Protect Your Drupal Site Against Common Security Attacks @greggles [email protected] Tuesday, October 25, 2011
May 12, 2015
Agenda
• Security theory
- general ideas
- what it means to be a "Vendor"
- what are other vendors doing?
• Security Review module
• Acquia Security Audits
Some General Theories
• A vulnerability is not a problem until someone exploits it
• Least privilege
• Validate on input, filter on output
• Out of band communication
- Multi-factor authentication
• Logging
• Defense in depth
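An added example, not code from the slides or from Drupal core, showing three of the rules above (validate on input, filter on output, least privilege) in plain PHP. The functions `validate_nid`, `render_title`, `render_title_vulnerable`, `load_node_title` and `may_edit`, the in-memory SQLite table and the permission list are all constructed for illustration; the Drupal 7 equivalents named in the comments (`check_plain()`, `db_query()` placeholders, `user_access()`) are the real API but are deliberately not called, so the script runs under a plain `php` binary with the PDO SQLite driver.

```php
<?php
// Added example, not code from the slides or from Drupal core. All function
// names and the sample data are constructed for illustration; Drupal 7
// equivalents are noted in comments but not called, so this runs with plain
// `php` (PDO SQLite driver required for the query part).

// Validate on input: accept exactly the shape the feature needs and reject the
// rest. No "cleaning" of bad input, which is where bypasses usually hide.
function validate_nid($raw) {
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $s = (string) $raw;
    // digits only, no leading zero, bounded length: "1 OR 1=1", "-1", "007" all fail
    if ($s === '' || !ctype_digit($s) || $s[0] === '0' || strlen($s) > 10) {
        return null;
    }
    return (int) $s;
}

// Filter on output: store what the user typed, escape for the context it is
// emitted into. Drupal 7: check_plain() for HTML text, check_url() for hrefs.
function render_title($title) {
    return '<h2>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</h2>';
}

// The same thing done wrong, kept for contrast: stored text reaches the page
// unescaped, so a title containing markup becomes stored XSS.
function render_title_vulnerable($title) {
    return '<h2>' . $title . '</h2>';
}

// Parameterised query: input never becomes part of the SQL text.
// Drupal 7: db_query('SELECT ... WHERE nid = :nid', array(':nid' => $nid)).
function load_node_title(PDO $db, $nid) {
    $stmt = $db->prepare('SELECT title FROM node WHERE nid = :nid');
    $stmt->execute(array(':nid' => $nid));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['title'] : null;
}

// Least privilege: check the narrowest permission that covers the action, not
// a broad "administer" one. Drupal 7: user_access('edit own article content').
function may_edit(array $granted, $needed) {
    return in_array($needed, $granted, true);
}

// Constructed sample data so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO node VALUES (1, 'Hello <script>alert(1)</script>')");

// Only the first of these survives validation; the rest are rejected outright.
foreach (array('1', '1 OR 1=1', '-1', '007') as $raw) {
    $nid = validate_nid($raw);
    echo str_pad(var_export($raw, true), 12), ' -> ', var_export($nid, true), "\n";
}

// Same stored title, rendered unescaped and then escaped.
$title = load_node_title($db, validate_nid('1'));
echo "vulnerable: ", render_title_vulnerable($title), "\n";
echo "filtered:   ", render_title($title), "\n";

// A content editor holds only what editing needs, so an admin-level check fails.
$editor = array('access content', 'edit own article content');
var_dump(may_edit($editor, 'edit own article content'));
var_dump(may_edit($editor, 'administer nodes'));
```

The point of keeping `render_title_vulnerable` next to `render_title` is that the stored value is identical in both cases: the difference is entirely at the output boundary, which is why escaping belongs in the theme/render layer rather than in the form handler.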
Is Drupal secure enough?
• DrupalSecurityReport.org
• What is Drupal's vendor process?
What is the flow?
• Vulnerability introduced in code
• Issue gets reported
• Maintainer is notified & fixes
• Review/discussion
• Security Advisory written, commit, release
• Release and announce
• Deployed on all sites
What is public/private?*
Private:
• Vulnerability introduced in code
• Issue gets reported
• Maintainer is notified & fixes
• Review/discussion
• Security Advisory written, commit, release
Public:
• Release and announce
• Deployed on all sites
*ideal case
Where are you at risk?
• Vulnerability introduced in code
• Issue gets reported
• Maintainer is notified & fixes
• Review/discussion
• Security Advisory written, commit, release
• Release and announce
• Deployed on all sites
Disclosure concepts
• Full disclosure:
- immediately disclose to the world
- allow people to fix/protect themselves
• Responsible disclosure:
- disclose to the vendor privately
- wait up to 6 months for the vendor's fix/announcement
- patch available with the news
Where are you at risk?
• Vulnerability introduced in code
• Issue gets reported
• Maintainer is notified & fixes
• Review/discussion
• Security Advisory written, commit, release
• Release and announce
• Deployed on all sites
Full disclosure (FD): the issue is public from the moment it is reported, so the window of known exposure runs from "Issue gets reported" until "Deployed on all sites", with no fix available for most of it.
Responsible disclosure (RD): the issue stays private until "Release and announce", so the window of known exposure runs from the announcement until the update is deployed, and a fix exists for all of it.
Who is responsible?
• Vulnerability introduced in code: dev
• Issue gets reported: researcher
• Maintainer is notified & fixes: dev
• Review/discussion: team + dev
• Security Advisory written, commit, release: team + dev
• Release and announce: team
• Deployed on all sites
(team = security team; dev = the project maintainer)
Best practices as a vendor
What is everyone else doing?
Comparing
• Given enough eyeballs, all bugs are shallow.
• Prevention of issues: education
• Smooth reporting
• Announce, deploy updates
Try this
• search for
- "write secure code $project_name"
- "report security issue $project_name"
- "security release $project_name"
This is not our policy....
"We are proud of our track record of quickly releasing critical security patches, often in days. We work hard to ship fixes as fast as possible because it keeps people safe."
- Mozilla Security Blog
Mozilla 2010 revenue: $104,000,000+; expenses: $60,000,000+
Chrome, Firefox bounties
• Mozilla: $0 to $3,000 http://www.mozilla.org/security/bug-bounty.html
• Chrome: $500 to $3,133.7 blog.chromium.org/2010/07/celebrating-six-months-of-chromium.html
• Tipping Point Zero Day Initiative: $100 to $2,000+
• Drupal: $0
Browser Updates
• Blogs, tweets, mails and in-app notifications
• Automatic updates enabled by default
• Download compressed binary diffs
• Pretty reliable
(remember, $104,000,000/year budget)
WordPress
• Usability focused
• Blogging focused
• Increasingly feature rich
Education/reporting
• http://codex.wordpress.org/Category:WordPress_Development - zero security content
• E-mail based reporting system
• Plugins
- hosted anywhere
- plugins on WP.org not as rigorously reviewed
- plugins elsewhere not reviewed
- some in svn/Trac: plugins.trac.wordpress.org/browser/
Out of application notification tools
• News for core: wordpress.org/news/category/security
• No official, security-focused twitter (?)
• Popularity + limited official channel = NOISE
Github: Suzie's System!
• Github has no built-in facility
• Project maintainers have to build it
Infrastructure has value
Drupal
• Focused on...
• Can do whatever
• Modules usually hosted on drupal.org
• Project application process is rigorous, but flawed
• Centralized code hosting: git/gitweb drupalcode.org
Education/Reporting
• Handbooks put security as a priority
• New contributor process includes security review
- doesn't cover all projects
- there are ways around it
• E-mail based reporting process
- no registration required
- moving to optional ticket submission for improved efficiency
Out of application tools
• Main handbook has solid security docs
• News & feeds for core and contrib
• Announcement e-mail list
• @drupalsecurity, @drupal_security
• Limited 3rd party noise
Security Review module
• Freely available module
• Identifies mistakes in permissions & configuration
• Has drush integration
• Hands-on demo
http://drupal.org/project/security_review
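To make "mistakes in permissions & configuration" concrete, here is an added example of the kind of check such a review performs. It is not the Security Review module's code: `audit_permissions`, `audit_text_formats`, the role-to-permission map and the text-format table are constructed for illustration and shaped like a Drupal 7 site's settings. The permission names and filter names (`administer permissions`, `use PHP for settings`, `filter_html`, `php_code`, and so on) are real Drupal 7 identifiers; which ones count as "site takeover" is this example's own judgement.

```php
<?php
// Added example of the kind of check a permission/configuration review runs.
// It is not the Security Review module's code; the arrays below are constructed
// sample data shaped like Drupal 7's role/permission and text-format settings.

// Roles anyone on the internet can obtain without an administrator's involvement.
$untrusted_roles = array('anonymous user', 'authenticated user');

// Drupal 7 permissions that let their holder take over the site outright:
// change permissions, create admin accounts, run PHP, or rewrite filters.
// (Which permissions belong on this list is this example's own choice.)
$site_takeover_perms = array(
    'administer permissions',
    'administer users',
    'administer site configuration',
    'administer modules',
    'administer filters',
    'use PHP for settings',
    'bypass node access',
);

// Constructed sample: role => granted permissions. The authenticated role has
// been given two permissions it should never hold.
$role_perms = array(
    'anonymous user'     => array('access content'),
    'authenticated user' => array('access content', 'bypass node access', 'use PHP for settings'),
    'administrator'      => array('administer permissions', 'administer users'),
);

// Constructed sample: text format => (roles allowed to use it, filters enabled).
$text_formats = array(
    'filtered_html' => array('roles'   => array('anonymous user', 'authenticated user'),
                             'filters' => array('filter_html', 'filter_url')),
    'full_html'     => array('roles'   => array('authenticated user', 'administrator'),
                             'filters' => array('filter_url')),
    'php_code'      => array('roles'   => array('administrator'),
                             'filters' => array('php_code')),
);

// Report every (role, permission) pair where an untrusted role holds a
// site-takeover permission.
function audit_permissions(array $role_perms, array $untrusted, array $dangerous) {
    $findings = array();
    foreach ($untrusted as $role) {
        if (!isset($role_perms[$role])) {
            continue;
        }
        foreach (array_intersect($role_perms[$role], $dangerous) as $perm) {
            $findings[] = "role '$role' has site-takeover permission '$perm'";
        }
    }
    return $findings;
}

// Report text formats an untrusted role may use that execute PHP (php_code) or
// do not strip HTML (no filter_html): code execution or stored XSS for anyone
// who can post content.
function audit_text_formats(array $formats, array $untrusted) {
    $findings = array();
    foreach ($formats as $name => $fmt) {
        $exposed = array_intersect($fmt['roles'], $untrusted);
        if (!$exposed) {
            continue;
        }
        $who = implode(', ', $exposed);
        if (in_array('php_code', $fmt['filters'], true)) {
            $findings[] = "format '$name' runs PHP and is usable by $who";
        } elseif (!in_array('filter_html', $fmt['filters'], true)) {
            $findings[] = "format '$name' does not strip HTML and is usable by $who";
        }
    }
    return $findings;
}

$findings = array_merge(
    audit_permissions($role_perms, $untrusted_roles, $site_takeover_perms),
    audit_text_formats($text_formats, $untrusted_roles)
);
foreach ($findings as $finding) {
    echo "FAIL: $finding\n";
}
echo count($findings) . " finding(s)\n";
```

On the sample data this reports the two permissions wrongly granted to the authenticated role and the `full_html` format being usable by that role; `php_code` is not reported because only the administrator role can use it. The same two questions, "can an untrusted role do this?" and "does it amount to takeover?", are what to ask of any permission or format change before it ships.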
How Acquia Can Help
• Acquia Security Audit
• Acquia Insight
How Acquia Can Help
• 1 week long engagement
• Most vulnerabilities are found in site-specific
- themes
- configurations
- modules
• Drupal core and contrib may be safe; is your code?
What do we do?
• Automated static code analysis
• Penetration testing
• Public and Acquia-developed tools
What is the output?
Photo credits
• http://www.flickr.com/photos/jdhancock/3760104591/
• http://www.flickr.com/photos/danielsphotography/466435567/
• http://www.flickr.com/photos/38485387@N02/3580728177/
• http://www.flickr.com/photos/tchi-tcha/2447184214