Website Security: Understanding and Implementing
https://flic.kr/p/8rvdmp
Drew Gorton
• Director of Agency and Community Outreach, Pantheon
• Founder, Gorton Studios (2001)
• Co-founder, NodeSquirrel (2012)
• Drupal 4.4 (~2004)
• Drupal Twin Cities
• @dgorton
Web content management is a dangerous thing
Data breaches are commonplace
Surely not me?! I’m so tiny!
Website security is not binary
https://flic.kr/p/h4TA84
Lesson from the real world: Safe Ratings
• Time (5 minutes, 30 minutes, …)
• Tools (hammer, drill, power saw, …)
• People (skill, number, …)
https://flic.kr/p/3yigw
Website security is a continuum
https://flic.kr/p/h4TA84
Perfect Security is a Myth
https://flic.kr/p/4p9Vi
Website security will always have gaps
https://flic.kr/p/5d4nKx
Today’s Goals
• Understand Landscape
• Have Fewer, Smaller Gaps
• Better Preparedness
• Examining Website Security in Layers
Layers
• Platform: Linux, Apache, MySQL, PHP …
• Application: Drupal, WordPress…
• Organizational: Habits, procedures, planning…
https://flic.kr/p/dp3nGo
Platform Layer
• Linux
• Apache
• MySQL
• PHP
• Varnish
• Redis
• …
https://flic.kr/p/mmgwkx
Guess: last week?
Platform Security: You do not want this monkey*
https://flic.kr/p/p8z6wN
Platform Security: Use Drupal hosting
https://www.drupal.org/hosting
Platform Security: Buyer beware. Not all hosting is equal
Platform Security: Gets even messier in the real world
Platform Security: There is a better way
Choose hosts wisely
How did you handle Heartbleed?
How did you handle DrupalGeddon?
Application Layer: Drupal
https://flic.kr/p/9Vx4ra
Drupal is flexible
• (Mis)configuration
• You can configure Drupal so that Anonymous Users can ____
  • Upload images
  • Change files
  • Edit the homepage
  • Turn on modules
  • Change themes
https://flic.kr/p/nze5Em
Secure Configuration
• Secure User 1
  • No simple passwords
  • Don’t share passwords across sites
  • Doesn’t have to be ‘admin’
• Permissions & Roles
  • Administer * is powerful
  • Administer filters can pwn site
  • No PHP (!!!)
• Update module
  • Wednesdays are security releases
  • Turn it on. Get the notifications. Do them
https://flic.kr/p/5pGcyx
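As an added example (not from the slides, and not a Drupal project script), the "Permissions & Roles" and "No PHP" points above can be turned into a check that runs against a bootstrapped Drupal 7 site, for instance with `drush php-script audit.php`. The function names and the list of permissions treated as dangerous are this example's own choices; the permission strings themselves are Drupal 7 core names.

```php
<?php
// Added example, not part of the slides: audit the Anonymous and
// Authenticated roles for the "Administer *" style permissions the deck
// warns about, and report whether the PHP filter module is enabled.
// Assumes a bootstrapped Drupal 7 site, e.g. `drush php-script audit.php`.
// The function names and the permission list are this example's own choices.

/**
 * Permissions that hand over the whole site when granted to everyone.
 * All are Drupal 7 core permission names.
 */
function example_dangerous_permissions() {
  return array(
    'administer filters',            // can enable a PHP text format
    'use PHP for settings',          // php.module: evaluates arbitrary PHP
    'administer modules',            // enable or disable any module
    'administer themes',
    'administer users',
    'administer permissions',
    'administer site configuration',
    'administer nodes',
    'bypass node access',
  );
}

/**
 * Returns an array of "Role: permission" strings for each dangerous
 * permission held by the built-in anonymous or authenticated role.
 */
function example_audit_builtin_roles() {
  $rids = array(DRUPAL_ANONYMOUS_RID => TRUE, DRUPAL_AUTHENTICATED_RID => TRUE);
  $names = user_roles();                       // rid => role name
  $dangerous = example_dangerous_permissions();
  $findings = array();

  // user_role_permissions() takes an array keyed by rid and returns
  // rid => array(permission => TRUE) for every permission the role holds.
  foreach (user_role_permissions($rids) as $rid => $granted) {
    foreach ($dangerous as $perm) {
      if (!empty($granted[$perm])) {
        $findings[] = $names[$rid] . ': ' . $perm;
      }
    }
  }

  // "No PHP (!!!)": the PHP filter module should not be enabled at all.
  if (module_exists('php')) {
    $findings[] = 'PHP filter module is enabled';
  }
  return $findings;
}

$findings = example_audit_builtin_roles();
if (empty($findings)) {
  print "OK: no dangerous permissions on the anonymous/authenticated roles.\n";
}
else {
  print "Review these grants:\n";
  foreach ($findings as $finding) {
    print "  - " . $finding . "\n";
  }
}
```

Anything the script reports can be revoked on the People > Permissions page or with `user_role_revoke_permissions($rid, array('administer filters'))`; the Security Review module listed later in the deck performs a similar set of checks on a schedule.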
Drupal Modules
• Paranoia
• Security Review
• Permissions Lock
• Secure Login
• Hacked!
• Password policy / Password strength
• Two Factor Authentication
Security Team
• Drupal 7 & 8 Core + Contrib
• Wednesdays are releases
• Process & Procedure
• Drupal 6 coverage available
https://flic.kr/p/qFLhg
Secure Coding
• https://www.drupal.org/writing-secure-code
• Doing Drupal Security Right - OWASP 10 and Drupal
  • Injection
  • XSS
  • CSRF
https://flic.kr/p/3dvqhG
Secure Coding: SQL Injection
http://xkcd.com/327/
db_query()
https://www.drupal.org/node/101496
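The slide names db_query() without showing the difference between a vulnerable and a safe call. The following is an added example (not from the slides or from Drupal core) of the same title search written three ways for a bootstrapped Drupal 7 site; the function names are this example's own, while db_query(), db_like() and db_select() are the Drupal 7 database API.

```php
<?php
// Added example, not part of the slides: passing user input to the
// Drupal 7 database layer. Assumes a bootstrapped Drupal 7 site; the
// function names are this example's own.

/**
 * Vulnerable: the keyword is spliced into the SQL text. A single quote in
 * the input ends the quoted literal, and whatever follows is executed as
 * SQL (the xkcd "Bobby Tables" case the deck links to).
 */
function example_search_titles_unsafe($keyword) {
  $sql = "SELECT nid, title FROM {node} WHERE status = 1 AND title LIKE '%" . $keyword . "%'";
  return db_query($sql)->fetchAllKeyed();   // nid => title
}

/**
 * Safe: a named placeholder. The driver sends the value separately from
 * the statement, so it can only ever be compared as data. db_like()
 * additionally escapes the LIKE wildcards % and _ so the user cannot
 * widen the match.
 */
function example_search_titles_safe($keyword) {
  return db_query(
    "SELECT nid, title FROM {node} WHERE status = 1 AND title LIKE :pattern",
    array(':pattern' => '%' . db_like($keyword) . '%')
  )->fetchAllKeyed();
}

/**
 * Same result through the query builder, which generates the placeholders
 * itself and is the usual choice for dynamic conditions.
 */
function example_search_titles_builder($keyword) {
  return db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.status', 1)
    ->condition('n.title', '%' . db_like($keyword) . '%', 'LIKE')
    ->execute()
    ->fetchAllKeyed();
}
```

The rule the two safe versions share is that no user-controlled string ever becomes part of the SQL text; table names in `{braces}` and placeholder names are fixed in the code, and everything that varies travels as a bound value.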

Cross Site Scripting (XSS)
• JavaScript to run browser actions in this website
• Up to 64% of websites vulnerable
• Use Filters! check_url(), check_plain(), filter_xss(), filter_xss_admin(), check_markup()
• t() function
• https://www.drupal.org/node/28984
https://flic.kr/p/5ALBHy
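The slide lists the filter functions but not which one fits which kind of output. As an added example (not from the slides or from Drupal core), the same profile fragment is rendered unsafely and then with the Drupal 7 functions named above, for a bootstrapped Drupal 7 site; the function names are this example's own.

```php
<?php
// Added example, not part of the slides: the same profile fragment rendered
// unsafely and then with the Drupal 7 filter functions the deck lists.
// Assumes a bootstrapped Drupal 7 site; the function names are this
// example's own.

/**
 * Vulnerable: $name, $bio and $homepage come from the user (URL, form,
 * database) and are concatenated straight into HTML. A <script> tag, an
 * onerror= attribute or a javascript: URL in any of them runs in the
 * browser of every visitor who views the profile.
 */
function example_profile_unsafe($name, $bio, $homepage) {
  return '<h2>' . $name . '</h2>'
    . '<div class="bio">' . $bio . '</div>'
    . '<a href="' . $homepage . '">Homepage</a>';
}

/**
 * Safe: choose the filter by what each field is allowed to contain.
 */
function example_profile_safe($name, $bio, $homepage) {
  // Plain text: check_plain() encodes <, >, &, " and ' so the browser
  // shows them literally instead of parsing them.
  $heading = '<h2>' . check_plain($name) . '</h2>';

  // Limited markup: filter_xss() keeps only the whitelisted tags and strips
  // script tags, event-handler attributes and dangerous URL schemes from
  // what remains. filter_xss_admin() is the looser variant for text entered
  // by trusted administrators; check_markup() applies a stored text format.
  $bio_html = '<div class="bio">'
    . filter_xss($bio, array('a', 'em', 'strong', 'p', 'br'))
    . '</div>';

  // URLs: check_url() strips javascript:, data: and other dangerous
  // schemes and then HTML-encodes the result for use in an attribute.
  $link = '<a href="' . check_url($homepage) . '">' . t('Homepage') . '</a>';

  // t() with an @placeholder runs check_plain() on the value for you
  // (%placeholder escapes too and wraps in <em>; !placeholder does not
  // escape and must never receive user input).
  $intro = '<p>' . t('This is the profile of @name.', array('@name' => $name)) . '</p>';

  return $heading . $intro . $bio_html . $link;
}
```

The practical habit is to escape at output time, once, with the filter that matches the context (text node, attribute, URL, rich text) rather than trying to clean input on the way in.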
Cross-Site Request Forgery (CSRF or XSRF)
• Actions on another site
• <a href="http://bank.com/transfer.do?acct=MARIA&amount=10000">View my Pictures!</a>
• Forms API, drupal_get_token(), drupal_valid_token()
• https://www.drupal.org/node/178896
https://flic.kr/p/bSkp8r
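As an added example (not from the slides or from any Drupal module), here is how the token pair named on the slide protects a state-changing link in a Drupal 7 module. It assumes a bootstrapped Drupal 7 site; the module name "example", the menu path and the {example_subscription} table are invented for the example.

```php
<?php
// Added example, not part of the slides: guarding a state-changing link in
// a Drupal 7 module with drupal_get_token() / drupal_valid_token().
// Assumes a bootstrapped Drupal 7 site. The module name "example", the path
// and the {example_subscription} table are this example's own inventions.
// (Forms built with the Forms API get the same protection automatically
// through the hidden form_token element; the manual token is for plain
// links and AJAX callbacks that change state.)

/**
 * Implements hook_menu().
 */
function example_menu() {
  $items['example/unsubscribe/%'] = array(
    'title' => 'Unsubscribe',
    'page callback' => 'example_unsubscribe',
    'page arguments' => array(2),
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Builds the link shown to the logged-in user. The token is derived from
 * the user's session and the value passed in, so it is specific both to
 * this visitor and to this list: another site cannot guess it, and a token
 * minted for list 7 does not validate for list 8.
 */
function example_unsubscribe_link($list_id) {
  $list_id = (int) $list_id;
  return l(t('Unsubscribe'), 'example/unsubscribe/' . $list_id, array(
    'query' => array('token' => drupal_get_token('example-unsubscribe-' . $list_id)),
  ));
}

/**
 * Page callback. Without the token check, a "View my Pictures!" style link
 * on any other site would unsubscribe whoever clicked it while logged in
 * here, because the browser sends this site's cookies along with the request.
 */
function example_unsubscribe($list_id) {
  global $user;
  $list_id = (int) $list_id;
  $token = isset($_GET['token']) ? $_GET['token'] : '';

  if (!drupal_valid_token($token, 'example-unsubscribe-' . $list_id)) {
    return MENU_ACCESS_DENIED;
  }

  // Token is valid: perform the state change, for the current user only.
  db_delete('example_subscription')
    ->condition('uid', $user->uid)
    ->condition('list_id', $list_id)
    ->execute();

  drupal_set_message(t('You have been unsubscribed from list %id.', array('%id' => $list_id)));
  drupal_goto('<front>');
}
```

The value passed to drupal_get_token() and drupal_valid_token() must be the same string and should identify the specific action, so that a token obtained for one harmless operation cannot be replayed against another.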
Organization Layer: Processes
https://flic.kr/p/5kaEda
Secure Networking
• HTTPS / SSL
  • LetsEncrypt.org
  • CloudFlare
  • Others
• SFTP (No FTP!)
• Wireless Caution
https://flic.kr/p/6v1J1m
Secure Code Management
• Use Version Control Software (VCS) like Git
• Sanitize Data on transfer - drushcommands.com/drush-8x/sql/sql-sanitize
• Secure your Keys - https://lockr.io
https://flic.kr/p/9BkXKV
Secure Support
• Catalog your sites
• Wednesdays - be ready
• Who is responsible?
• Who helps them?
• How do they escalate?
• Emergency Procedures
• Run the drill!
https://flic.kr/p/rEwbwL
In Summary
• Use a secure (reliable, performant) Drupal host.
• Configure Drupal carefully
• Use Security-enhancing Drupal modules
• Follow Drupal coding best practices
• Use secure communications (HTTPS, SFTP, …)
• Have secure code management habits
• Have clear support practices and procedures
Website Security: Questions?
https://flic.kr/p/pqiJNt
https://joind.in/17275
