Protect Your Drupal Site Against Common Security Attacks @greggles [email protected] Tuesday, October 25, 2011

May 12, 2015


Acquia Webinar [Oct 25, 2011]: Protect Your Drupal Site Against Common Security Attacks

Recording: http://acquia.com/resources/recorded_webinars
Transcript
Page 1: Protect Your Drupal Site Against Common Security Attacks

Protect Your Drupal Site Against Common Security Attacks

@greggles [email protected]

Tuesday, October 25, 2011

Page 2

Agenda

• Security theory
  - general ideas
  - what it means to be a "Vendor"
  - what are other vendors doing?
• Security Review module
• Acquia Security Audits

Page 3

Some General Theories

• A vuln is not a problem until someone exploits it
• Least privilege
• Validate on input, filter on output
• Out of band communication
  - Multi-factor authentication
• Logging
• Defense in depth

Pages 4-7: (image-only slides; no transcribed text)

Page 8

Is Drupal secure enough?

• DrupalSecurityReport.org
• What is Drupal's vendor process?

Page 9

What is the flow?

• Vulnerability introduced in code
• Issue gets reported
• Maintainer is notified & fixes
• Review/discussion
• Security Advisory written, commit, release
• Release and announce
• Deployed on all sites

Page 10

What is public/private?*

• Vulnerability introduced in code
• Issue gets reported
• Maintainer is notified & fixes
• Review/discussion
• Security Advisory written, commit, release
• Release and announce
• Deployed on all sites

Private

Public

*ideal case

Page 11

Where are you at risk?

• Vulnerability introduced in code
• Issue gets reported
• Maintainer is notified & fixes
• Review/discussion
• Security Advisory written, commit, release
• Release and announce
• Deployed on all sites

Page 12

Disclosure concepts

• Full disclosure:
  - immediately disclose to world
  - allow people to fix/protect themselves
• Responsible disclosure:
  - disclose to vendor privately
  - wait up to 6 months for vendor fix/announcement
  - patch available with news

Page 13

Where are you at risk? (FD)

• Vulnerability introduced in code
• Issue gets reported
• Maintainer is notified & fixes
• Review/discussion
• Security Advisory written, commit, release
• Release and announce
• Deployed on all sites

Page 14

Where are you at risk? (RD)

• Vulnerability introduced in code
• Issue gets reported
• Maintainer is notified & fixes
• Review/discussion
• Security Advisory written, commit, release
• Release and announce
• Deployed on all sites

Page 15

Who is responsible?

• Vulnerability introduced in code
• Issue gets reported
• Maintainer is notified & fixes
• Review/discussion
• Security Advisory written, commit, release
• Release and announce
• Deployed on all sites

team, team+dev

researcher, dev

Page 16

Best practices as a vendor

What is everyone else doing?

Page 17: (image-only slide; no transcribed text)

Page 18

Comparing

• Given enough eyeballs, all bugs are shallow.
• Prevention of issues: education
• Smooth reporting
• Announce, deploy updates

Page 19

Try this

• search for
  - "write secure code $project_name"
  - "report security issue $project_name"
  - "security release $project_name"

Page 20: (image-only slide; no transcribed text)

Page 21

This is not our policy....

"We are proud of our track record of quickly releasing critical security patches, often in days. We work hard to ship fixes as fast as possible because it keeps people safe."
  - Mozilla Security Blog

2010 revenue: $104,000,000+, expenses $60,000,000+

Page 22

Chrome, Firefox bounties

• Mozilla: $0 to $3,000 http://www.mozilla.org/security/bug-bounty.html
• Chrome: $500 to $3,133.7 blog.chromium.org/2010/07/celebrating-six-months-of-chromium.html
• TippingPoint Zero Day Initiative: $100 to $2,000+
• Drupal: $0

Page 23

Browser Updates

• Blogs, tweets, mails and in-app notifications
• Automatic updates enabled by default
• Download compressed binary diffs
• Pretty reliable

(remember, $104,000,000/year budget)

Page 24

WordPress

• Usability focused
• Blogging focused
• Increasingly feature rich

Page 25

Education/reporting

• http://codex.wordpress.org/Category:WordPress_Development - zero security
• E-mail based reporting system
• Plugins
  - hosted anywhere
  - plugins on WP.org not as rigorously reviewed
  - plugins elsewhere not reviewed
  - some in svn/Trac plugins.trac.wordpress.org/browser/

Pages 26-28: (image-only slides; no transcribed text)

Page 29

Out of application notification tools

• News for core: wordpress.org/news/category/security
• No official, security-focused twitter (?)
• Popularity + limited official channel = NOISE

Page 30

Github: Suzie's System!

• Github has no built-in facility
• Project maintainers have to build it

Infrastructure has value

Page 31

Drupal

• Focused on...
• Can do whatever
• Modules usually hosted on drupal.org
• Project application process is rigorous, but flawed
• Centralized code hosting: git/gitweb drupalcode.org

Page 32

Education/Reporting

• Handbooks put security as a priority
• New contributor process includes security review
  - doesn't cover all projects
  - there are ways around it
• E-mail based reporting process
  - no registration required
  - moving to optional ticket submission for improved efficiency

Pages 33-36: (image-only slides; no transcribed text)

Page 37

Out of application tools

• Main handbook has solid security docs
• News & feeds for core and contrib
• Announcement e-mail list
• @drupalsecurity, @drupal_security
• Limited 3rd party noise

Page 38

Security Review module

• Freely available module
• Identifies mistakes in permissions & configuration
• Has drush integration
• Hands-on demo

http://drupal.org/project/security_review

Page 39

How Acquia Can Help

• Acquia Security Audit
• Acquia Insight

Page 40

How Acquia Can Help

• 1 week long engagement
• Most vulnerabilities are found in site-specific
  - themes
  - configurations
  - modules
• Drupal core and contrib may be safe, is your code?
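The "Some General Theories" slide lists least privilege, validate on input, filter on output and logging, and the audit slide above says most findings are in site-specific themes, configurations and modules. As an added example that is not code from the webinar, from greggles or from Acquia, here is a hypothetical Drupal 7 module (the Drupal version of the webinar's era) applying those principles in the kind of custom module an audit looks at. The module, function and table names and the 1000-character limit are assumptions; hook_menu(), hook_permission(), hook_schema(), form_set_error(), drupal_strlen(), db_insert(), db_query(), filter_xss(), check_plain() and watchdog() are Drupal 7 core APIs.

```php
<?php
/**
 * @file
 * guestbook_example.module: added example (hypothetical module, not webinar
 * or Acquia code). Module, function and table names and the length limit are
 * assumptions; the hooks and helper functions are Drupal 7 core APIs.
 */

/**
 * Implements hook_schema() (would live in guestbook_example.install).
 */
function guestbook_example_schema() {
  $schema['guestbook_example'] = array(
    'fields' => array(
      'gid'     => array('type' => 'serial', 'not null' => TRUE),
      'uid'     => array('type' => 'int', 'not null' => TRUE, 'default' => 0),
      'message' => array('type' => 'text', 'not null' => TRUE),
      'created' => array('type' => 'int', 'not null' => TRUE, 'default' => 0),
    ),
    'primary key' => array('gid'),
  );
  return $schema;
}

/**
 * Implements hook_permission(). Least privilege: a narrow permission for
 * posting rather than reusing a broad one such as 'administer nodes'.
 */
function guestbook_example_permission() {
  return array(
    'post guestbook entry' => array('title' => t('Post guestbook entries')),
  );
}

/**
 * Implements hook_menu(). The access check is declared on the router item,
 * so the form code never runs for a user who lacks the permission.
 */
function guestbook_example_menu() {
  $items['guestbook'] = array(
    'title' => 'Guestbook',
    'page callback' => 'guestbook_example_page',
    'access arguments' => array('access content'),
  );
  $items['guestbook/post'] = array(
    'title' => 'Sign the guestbook',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('guestbook_example_form'),
    'access arguments' => array('post guestbook entry'),  // least privilege
  );
  return $items;
}

function guestbook_example_form($form, &$form_state) {
  $form['message'] = array('#type' => 'textarea', '#title' => t('Message'), '#required' => TRUE);
  $form['submit'] = array('#type' => 'submit', '#value' => t('Post'));
  return $form;
}

/**
 * Validate on input: enforce the rules the application has (here a length
 * limit). Escaping is deliberately NOT done here; it belongs on output.
 */
function guestbook_example_form_validate($form, &$form_state) {
  if (drupal_strlen(trim($form_state['values']['message'])) > 1000) {
    form_set_error('message', t('Messages are limited to 1000 characters.'));
  }
}

// Store the raw text through the query builder (no string concatenation into
// SQL, so no injection) and log who posted; watchdog() escapes its placeholders.
function guestbook_example_form_submit($form, &$form_state) {
  global $user;
  db_insert('guestbook_example')
    ->fields(array('uid' => $user->uid, 'message' => $form_state['values']['message'], 'created' => REQUEST_TIME))
    ->execute();
  watchdog('guestbook_example', 'Guestbook entry posted by uid %uid.', array('%uid' => $user->uid), WATCHDOG_INFO);
}

/**
 * Filter on output: the one place where stored text becomes HTML.
 */
function guestbook_example_page() {
  $output = '';
  $result = db_query('SELECT uid, message FROM {guestbook_example} ORDER BY created DESC LIMIT 20');
  foreach ($result as $row) {
    // VULNERABLE, and typical of custom themes/modules: the stored message is
    // concatenated into markup unescaped, so "<script>...</script>" in a
    // message runs in every visitor's browser (stored XSS):
    //   $output .= '<p>' . $row->message . '</p>';
    // HARDENED: filter_xss() keeps a safe tag subset; use check_plain()
    // where no markup should survive at all.
    $output .= '<p>' . filter_xss($row->message) . '</p>';
  }
  return $output;
}
```

The commented-out line in guestbook_example_page() is the mistake the audit slide is about; the same concatenation turns up in custom .tpl.php files, where wrapping the variable in check_plain() or filter_xss() is the fix. Filtering on output rather than on input keeps the stored text intact for other consumers (feeds, JSON) that need different escaping, which is why the validate handler only enforces a length rule.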


Page 41

What do we do?

• Automated static code analysis
• Penetration testing
• Public and Acquia-developed tools

Page 42

What is the output?

Page 43

Thanks!

Questions?

Contact: [email protected] @greggles