data on transfer - drushcommands.com/drush-8x/sql/sql-sanitize
• Secure your Keys - https://lockr.io
https://flic.kr/p/9BkXKV
32. SECURE SUPPORT
• Catalog your sites
• Wednesdays - be ready
• Who is responsible?
• Who helps them?
• How do they escalate?
• Emergency Procedures
• Run the drill!
https://flic.kr/p/rEwbwL
33. IN SUMMARY
• Use a secure (reliable, performant) Drupal host.
• Configure Drupal carefully
• Use Security-enhancing Drupal modules
• Follow Drupal coding best practices
• Use secure communications (HTTPS, SFTP, …)
• Have secure code management habits
• Have clear support practices and procedures
34. WEBSITE SECURITY
QUESTIONS?
https://flic.kr/p/pqiJNt