Training: Best Practices for Drupal Security
Cash Williams, Technical Consultant, Acquia
Ben Jeavons, Sr. Software Engineer, Acquia
David Stoline, Technical Consultant, Acquia
Drupal Security
Vulnerabilities and risks on the web
Understanding user input and evaluating trust
Tips and further best practices for security
Principle ideas
Don’t trust user input
Stay up-to-date
Defense in depth
http://www.forbes.com/sites/cherylsnappconner/2013/09/14/are-you-prepared-71-of-cyber-attacks-hit-small-business/
“traffic at Target tanked after news that hackers stole data from 40 million credit and debit cards used at Target“
http://qz.com/181703/shoppers-decided-to-avoid-target-after-its-giant-data-breach
https://www.flickr.com/photos/roadsidepictures/2923629922
Heartbleed
Massive vulnerability affecting ~66% of the internet. Allowed arbitrary memory leaks exposing usernames, passwords, certificate private keys, etc.
Hands-on training
DrupalCon Austin, Monday June 2nd
austin2014.drupal.org/node/1118
Register before May 2nd to save $75
Drupal vulnerabilities and risks
reported in core and contrib SAs from June 1 2005 through October 1 2013, drupalsecurityreport.com
Vulnerabilities by popularity
reported in SAs June 1 2005 through October 1 2013, drupalsecurityreport.com
Vulnerabilities by type
Drupal in the wild
Most vulnerabilities exist
In custom code (modules or themes)
Insecure configuration or practices
Out-of-date code
66% likelihood that a website is vulnerable to Cross-Site Scripting
http://whitehatsec.com/home/assets/presentations/09PPT/PPT_statsfall09_8th.pdf
User input is the root of all evil
User input
What pages have forms?
Nodes and comments
Webforms
Other properties of HTTP requests
Raw user input
Output
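The slide's point is that raw user input becomes dangerous at the moment it is output. The following is an added example, not code from the slides or from Drupal itself: it renders one constructed comment body both unescaped and escaped. The two helpers are simplified stand-ins that mirror what Drupal 7's check_plain() and format_string() do (escaping for @ placeholders, an emphasised placeholder for %, raw insertion for !); in a real module you would call the Drupal functions, not these stand-ins.

```php
<?php
// Added example (not from the slides). Stand-ins below approximate Drupal 7's
// check_plain() and format_string(); call the real API in a module.

// Stand-in for check_plain(): encode HTML special characters so the browser
// displays the text instead of interpreting it as markup.
function check_plain_standin($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for format_string(): '@var' is escaped, '%var' is escaped and
// wrapped as an emphasised placeholder, '!var' is inserted raw and must
// already be safe markup (avoid it for anything user-supplied).
function format_string_standin($string, array $args) {
    foreach ($args as $key => $value) {
        switch ($key[0]) {
            case '@':
                $args[$key] = check_plain_standin($value);
                break;
            case '%':
                $args[$key] = '<em class="placeholder">' . check_plain_standin($value) . '</em>';
                break;
            case '!':
                // Raw: the caller is asserting this is already safe.
                break;
        }
    }
    return strtr($string, $args);
}

// VULNERABLE: user input concatenated straight into the page.
function render_comment_unsafe($author, $body) {
    return '<div class="comment"><strong>' . $author . '</strong> wrote: ' . $body . '</div>';
}

// SAFE: every user-supplied value is escaped at the point of output.
function render_comment_safe($author, $body) {
    return format_string_standin(
        '<div class="comment"><strong>@author</strong> wrote: @body</div>',
        array('@author' => $author, '@body' => $body)
    );
}

// Constructed sample input, as it might arrive from a comment form.
$author = 'mallory';
$body   = '<script>alert("xss")</script>';

echo render_comment_unsafe($author, $body), PHP_EOL;  // script tag reaches the browser intact
echo render_comment_safe($author, $body), PHP_EOL;    // rendered as visible text, not executed

// Input is not only form fields: query strings, cookies and request headers are
// attacker-controlled too and need the same treatment on output.
$name = isset($_GET['name']) ? $_GET['name'] : 'anonymous';
echo format_string_standin('<p>Hello @name</p>', array('@name' => $name)), PHP_EOL;
```

Run it with `php example.php` and compare the two comment lines: the first contains a live script element, the second contains the same characters entity-encoded. The design choice worth copying is that escaping happens in the rendering function, not at input time, so the stored value stays intact for other contexts (mail, JSON, logs) while every HTML output path is covered.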
Trust
Trust
Know your site’s Drupal roles and permissions
Evaluate permissions of new modules
Maintain strong passwords
Trust
Principle of least privilege
Give only the necessary permissions to complete the required work
Admin permissions
Administer permissions
Administer users
Administer filters
Administer content types
Administer site configuration
contrib module admin permissions?
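Least privilege is easiest to audit when dangerous permissions are flagged and the grants are checked against that list. The following is an added example, not from the slides: it shows how a Drupal 7 module marks a permission with 'restrict access' => TRUE in hook_permission() (the module name `example` is hypothetical) and then audits a constructed snapshot of role grants, shaped like rows from D7's role_permission table joined to role, for non-administrator roles holding the admin permissions the slide lists. Role ids 1 and 2 are the stock D7 anonymous and authenticated roles.

```php
<?php
// Added example (not from the slides). The permission names come from the
// deck; the grants array is constructed sample data, not a real site.

// The admin permissions the slides single out.
function restricted_core_permissions() {
    return array(
        'administer permissions',
        'administer users',
        'administer filters',
        'administer content types',
        'administer site configuration',
    );
}

// Shape of hook_permission() for a hypothetical 'example' module. Setting
// 'restrict access' => TRUE makes the permissions page warn before granting it.
function example_permission() {
    return array(
        'administer example' => array(
            'title' => 'Administer example settings',
            'description' => 'Change settings that affect every user of the site.',
            'restrict access' => TRUE,
        ),
        'view example' => array(
            'title' => 'View example pages',
        ),
    );
}

// Build the full restricted list: core ones from the slide plus any module
// permission flagged 'restrict access'.
function restricted_permissions(array $module_permissions) {
    $restricted = restricted_core_permissions();
    foreach ($module_permissions as $name => $info) {
        if (!empty($info['restrict access'])) {
            $restricted[] = $name;
        }
    }
    return $restricted;
}

// Return one finding per grant of a restricted permission to a role other
// than the designated admin role. Grants to rid 1 or 2 (anonymous/authenticated)
// are critical because every visitor or every account gets them.
function audit_role_permissions(array $grants, array $restricted, $admin_role = 'administrator') {
    $findings = array();
    foreach ($grants as $g) {
        if ($g['name'] === $admin_role || !in_array($g['permission'], $restricted, TRUE)) {
            continue;
        }
        $findings[] = array(
            'severity'   => ($g['rid'] <= 2) ? 'critical' : 'review',
            'role'       => $g['name'],
            'permission' => $g['permission'],
        );
    }
    return $findings;
}

// Constructed snapshot of role -> permission grants.
$grants = array(
    array('rid' => 1, 'name' => 'anonymous user',     'permission' => 'access content'),
    array('rid' => 2, 'name' => 'authenticated user', 'permission' => 'administer filters'),
    array('rid' => 3, 'name' => 'administrator',      'permission' => 'administer permissions'),
    array('rid' => 4, 'name' => 'editor',             'permission' => 'administer content types'),
    array('rid' => 4, 'name' => 'editor',             'permission' => 'administer example'),
    array('rid' => 4, 'name' => 'editor',             'permission' => 'view example'),
);

$restricted = restricted_permissions(example_permission());
foreach (audit_role_permissions($grants, $restricted) as $f) {
    printf("[%s] role '%s' holds '%s'%s", $f['severity'], $f['role'], $f['permission'], PHP_EOL);
}
```

On the sample data this reports one critical finding (authenticated users can administer filters, which lets any account change input formats) and two grants to the editor role to review. On a live site the same function can be fed the output of a query over role_permission joined to role; the admin role name is a parameter because D7 lets it be renamed.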
Strong passwords
Ensure administrators have strong passwords
drupal.org/project/password_policy
Best practices
Stay up to date
Follow release schedules
Update Manager
@drupalcore & @drupalsecurity
Apply appropriate updates
Update process
Stage and dev environments for testing changes
drush pm-updatecode
VCS (git) for quick deploys
Backups
If it isn’t tested then it doesn’t work
Backups
How complicated is your restore process?
Is every step documented?
Can a restore be done by someone filling in for a position?
Are there any technical barriers to performing a restore?
Are the backups and procedure regularly tested?
How long will the restore take?
Logs
Enable logging and save log data
Fix application errors and warnings to remove noise
Aggregate log data to better analyze
10 PM: do you know where your data are?
Sensitive Data
Where is sensitive data and is it protected?
Ensure a project repo does not have sensitive data, including the repo history
Non-production databases should be sanitized
Use encryption
Principle ideas from today
Don’t trust user input
Stay up-to-date
Defense in depth
More resources
drupalsecurityreport.com
drupal.org/developing/best-practices
drupal.org/security/secure-configuration
drupal.org/writing-secure-code
Hands-on Training
DrupalCon Austin, Monday June 2
austin2014.drupal.org/node/1118
Register before May 2nd to save $75
Thank you
Cash Williams, @cashwilliams
Ben Jeavons, @benswords
David Stoline, @unncola