IT Security Cred
✦ https://youtube.googleapis.com/v/am3TmXm3doA?start=1&end=103.7&version=3&autoplay=1
Michael Nescot
CMS Security Marketing: Drupal vs the field
Marketing Drupal
CMS Security: The Widening Funnel
Comparison
✦ Drupal
✦ Joomla
✦ WordPress
✦ Liferay
✦ Sharepoint
Comparison Points
✦ Core Code Repository
✦ API Security
✦ Security Management Model
✦ Hosting Platform & Infrastructure
✦ Security Controls and Tools: FISMA
Repository
✦ Drupal: Open Source, GIT, drupal.org
✦ Joomla: Open Source, GIT, github
✦ WordPress: Open Source, git mirror of Subversion
✦ SharePoint: Closed source, ?, TFS
✦ Liferay: Open source, GIT, github
FreeBSD compromise
API
✦ Drupal: PHP, evolving from hook system (Symfony and Drupal 8), t, check_plain, token for forms
✦ Joomla: Add-on: design-pattern based, OO, MVC: JRequest, JObject
✦ WordPress: Hook system, request and DB filtering
✦ SharePoint: Server and client object model: moving to App model: REST: memory issues
✦ Liferay: Java, internal and external API access, Spring framework, JSP, similar filtering hooks, local and remote invocation (JVM)
API Security
✦ Drupal: t, check_plain, url, db_query
✦ Joomla: JFilter
✦ WordPress:
Vulnerabilities
✦ Drupal: cross-site scripting, SQL injection, access bypass
✦ Joomla: cross-site scripting, SQL injection
✦ WordPress: SQL injection, cross-site scripting, CSRF
✦ SharePoint: memory leak
✦ Liferay: cross-site scripting
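The Drupal column above names three API-level defences against the listed vulnerability classes: output escaping (check_plain) against cross-site scripting, placeholder queries (db_query) against SQL injection, and form tokens against CSRF. The following is an added example, not code from this talk or from Drupal or any other CMS: it shows each defence as plain PHP (PDO with an in-memory SQLite table, no Drupal dependency) next to the unsafe pattern it replaces. The function names, the table, the sample rows and the hostile input are constructed for the demonstration.

```php
<?php
// Added example (not Drupal's or any CMS's own code): the three defences the
// slide names for Drupal's API, shown as plain PHP on a constructed SQLite table.
// All function names, data and inputs here are this example's own constructions.

declare(strict_types=1);

// 1. Output escaping. Drupal 7's check_plain() is htmlspecialchars() with
//    ENT_QUOTES and UTF-8; ENT_SUBSTITUTE is added here so malformed UTF-8
//    is replaced rather than causing an empty return.
function escapeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. Database access. The unsafe form splices user text into the statement;
//    the safe form is the placeholder style db_query() enforces (":title" is
//    bound by the driver, never interpolated into SQL).
function unsafeFindByTitle(PDO $db, string $title): array
{
    // Do not use: $title becomes part of the SQL text.
    $sql = "SELECT id, title FROM node WHERE title = '" . $title . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

function safeFindByTitle(PDO $db, string $title): array
{
    $stmt = $db->prepare('SELECT id, title FROM node WHERE title = :title');
    $stmt->execute([':title' => $title]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Form tokens. A keyed hash of a per-session secret and the form id, checked
//    in constant time before a state-changing request is honoured. This is the
//    idea behind Drupal's form tokens, simplified to a single HMAC.
function makeFormToken(string $sessionSecret, string $formId): string
{
    return hash_hmac('sha256', $formId, $sessionSecret);
}

function checkFormToken(string $sessionSecret, string $formId, string $presented): bool
{
    return hash_equals(makeFormToken($sessionSecret, $formId), $presented);
}

// --- Demonstration on constructed data ------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE node (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO node (title) VALUES ('Public page'), ('Private draft')");

// Constructed input: a title that doubles as SQL when concatenated.
$hostile = "x' OR '1'='1";
echo 'Concatenated query row count: ' . count(unsafeFindByTitle($db, $hostile)) . PHP_EOL;
echo 'Placeholder query row count:  ' . count(safeFindByTitle($db, $hostile)) . PHP_EOL;

// Constructed input: markup in a comment body, rendered as inert text once escaped.
$comment = '<script>alert(1)</script>';
echo 'Escaped for HTML: ' . escapeForHtml($comment) . PHP_EOL;

// Token round trip: a token minted for one session and form does not validate
// for another form.
$secret = bin2hex(random_bytes(16));
$token  = makeFormToken($secret, 'node_delete_confirm_form');
var_dump(checkFormToken($secret, 'node_delete_confirm_form', $token));
var_dump(checkFormToken($secret, 'other_form', $token));
```

Run it with the PHP CLI (`php example.php`) on any build with the pdo_sqlite extension. The concatenated query returns every row of the table for the hostile title while the placeholder query returns none, which is the whole difference between the two vulnerability classes the slide lists under SQL injection and the defence it lists under db_query.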
WordPress Plugin Vulns
✦ http://www.checkmarx.com/wp-content/uploads/2013/06/The-Security-State-of-WordPress-Top-50-Plugins.pdf
Security Management
✦ Drupal: Security Team: notices, selective closure, work with developers to identify and fix, secure coding guide, module review
✦ Joomla: Joomla Security Team: vulnerable extension list, secure coding guide
✦ WordPress: laissez-faire, link to WP security from main sites
✦ SharePoint: Service packs
✦ Liferay: Security team, focused on core
Word Press Extensions
Hosting Platform
✦ Drupal: Apache/Nginx, caching, MySQL/MariaDB, alternatives, self-host, cloud, FedRAMP
✦ Joomla: LAMP
✦ WordPress: Commercial hosting
✦ SharePoint: Office 365 (FISMA cert), Azure, AWS, Rackspace
✦ Liferay: Self-host
Security Tools & Extensions
✦ Permissions
✦ Federated Identity & Authentication (two-factor auth)
✦ Vulnerability Assessment
✦ Hardening
✦ Continuous Monitoring
Permissions
✦ Drupal: Granular security, easy to create permissions: access from menu system, LDAP groups
✦ Joomla: RBAC
✦ WordPress
✦ SharePoint: SharePoint groups and roles, mapped to AD groups, site collection admins, elevate
✦ Liferay: local
Authentication / Federated Id
✦ Drupal: SAML, SMS, OAuth, PIV, WiKID
✦ Joomla: YubiKey
✦ WordPress
✦ SharePoint: claims-based identity, membership provider (AD)
✦ Liferay
Vulnerability Assessment
✦ Drupal: security review, secure coding, dpscan
✦ Joomla:
✦ WordPress
✦ SharePoint
✦ Liferay:
Hardening
✦ Drupal: Linux extensions, Hardened Drupal, Guardr
✦ Joomla
✦ WordPress: ultimate security module
✦ SharePoint: separation, Kerberos
✦ Liferay
Continuous Monitoring
✦ Drupal: Nagios, monitoring, MongoDB watchdog, OSSIM plugin, watchdog syslog, dblog, logstash
✦ Joomla: commercial monitoring
✦ WordPress: commercial monitoring
✦ SharePoint: System Center
✦ Liferay: commercial
Drupal security incident
✦ Drupal.org compromised
✦ sophisticated automated testing and deployment
✦ third party
✦ every system has multiple vulnerabilities
Security Rockstar