Drupal Security Seminar
WE MATCH FRONT SEAT TECHNOLOGY AND CREATIVITY TO MEET YOUR DIGITAL PROJECTS.
AGENDA
1 KEEP YOUR DRUPAL ENVIRONMENT SECURE
2 SECURE DEVELOPMENT & SECURE CONFIGURATION
3 ACQUIA ON DRUPAL SECURITY
4 IBM TIVOLI ACCESS MANAGEMENT AND DRUPAL
DRUPAL SECURITY
WHY BOTHER? 1
ZAPPOS
SONY PLAYSTATION NETWORK
WHY BOTHER?
- Privacy laws
- Exposure of private information
- Compliance with legislation / internal rules
- Risk of reputational damage
- Risk of direct/indirect economic damage
IS DRUPAL SECURE? 2
IS OPEN SOURCE SECURE?
MANY EYES MAKE FOR SECURE CODE
- Security by obscurity
- Open code does not make it easier for hackers
- Open source makes people look at it
- Popularity gets more eyes and more peer reviews
- Not dependent on a vendor's time-scale
Bad open-source software is as bad as bad closed-source software.
OWASP TOP 10 VULNERABILITIES
- Injection
- Cross Site Scripting - XSS
- Broken Authentication and Session Management
- Insecure Direct Object Reference
- Cross Site Request Forgery - CSRF
- Security Misconfiguration
- Failure to Restrict URL Access
- Unvalidated Redirects and Forwards
- Insecure Cryptographic Storage
- Insufficient Transport Layer Protection
REPORTED VULNERABILITIES
IS DRUPAL SECURE? DURING BUILD OF A NEW DRUPAL WEBSITE
Drupal Architecture
- API is designed to be secure
- Contrib modules > custom modules
- Best practices
Build
- Secure Development
- Secure Configuration
- Audit contrib modules
- Code audit custom code
- Security Review
IS DRUPAL SECURE? DURING THE LIFECYCLE OF A DRUPAL WEBSITE
Who's checking Drupal
- Project maintainers
- Thousands of users
- Security researchers
- Government organisations
- Private organisations
Processes & Organisation
- Security Team
- Process for solving issues & releasing security updates
- Security Advisories
- Private disclosure practice
KEEP YOUR DRUPAL WEBSITE SECURE 3
SECURITY IS A PROCESS, NOT AN EVENT
WHO’S CHECKING DRUPAL
MANY EYES MAKE FOR SECURE CODE
- Project maintainers
- Thousands of users
- Security researchers
- Government organisations
- Private organisations
SECURITY TEAM
UNIQUE FOR AN OPEN SOURCE PROJECT
Tasks & Responsibilities
- Solve reported issues
- Assist contributors in solving issues
- Advise and provide documentation on secure development
- Advise and provide documentation on securing your Drupal website
What's supported
- Core Drupal 6 & 7
- Contributed modules for Drupal 6 & 7
A DRUPAL SECURITY RELEASE
FROM REPORTED ISSUE TO SECURITY UPDATE
SECURITY ADVISORIES
FOR CORE AND CONTRIBUTED MODULES PER YEAR

| Year | Core | Contributed |
|------|------|-------------|
| 2010 | 1    | 31          |
| 2009 | 8    | 115         |
| 2008 | 11   | 64          |
| 2007 | 11   | 21          |
| 2006 | 1    | 21          |
| 2005 | 7    | 2           |
PRIVATE DISCLOSURE
YOU’RE SAFE UNTIL THE SECURITY UPDATE IS RELEASED
- Vulnerability introduced into code
- Issue reported
- Maintainer is notified
- Maintainer fixes issue
- Review & discussions with security team
- Security Advisory written
- Release and announce
- Deployed in Drupal website
[Timeline figure; labels FD and PD]
UPDATE MANAGER
KNOW WHEN AN UPDATE IS NEEDED
- Check available updates
- Notifications
- Update through admin interface
SECURITY REVIEW MODULE
SECURITY HEALTH CHECK
STATUS MONITORING
INSIGHT INTO THE HEALTH OF YOUR DRUPAL WEBSITE
Tools
- Droptor.com (https://drupal.org/project/droptor)
- Acquia Insight (https://drupal.org/project/acquia_connector)
- Nagios (https://drupal.org/project/nagios)
- Drupalmonitor.com (https://drupal.org/project/drupalmonitor)
- …
BUILD A SECURE DRUPAL WEBSITE 4
CONTRIB
CONTRIBUTED MODULES
Quality assurance
- Usage
- Number of open issues
- Closed/open ratio
- Response time
Good quality usually means good security. Do manual code reviews for less-used modules.
UPDATES
Always stay up to date: keep up with the latest security releases.
Update workflow: Hacked! module + diff to spot local modifications, then drush up.
PATCHES
Contrib patches: read the entire issue; commit custom patches.
Help out: give feedback to other users and maintainers, and the patch might get committed.
Patch management: move the module to a patched folder, create a patches.txt, keep the patches.
CUSTOM
SECURITY PYRAMID
Menu & Node Access
Form API
DB API
Theme
CORRECT USE OF THE API
Form API: validation, form cache, $form_state, drupal_valid_token()
DB API: db_select(), db_insert(), placeholders, $query->addTag('node_access')
Filter: check_url(), check_plain(), check_markup(), filter_xss(), l(), drupal_set_title()
CODE REVIEWS
Coder module
Manual reviews
security_review module
THEMES
THEMES
The themer is not responsible for sanitizing output: do it in preprocess functions.
CONFIGURATION
PERMISSIONS
Permission management: if Joe from advertising can give the full_html filter format to anonymous users, don't bother thinking about security.
Split up permissions: the default permissions don't cover every use case.
PERMISSIONS
FILTER FORMATS
Never use full_html; use filtered_html instead.
Never use the PHP filter; use a custom module for code instead: you get versioning, and the PHP filter has bad performance (eval).
HACKS AND HOW TO PREVENT THEM
SQL INJECTION
"SELECT * FROM user WHERE name = '$name'"
"SELECT * FROM user WHERE name = 'Robert'; DROP TABLE students;'"
http://xkcd.com/327/
SQL INJECTION
Placeholders:
db_query("SELECT * FROM {users} WHERE name = :user", array(':user' => $user));
Dynamic queries:
$query = db_select('users', 'u')
  ->fields('u')
  ->condition('name', $user)
  ->execute();
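As an added example (not code from the seminar), the Drupal 7 database API patterns above carried a little further: bound placeholders, array placeholders for IN lists, db_like() for LIKE patterns, condition() on a dynamic query, and db_insert() for writes. The example_ functions and the {example_search_log} table are hypothetical; the db_* functions are core Drupal 7.

```php
<?php
// Added example, not from the seminar slides. Drupal 7 database API; the
// example_* functions and the {example_search_log} table are hypothetical.

/**
 * VULNERABLE: $name is pasted into the SQL text, so a value such as
 * "Robert'; DROP TABLE students;" changes the statement itself.
 */
function example_lookup_user_unsafe($name) {
  return db_query("SELECT uid, name FROM {users} WHERE name = '$name'")->fetchAssoc();
}

/**
 * SAFE: the value is bound to the :name placeholder, so the database driver
 * treats it as data whatever characters it contains.
 */
function example_lookup_user($name) {
  return db_query('SELECT uid, name FROM {users} WHERE name = :name',
    array(':name' => $name))->fetchAssoc();
}

/**
 * Array placeholders: Drupal expands :uids into a quoted IN (...) list with one
 * bound value per element. An empty array would produce "IN ()", so guard it.
 */
function example_load_names(array $uids) {
  if (empty($uids)) {
    return array();
  }
  return db_query('SELECT uid, name FROM {users} WHERE uid IN (:uids)',
    array(':uids' => $uids))->fetchAllKeyed();
}

/**
 * LIKE needs one more step: db_like() escapes % and _ inside the user value, so
 * the only wildcard is the one the code appends, not one the user typed.
 */
function example_search_titles($prefix) {
  return db_query('SELECT nid, title FROM {node} WHERE title LIKE :pattern',
    array(':pattern' => db_like($prefix) . '%'))->fetchAllKeyed();
}

/**
 * Dynamic query: condition() binds the value. where() is the raw variant and
 * expects a SQL snippet plus an array of arguments, not a bare value.
 */
function example_lookup_user_dynamic($name) {
  return db_select('users', 'u')
    ->fields('u', array('uid', 'name'))
    ->condition('u.name', $name)
    ->execute()
    ->fetchAssoc();
}

/**
 * Writes go through db_insert(): every field value is bound, none is
 * interpolated into the statement.
 */
function example_log_search($uid, $term) {
  return db_insert('example_search_log')
    ->fields(array(
      'uid' => (int) $uid,
      'term' => $term,
      'created' => REQUEST_TIME,
    ))
    ->execute();
}
```

The unsafe function is kept only to show the contrast with the slide's concatenated query; every other function passes user data exclusively as bound arguments, which is what makes the xkcd name harmless.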
XSS (cross site scripting)
http://vimeo.com/15447718
XSS (cross site scripting)
Validate forms: user input should never contain JavaScript.
Form API: never read $_POST; use $form_state['values'] and form caching.
XSS (cross site scripting)
User input: title, body, log message, URL, POST data, User-Agent, headers
XSS (cross site scripting)
Input formats: never use full_html
Filter functions: check_url(), check_plain(), check_markup(), filter_xss()
XSS (cross site scripting)
http://drupalscout.com/knowledge-base/drupal-text-filtering-cheat-sheet-drupal-6
XSS (cross site scripting)
Functions: t(), l(), drupal_set_title()
Placeholders in t(): @var => plain text, %var => plain text (emphasised), !var => full HTML, inserted as-is!
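The XSS slides above (filter functions, t() placeholders, Form API instead of $_POST) and the earlier Themes slide (sanitize in preprocess functions) combined into one added example; this is not code from the seminar. Everything prefixed example_ (the render function, the preprocess hook and the feedback form) is hypothetical; check_plain(), filter_xss(), check_markup(), check_url(), t(), l() and the Form API calls are core Drupal 7.

```php
<?php
// Added example, not from the seminar slides. Drupal 7 output escaping and
// Form API handling; the example_* functions and hooks are hypothetical.

/**
 * Render user-supplied fields; each gets the filter matching what it may contain.
 */
function example_render_post(array $post) {
  $out = array();
  // Plain-text field: escape everything.
  $out[] = '<h3>' . check_plain($post['title']) . '</h3>';
  // Limited HTML: keep a short tag whitelist; scripts and event handlers are stripped.
  $out[] = '<div>' . filter_xss($post['body'], array('p', 'a', 'em', 'strong')) . '</div>';
  // Text stored with a text format: run that format's filters (never full_html).
  $out[] = '<div>' . check_markup($post['bio'], 'filtered_html') . '</div>';
  // User-supplied URL: check_url() drops javascript: and other bad schemes and
  // returns the value already escaped for use in an attribute.
  $out[] = '<a href="' . check_url($post['homepage']) . '">' . check_plain($post['homepage']) . '</a>';
  // l() escapes the link text and builds the href itself.
  $out[] = l($post['author'], 'user/' . (int) $post['uid']);
  return implode("\n", $out);
}

/**
 * t() placeholders: @var and %var go through check_plain() (%var is also themed
 * as a placeholder); !var is inserted as-is, so only pass it HTML that is
 * already safe, such as the output of l().
 */
function example_status_message($name, $title, $nid) {
  return t('@name updated %title: !link', array(
    '@name' => $name,
    '%title' => $title,
    '!link' => l(t('view'), 'node/' . (int) $nid),
  ));
}

/**
 * Implements hook_preprocess_node(). Sanitize here so node.tpl.php only prints
 * $safe_log and the themer never has to remember to escape the revision log.
 */
function example_preprocess_node(&$variables) {
  $variables['safe_log'] = check_plain($variables['node']->log);
}

/**
 * Form builder: Drupal rebuilds (or, with form caching, reloads) this
 * definition on submit, so only declared fields end up in $form_state['values'].
 */
function example_feedback_form($form, &$form_state) {
  $form['subject'] = array(
    '#type' => 'textfield',
    '#title' => t('Subject'),
    '#required' => TRUE,
    '#maxlength' => 128,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Send'));
  return $form;
}

/** Validation handler: reject input that should never contain markup. */
function example_feedback_form_validate($form, &$form_state) {
  if ($form_state['values']['subject'] !== strip_tags($form_state['values']['subject'])) {
    form_set_error('subject', t('The subject may not contain HTML.'));
  }
}

/** Submit handler: read $form_state['values'], never $_POST. */
function example_feedback_form_submit($form, &$form_state) {
  drupal_set_message(t('Subject %subject received.',
    array('%subject' => $form_state['values']['subject'])));
}
```

The rule of thumb the block illustrates: pick the filter by what the field is allowed to contain (plain text, a tag whitelist, a text format, a URL), and push that choice into preprocess or render code rather than into the template.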
CSRF (cross site request forgery)
Taking action without confirming intent.
Link: <a href="/delete/user/1">Delete user 1</a>
Image tag: <img src="/delete/user/1">
A hacker posts a comment to the administrator; when the administrator views the image, user 1 gets deleted.
CSRF (cross site request forgery)
Token (aka nonce)
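An added example (not code from the seminar) of the two Drupal 7 defences for the delete-user scenario above: a confirmation form, whose POST carries the Form API token, and, for an action triggered by a plain link, a token generated with drupal_get_token() and checked with drupal_valid_token(). The module name "example", its permission and the two paths are hypothetical; hook_permission(), hook_menu(), confirm_form(), user_delete(), user_save() and the token functions are core Drupal 7.

```php
<?php
// Added example, not from the seminar slides. Hypothetical module "example"
// protecting state-changing actions against CSRF in Drupal 7.

/**
 * Implements hook_permission(): a dedicated permission instead of reusing
 * 'administer users', so it can be granted narrowly.
 */
function example_permission() {
  return array(
    'example delete users' => array(
      'title' => t('Delete user accounts through the example module'),
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Implements hook_menu().
 */
function example_menu() {
  $items = array();
  // Confirmation form: a GET to this URL only renders the form. The deletion
  // happens on POST, which carries the Form API token, so an <img src> or a
  // link cannot trigger it.
  $items['example/delete/user/%user'] = array(
    'title' => 'Delete account',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_delete_user_form', 3),
    'access arguments' => array('example delete users'),
    'type' => MENU_CALLBACK,
  );
  // Link-triggered action (GET): a token in the URL is mandatory.
  $items['example/block/user/%user'] = array(
    'page callback' => 'example_block_user',
    'page arguments' => array(3),
    'access arguments' => array('example delete users'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/** Confirmation form: asks for intent before deleting. */
function example_delete_user_form($form, &$form_state, $account) {
  $form['uid'] = array('#type' => 'value', '#value' => $account->uid);
  return confirm_form($form,
    t('Are you sure you want to delete %name?', array('%name' => format_username($account))),
    'admin/people', t('This action cannot be undone.'), t('Delete'), t('Cancel'));
}

/** Submit handler: only reached after a POST with a valid form token. */
function example_delete_user_form_submit($form, &$form_state) {
  user_delete($form_state['values']['uid']);
  drupal_set_message(t('The account has been deleted.'));
  $form_state['redirect'] = 'admin/people';
}

/** Builds the action link; the token is bound to the session and this path. */
function example_block_user_link($account) {
  $path = 'example/block/user/' . $account->uid;
  return l(t('Block'), $path, array('query' => array('token' => drupal_get_token($path))));
}

/** Page callback for the link: refuses any request without a matching token. */
function example_block_user($account) {
  $path = 'example/block/user/' . $account->uid;
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], $path)) {
    return MENU_ACCESS_DENIED;
  }
  user_save($account, array('status' => 0));
  drupal_set_message(t('%name has been blocked.', array('%name' => format_username($account))));
  drupal_goto('admin/people');
}
```

Prefer the confirmation form wherever the UI allows it: it both confirms intent and gets the token for free. The tokenised link is the fallback for actions that must stay a single click, and a forged <img src> or <a href> cannot carry a token it does not know.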
ACCESS BYPASS
Viewing content a user is not supposed to see.
$query = db_select('node', 'n')->fields('n'); also shows nodes that the user doesn't have access to.
$query->addTag('node_access'); rewrites the query based on the node_access table.
ACCESS BYPASS
Bad custom caching: an administrator visits a block listing nodes; the block gets cached; the cached block with all nodes is then shown to the anonymous user. Add the role id to the custom cache key.
ACCESS BYPASS
Rabbit Hole module: adds the ability to control what should happen when an entity is viewed at its own page.
Field access: $form['#access'] = custom_access_callback();
Menu access: $item['access callback'] = 'custom_access_callback';
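The three access-bypass slides above (the node_access tag, role-aware caching, and #access / access callbacks) as one added example; this is not code from the seminar. The module name "example_access", its permissions, the reports path and the field_internal_notes field are hypothetical; db_select(), the node_access tag, cache_get()/cache_set(), DRUPAL_CACHE_PER_ROLE, hook_menu() and the #access property are core Drupal 7.

```php
<?php
// Added example, not from the seminar slides. Hypothetical module
// "example_access": node_access tag, role-aware caching, a menu access
// callback and a field #access flag in Drupal 7.

/** Implements hook_permission(). */
function example_access_permission() {
  return array(
    'access example reports' => array('title' => t('Access example reports')),
    'edit internal notes' => array('title' => t('Edit internal notes')),
  );
}

/** VULNERABLE: lists every published node, ignoring node access grants. */
function example_access_recent_nodes_unsafe($limit = 10) {
  return db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.status', 1)
    ->orderBy('n.created', 'DESC')
    ->range(0, $limit)
    ->execute()
    ->fetchAllKeyed();
}

/**
 * FIXED: the node_access tag makes core rewrite the query against
 * {node_access} for the current user before it runs.
 */
function example_access_recent_nodes($limit = 10) {
  return db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.status', 1)
    ->orderBy('n.created', 'DESC')
    ->range(0, $limit)
    ->addTag('node_access')
    ->execute()
    ->fetchAllKeyed();
}

/**
 * Custom caching: the cache id includes the caller's role ids, so an
 * administrator's result is never served to an anonymous visitor. Where
 * grants are per user rather than per role, key on the uid instead.
 */
function example_access_recent_nodes_cached($limit = 10) {
  global $user;
  $rids = array_keys($user->roles);
  sort($rids);
  $cid = 'example_access:recent:' . (int) $limit . ':' . implode(',', $rids);
  if ($cache = cache_get($cid)) {
    return $cache->data;
  }
  $nodes = example_access_recent_nodes($limit);
  cache_set($cid, $nodes, 'cache', CACHE_TEMPORARY);
  return $nodes;
}

/** Implements hook_block_info(): the block system can do the per-role split for you. */
function example_access_block_info() {
  return array(
    'recent' => array('info' => t('Recent nodes'), 'cache' => DRUPAL_CACHE_PER_ROLE),
  );
}

/** Implements hook_menu(): route guarded by a custom access callback. */
function example_access_menu() {
  $items['example/reports'] = array(
    'title' => 'Reports',
    'page callback' => 'example_access_reports_page',
    'access callback' => 'example_access_reports_access',
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/** Access callback: permission check plus a business rule (active account). */
function example_access_reports_access($account = NULL) {
  if (!$account) {
    global $user;
    $account = $user;
  }
  return user_access('access example reports', $account) && !empty($account->status);
}

function example_access_reports_page() {
  $items = array();
  foreach (example_access_recent_nodes_cached() as $nid => $title) {
    $items[] = l($title, 'node/' . $nid);
  }
  return theme('item_list', array('items' => $items));
}

/**
 * Implements hook_form_BASE_FORM_ID_alter() for node_form: #access both hides
 * the field and stops a submitted value for it from being processed.
 */
function example_access_form_node_form_alter(&$form, &$form_state) {
  if (isset($form['field_internal_notes'])) {
    $form['field_internal_notes']['#access'] = user_access('edit internal notes');
  }
}
```

Note the order in the cached variant: the query is tagged first and the result cached per role set afterwards, so a cache hit can only ever return rows the same role set was allowed to see.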
CHECKLIST
CHECKLIST
Permissions: trusted users only; split default permissions
API: use preprocess functions; filter_xss(), check_plain(); DB API; Form API; tokens; menu/node access
Never use: full_html; PHP filter
FURTHER READING
FURTHER READING
Books: Cracking Drupal; Pro Drupal Development
Online:
- https://drupal.org/writing-secure-code
- https://drupal.org/node/360052
- http://munich2012.drupal.org/program/sessions/think-hacker-secure-drupal-code.html
- http://drupalscout.com/knowledge-base
Video: How to avoid "All your base are belong to us" (DrupalCon Denver)
SEND US A MESSAGE
OUR CONTACT INFORMATION
You can contact us at [email protected]
Our address: Veldkant 33A, 2550 Kontich
On the web: www.calibrate.be, linkedin.com/company/calibrate, twitter.com/calibrators