Training: Best Practices for Drupal Security
![Page 1: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/1.jpg)
Training: Best Practices for Drupal Security
Cash Williams, Technical Consultant, Acquia
Ben Jeavons, Sr. Software Engineer, Acquia
David Stoline, Technical Consultant, Acquia
![Page 2: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/2.jpg)
Drupal Security
Vulnerabilities and risks on the web
Understanding user input and evaluating trust
Tips and further best practices for security
![Page 3: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/3.jpg)
Principle ideas
Don’t trust user input
Stay up-to-date
Defense in depth
![Page 4: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/4.jpg)
http://www.forbes.com/sites/cherylsnappconner/2013/09/14/are-you-prepared-71-of-cyber-attacks-hit-small-business/
![Page 5: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/5.jpg)
“traffic at Target tanked after news that hackers stole data from 40 million credit and debit cards used at Target”
http://qz.com/181703/shoppers-decided-to-avoid-target-after-its-giant-data-breach
https://www.flickr.com/photos/roadsidepictures/2923629922
![Page 6: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/6.jpg)
Heartbleed
Massive vulnerability affecting ~66% of the internet
Allowed arbitrary memory leaks exposing usernames, passwords, certificate private keys, etc.
![Page 7: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/7.jpg)
Hands-on training
DrupalCon Austin, Monday June 2nd
austin2014.drupal.org/node/1118
Register before May 2nd to save $75
![Page 8: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/8.jpg)
Drupal vulnerabilities and risks
![Page 9: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/9.jpg)
Vulnerabilities by popularity
Reported in core and contrib SAs from June 1 2005 through October 1 2013, drupalsecurityreport.com
![Page 10: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/10.jpg)
Vulnerabilities by type
Reported in SAs from June 1 2005 through October 1 2013, drupalsecurityreport.com
![Page 11: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/11.jpg)
Drupal in the wild
Most vulnerabilities exist in:
Custom code (modules or themes)
Insecure configuration or practices
Out-of-date code
![Page 12: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/12.jpg)
66% likelihood that a website is vulnerable to Cross-Site Scripting
http://whitehatsec.com/home/assets/presentations/09PPT/PPT_statsfall09_8th.pdf
![Page 13: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/13.jpg)
User input is the root of all evil
![Page 14: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/14.jpg)
User input
What pages have forms?
Nodes and comments
Webforms
Other properties of HTTP requests
![Page 15: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/15.jpg)
Raw user input
Output
![Page 16: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/16.jpg)
Trust
![Page 17: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/17.jpg)
Trust
Know your site’s Drupal roles and permissions
Evaluate permissions of new modules
Maintain strong passwords
![Page 18: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/18.jpg)
Trust
Principle of least privilege
Give only the necessary permissions to complete the required work
![Page 19: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/19.jpg)
Admin permissions
Administer permissions
Administer users
Administer filters
Administer content types
Administer site configuration
Contrib module admin permissions?
![Page 20: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/20.jpg)
Strong passwords
Ensure administrators have strong passwords
drupal.org/project/password_policy
![Page 21: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/21.jpg)
Best practices
![Page 22: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/22.jpg)
Stay up to date
Follow release schedules
Update Manager
@drupalcore & @drupalsecurity
Apply appropriate updates
![Page 23: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/23.jpg)
Update process
Stage and dev environments for testing changes
![Page 24: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/24.jpg)
Update process
Stage and dev environments for testing changes
drush pm-updatecode
VCS (git) for quick deploys
![Page 25: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/25.jpg)
Backups
If it isn’t tested then it doesn’t work
![Page 26: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/26.jpg)
Backups
How complicated is your restore process?
Is every step documented?
Can a restore be done by someone filling in for a position?
Are there any technical barriers to performing a restore?
Are the backups and procedure regularly tested?
How long will the restore take?
![Page 27: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/27.jpg)
Logs
Enable logging and save log data
Fix application errors and warnings to remove noise
Aggregate log data to better analyze it
![Page 28: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/28.jpg)
10 PM: Do you know where your data are?
![Page 29: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/29.jpg)
Sensitive Data
Where is sensitive data and is it protected?
Ensure a project repo does not have sensitive data, including the repo history
Non-production databases should be sanitized
Use encryption
![Page 30: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/30.jpg)
Principle ideas from today
![Page 31: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/31.jpg)
Principle ideas
Don’t trust user input
Stay up-to-date
Defense in depth
![Page 32: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/32.jpg)
More resources
drupalsecurityreport.com
drupal.org/developing/best-practices
drupal.org/security/secure-configuration
drupal.org/writing-secure-code
![Page 33: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/33.jpg)
Hands-on Training
DrupalCon Austin, Monday June 2
austin2014.drupal.org/node/1118
Register before May 2nd to save $75
![Page 34: Training: Best Practices for Drupal Security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ae352b4c905ba058b4e8c/html5/thumbnails/34.jpg)
Thank you
Cash Williams, @cashwilliams
Ben Jeavons, @benswords
David Stoline, @unncola