drupal security - configuration and process
DESCRIPTION
"Drupal security - Configuration and process" session slides from Drupalcon Copenhagen. Co-prepared and co-presented with Ben Jeavons from Growing Venture Solutions (http://growingventuresolutions.com/)TRANSCRIPT
VPS.net24. aug 14:45
Drupal SecurityGábor Hojtsy & Ben Jeavons
Tuesday, August 31, 2010
Who we are
• Ben Jeavons
• Drupal Security Report
• Growing Venture Solutions
• Security Team Member
• Gábor Hojtsy
• Drupal 6 co-maintainer
• Acquia
• Security Team Member
Tuesday, August 31, 2010
Web security
• Protecting resources from abuse
• Protecting data
• Protecting available actions
• Attackers exploit a weakness to do harm
Tuesday, August 31, 2010
Demo
• Malicious Javascript is entered
• Admin unknowingly executes
• Javascript alters admin-only settings
• Changes admin password
• Puts site offline
Tuesday, August 31, 2010
66%likeliness a website has
Cross Site Scripting
http://whitehatsec.com/home/assets/presentations/09PPT/PPT_statsfall09_8th.pdf
Tuesday, August 31, 2010
Vulnerabilities by popularity
XSS Access Bypass CSRFAuthentication/Session Arbitrary Code Execution SQL InjectionOthers
48%
16%
10%
3%
4%
7%
12%
http://drupalsecurityreport.org
Tuesday, August 31, 2010
Lots of risks
• Prioritize your actions
• Secure configuration
• Careful processes
• Keep code up-to-date
• Audit custom code
Tuesday, August 31, 2010
Smart configuration
• Control user input
• Input formats
• Trust
• Roles and permissions
Tuesday, August 31, 2010
Input formats
• Input formats control what happens when user-supplied data is displayed
Tuesday, August 31, 2010
Input formats
• Filtered HTML for untrusted roles
• Full HTML for completely trusted roles
Tuesday, August 31, 2010
Filtered HTML
• HTML filter
• Limits the allowed tags
Tuesday, August 31, 2010
Unsafe HTML tags
• Script tags or any that allow JS events
• <script>
• Any that allow URL reference
• <img>
Tuesday, August 31, 2010
No image tags?!
• Image tags allow for CSRF attacks
• It’s a matter of trust
• Use CCK & imagefield
• Use control access to Full HTML
Tuesday, August 31, 2010
Trust
• Know your roles
• Which users have which roles
• How roles are granted
Tuesday, August 31, 2010
“Super-admin” permissions
• Administer permissions
• Administer users
• Administer filters
• Administer content types
• Administer site configuration
Tuesday, August 31, 2010
Trust
• Utilize principle of Least Privilege
• Grant only the necessary permissions to carry out the required work
Tuesday, August 31, 2010
Tuesday, August 31, 2010
Recovering from attack
• Restore from backup
• Upgrade to latest security releases
• Change your passwords
• Audit your configuration & custom code
Tuesday, August 31, 2010
Backups
• You do have backups, don’t you?
• phpMyAdmin > Export
• mysqldump on the command line
• Be sure to check they worked!
Tuesday, August 31, 2010
Open source is secure
• Source code is open for people to look at
• Popularity means eyes on code
• Collaboration increases code quality
Tuesday, August 31, 2010
Drupal is secure
• Drupal APIs are designed to be secure
• http://drupal.org/writing-secure-code
Tuesday, August 31, 2010
Drupal security team
• Team of volunteers
• Support core and all(!) of contrib
• Not actively reviewing all contrib projects
Tuesday, August 31, 2010
Security Advisories
• Only stable project releases
• SAs on Wednesdays
• New core release types
• Bug fix release / Security fix release
Tuesday, August 31, 2010
Stay up-to-date
• Know about security updates
• Security Advisories
• Update status module
• Mailing list, RSS, Twitter
• Apply them!
Tuesday, August 31, 2010
Security updates
• Most security updates are small
• But not always
• Apply updates to development instance
• Test, then apply to production
Tuesday, August 31, 2010
FTP
• Do not use it!
• Common vector for attack
• Really, we’ve moved past plain-text
Tuesday, August 31, 2010
SFTP
• “Secure” FTP
• Your host should provide it
• If not, consider a new one
Tuesday, August 31, 2010
SSL
• Run Drupal on full SSL
• Use securepages and securepages_prevent_hijack modules
• http://crackingdrupal.com/blog/greggles/drupal-and-ssl-multiple-recipes-possible-solutions-https
• Use a valid certificate
Tuesday, August 31, 2010
Security Review
• http://drupal.org/project/security_review
• File system permissions
• Granted “super-admin” permissions
• Input formats
• Allowed upload extensions
• PHP & Javascript in content
Tuesday, August 31, 2010
• Security Advisories
• http://drupal.org/security
• Handbooks
• http://drupal.org/security/secure-configuration
• http://drupal.org/writing-secure-code
• Cracking Drupal Book
• http://crackingdrupal.com
• http://www.owasp.org/
Tuesday, August 31, 2010
http://cph2010.drupal.org/node/12628
Tuesday, August 31, 2010