Understanding and Implementing Website Security
Pantheon.io
Hi, I’m Drew Gorton
● Director of Agency and Community Outreach, Pantheon
● Founder, Gorton Studios (2001)
● Co-founder, NodeSquirrel (2012)
● Drupal 4.4 (~2004)
● Drupal Twin Cities
● @dgorton
Web CMS is Risky: The Elephant in the Room
● Web Content Management is inherently dangerous
● Connected to the internet
● Edited via the internet
Data Breaches Have Become Commonplace
● http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
I’m So Tiny! Surely not me?
● You are a target
● You have:
  ○ Computing power
  ○ Access to nearby systems
  ○ Visitors with vulnerable browsers
  ○ Information
    ○ PII? Transactions? Donations?
● Robots don’t care
Website Security Is Not Binary
● Not On or Off
● “Is my website secure?” not a Yes / No question
Website Security: Lessons from the Real World
Safe Ratings
● Time (5 mins, 30 mins, …)
● Tools (hammer, drill, power, …)
● People (skill, number, …)
Website Security Is a Continuum
● Perfect security is a myth
● There will always be gaps
● Be prepared
Today’s Goals: Our Agenda
● Understand Landscape
● Have Fewer, Smaller Gaps
● Better Preparedness
● Looking at Layers of Security
Our Layers: Drupal is Just One Piece
● Platform
  ○ Linux, Apache, MySQL, PHP …
● Application
  ○ Drupal, WordPress…
● Organizational
  ○ Habits, procedures, planning…
Platform Layer: The Stack Drupal Uses
● Linux
● Apache / NGINX
● MySQL / MariaDB
● PHP
● Varnish
● Memcached / Redis
● Solr
● …
● http://www.linuxsecurity.com
You Do Not Want This Monkey*
Use Drupal Hosting
https://www.drupal.org/hosting
Buyer Beware
Not All Hosting Is Equal
Traditional Hosting
Even Messier in the Real World
Platform Security
There is a Better Way
How did you handle Heartbleed?
How did you handle DrupalGeddon?
Choose Hosts Wisely
Application Layer: Security in Drupal
● Configuration
● Modules
● Security Team and Procedures
● Coding Best Practices
Flexibility: Drupal’s Great Strength and Weakness
● (Mis)Configuration
● True or False?
● You can configure Drupal so that Anonymous Users can ____
  ○ Upload images
  ○ Change files
  ○ Edit the homepage
  ○ Turn on modules
  ○ Change themes
Secure Configuration: The Most Important Thing You Can Do
● Secure User 1
  ○ No simple passwords
  ○ Don’t share passwords across sites
  ○ Doesn’t have to be ‘admin’
● Permissions & Roles
  ○ Administer * is powerful
  ○ Administer filters can pwn site
● No PHP (!!!)
● Update module
  ○ Wednesdays are security releases
  ○ Turn it on. Get the notifications. Do them
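An added example for the two configuration slides above (it is not code from the talk or from Drupal): a small audit script that reports when the roles every visitor or every account automatically holds have been granted one of the permissions the slides warn about. It assumes a bootstrapped Drupal 7 site (for instance run via `drush php-script`); the function names and the list of flagged permissions are this example's own choices, while the permission strings themselves are the ones Drupal 7 core and its PHP filter module define.

```php
<?php
// Added example, not from the slides. Assumes a bootstrapped Drupal 7 site.

// Permission names as Drupal 7 core and the core PHP filter module define them,
// each paired with the reason the slides give for treating it as dangerous.
function example_dangerous_permissions() {
  return array(
    'use PHP for settings'          => 'arbitrary PHP execution (the "No PHP" slide)',
    'administer filters'            => 'can enable the PHP filter or unsafe HTML; owns the site',
    'administer modules'            => 'can turn on any module',
    'administer themes'             => 'can change themes and theme settings',
    'administer permissions'        => 'can grant itself everything else',
    'administer users'              => 'can take over user 1',
    'administer site configuration' => 'can change file paths, mail and maintenance mode',
    'bypass node access'            => 'can edit any content, including the homepage',
  );
}

// Returns "role: permission (why)" findings for the broad built-in roles.
function example_audit_broad_roles() {
  $broad = array(
    DRUPAL_ANONYMOUS_RID     => 'anonymous user',
    DRUPAL_AUTHENTICATED_RID => 'authenticated user',
  );
  // user_role_permissions() returns rid => array(permission => TRUE).
  $granted = user_role_permissions($broad);
  $findings = array();
  foreach (example_dangerous_permissions() as $perm => $why) {
    foreach ($broad as $rid => $name) {
      if (!empty($granted[$rid][$perm])) {
        $findings[] = "$name: $perm ($why)";
      }
    }
  }
  return $findings;
}

// Contrib modules such as Security Review and Permissions Lock automate checks
// like this one; this script only shows what they are looking for.
$findings = example_audit_broad_roles();
if (!$findings) {
  print "No dangerous permissions are granted to anonymous or authenticated users.\n";
}
foreach ($findings as $finding) {
  print 'WARNING ' . $finding . "\n";
}
```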
Drupal Modules: Improving Security with Contrib
● Password Policy and Password Strength
● Security Review
● Security Kit (Seckit)
● Hacked!
● Paranoia
● Permissions Lock
● Login Security
● Automated Logout
● Two Factor Authentication
Security Team: Our Fearless Defenders
● Drupal 7 & 8 Core + Contrib
● Wednesdays are releases
● Process & Procedure
● Drupal 6 coverage available
Secure Coding: Best Practices
● Writing Secure Code (Drupal.org)
● Cracking Drupal - OWASP 10 and Drupal
● SQL Injection
● XSS
● CSRF
SQL Injection
As Illustrated by XKCD
db_query()
https://www.drupal.org/node/101496
http://xkcd.com/327/
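An added example for the SQL injection slide (not code from the talk or from Drupal): the same node lookup written first by splicing request input into the query string, which is exactly the "Bobby Tables" situation the XKCD strip describes, and then with the placeholder arguments that Drupal 7's db_query() provides. It assumes a bootstrapped Drupal 7 site; the function names are hypothetical and $_GET['title'] stands in for any untrusted input.

```php
<?php
// Added example, not from the slides. Assumes a bootstrapped Drupal 7 site.

// VULNERABLE: the request value becomes part of the SQL text, so a quote
// character in the input ends the string and the rest is parsed as SQL.
function example_node_by_title_unsafe() {
  $title = $_GET['title'];
  return db_query("SELECT nid FROM {node} WHERE title = '" . $title . "'")->fetchCol();
}

// SAFE: the value is passed as a bound parameter. The driver never parses it
// as SQL, so quotes, semicolons and comment markers in it are inert.
function example_node_by_title_safe() {
  $title = $_GET['title'];
  return db_query(
    'SELECT nid FROM {node} WHERE title = :title',
    array(':title' => $title)
  )->fetchCol();
}

// Placeholders also cover IN (...) lists: an array argument is expanded to the
// right number of bound values, so the list is never built by string joining.
function example_published_nodes_of_types(array $types) {
  return db_query(
    'SELECT nid, title FROM {node} WHERE type IN (:types) AND status = 1',
    array(':types' => $types)
  )->fetchAllKeyed();
}

// Things that cannot be bound (table and column names, sort direction) must be
// checked against a fixed whitelist instead of being taken from the request.
function example_nodes_sorted($direction) {
  $direction = (strtoupper($direction) === 'DESC') ? 'DESC' : 'ASC';
  return db_query('SELECT nid FROM {node} ORDER BY created ' . $direction)->fetchCol();
}
```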
Secure Coding: Best Practices (XSS)
● JavaScript to run browser actions
● Up to 64% of websites vulnerable
● Everything you can do, XSS can do better
● Use Filters! check_url(), check_plain(), filter_xss(), filter_xss_admin(), check_markup()
● t() function
● https://www.drupal.org/node/28984
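An added example for the XSS slide (not code from the talk or from Drupal) showing which of the listed Drupal 7 filters fits each kind of output. It assumes a bootstrapped Drupal 7 site; the $comment array is constructed sample input that already contains hostile markup, and the function names are hypothetical.

```php
<?php
// Added example, not from the slides. Assumes a bootstrapped Drupal 7 site.

// Constructed sample input: what a malicious user might submit in a comment form.
$comment = array(
  'author'  => '<script>alert(1)</script>Mallory',
  'website' => 'javascript:alert(document.cookie)',
  'body'    => '<p onmouseover="alert(1)">Hi <strong>all</strong></p><img src=x onerror=alert(1)>',
);

// VULNERABLE: whatever the user typed is sent to the browser as live markup.
function example_render_unsafe(array $c) {
  return '<div class="by">' . $c['author'] . '</div><div>' . $c['body'] . '</div>';
}

// SAFE: choose the filter that matches how each value is used in the output.
function example_render_safe(array $c) {
  // Plain text: check_plain() escapes < > & " ' so the name is shown literally.
  $author = check_plain($c['author']);
  // A URL attribute: check_url() strips dangerous schemes (javascript:, data:,
  // vbscript:) and then escapes the result for use inside href="...".
  $website = check_url($c['website']);
  // Rich text from untrusted users: filter_xss() keeps only the given tag
  // whitelist and drops event-handler attributes such as onmouseover/onerror.
  $body = filter_xss($c['body'], array('p', 'strong', 'em', 'a'));
  // t(): @placeholders are run through check_plain(), %placeholders are escaped
  // and emphasised, !placeholders are NOT escaped, so never use ! for user data.
  $byline = t('Posted by @name (%site)', array('@name' => $c['author'], '%site' => $c['website']));
  return '<div class="by">' . $byline . '</div>'
    . '<a href="' . $website . '">' . $author . '</a>'
    . '<div>' . $body . '</div>';
}

// filter_xss_admin() is for text typed by trusted administrators only: it still
// removes <script> and <style> but allows far more markup, so never apply it to
// anonymous or ordinary authenticated-user input.
print example_render_safe($comment) . "\n";
```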
Secure Coding: Best Practices (CSRF)
● Actions on another site
● <a href="http://bank.com/xfer.do?acct=123&amt=10000">View my Pictures!</a>
● Forms API, drupal_get_token(), drupal_valid_token()
● https://www.drupal.org/node/178896
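An added example for the CSRF slide (not code from the talk or from Drupal): a state-changing link like the bank transfer on the slide, first handled without any check and then protected with Drupal 7's drupal_get_token() and drupal_valid_token(). It assumes a bootstrapped Drupal 7 site; the path example/transfer, the function names and example_do_transfer() are hypothetical.

```php
<?php
// Added example, not from the slides. Assumes a bootstrapped Drupal 7 site;
// example_do_transfer() stands in for whatever performs the real action.

// Building the link: bind the token to the exact action so a token captured from
// one page cannot authorise a different account or amount.
function example_transfer_link($account_id, $amount) {
  $value = "transfer:$account_id:$amount";
  return l(t('Transfer funds'), 'example/transfer', array(
    'query' => array(
      'acct'  => $account_id,
      'amt'   => $amount,
      'token' => drupal_get_token($value),
    ),
  ));
}

// Page callback, VULNERABLE: any site that can make the victim's browser fetch
// this URL (an <img> tag, a hidden form, the "View my Pictures!" link on the
// slide) performs the transfer with the victim's own session cookie.
function example_transfer_page_unsafe() {
  example_do_transfer($_GET['acct'], $_GET['amt']);
  return t('Done.');
}

// Page callback, SAFE: refuse unless the request carries a token minted for this
// session AND this exact action. The token is an HMAC keyed with the session id
// and the site's private key, so another site cannot guess or forge it.
function example_transfer_page_safe() {
  $acct  = isset($_GET['acct']) ? $_GET['acct'] : '';
  $amt   = isset($_GET['amt']) ? $_GET['amt'] : '';
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, "transfer:$acct:$amt")) {
    return MENU_ACCESS_DENIED;
  }
  example_do_transfer($acct, $amt);
  return t('Done.');
}

// Forms built with the Form API get this for free: a hidden form_token field is
// added and submissions without a valid one are rejected, so prefer a
// confirmation form over a GET link for anything that changes state.
```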
Organization Layer: Secure Processes
● Safe Network Usage
● Secure Code Management
● Secure Support
Secure Networking: Build Good Habits
● HTTPS / SSL
  ○ LetsEncrypt.org
  ○ CloudFlare
  ○ Others
● SFTP (No FTP!)
● Wireless Caution
Secure Code Management: Take care of your code
● Use Version Control Software (VCS) like Git
● Sanitize Data on transfer - drushcommands.com/drush-8x/sql/sql-sanitize
● Secure your Keys - https://lockr.io
Secure Support: Take care of your clients
● Catalog your sites
● Wednesdays - be ready
● Who is responsible?
● Who helps them?
● How do they escalate?
● Emergency Procedures
● Run the drill!
In Summary
● Use a secure (reliable, performant) Drupal host
● Configure Drupal carefully
● Use Security-enhancing Drupal modules
● Follow Drupal coding best practices
● Use secure communications (HTTPS, SFTP, …)
● Have secure code management habits
● Have clear support practices and procedures