Security by design: An Introduction to Drupal Security


Intros

Chris Teitzel

@technerdteitzel

/in/christeitzel

Chris has been working in Drupal for almost 8 years. During that time he has worked on projects spanning the globe in front-end design, e-commerce and security. His passion is for making technology accessible to all skillsets.

Founder / CEO Lockr


Intros

Luke Probasco


@geetarluke

/in/lukeprobasco/

Manages Drupal business for Townsend Security. DrupalCon, Camp, and Summit speaker. Security professional. Music enthusiast.

Drupal GM/Townsend Security


Intros

Mark Shropshire (shrop)

@shrop

/in/markshropshire

drupal.org

Mark brings 20 years of experience leading technical teams to his role as Mediacurrent’s Open Source Security Lead. He is a leader in tech community organizing, blogging, podcasting, and public speaking within the Drupal community. Mark is passionate about architecting systems to solve workflow problems and improve efficiencies using open source software. He is also the maintainer of the Guardr Drupal security module suite.

Mediacurrent Open Source Security Lead


Contents

1. Security by design in Drupal
2. Site audit and security best practices
3. Encrypting sensitive data
4. Key management (encryption & API)
5. Resources to improve security
6. Takeaways

1. Security by design in Drupal

Compliance, Security, and You
● Data discovery: know what sensitive data you hold and where it lives
● PCI DSS, HIPAA, GDPR, etc.
● Hosting and compliance: the hosting provider's scope matters as much as the application's
● See your security team for internal policies and controls


Keep Drupal Secure
● Keep core and contrib modules up to date (follow the Drupal security advisories)
● Use the Drupal API (form, database, render and filter APIs) rather than raw PHP
● Use version control
● Use social and enterprise login (SSO) where it fits, so fewer passwords live in Drupal
● Enforce strong passwords
● Two-factor authentication
● Log and review logs (watchdog and additional contrib)
● Don't forget about infrastructure security (web server, PHP, database, OS)


Security in Custom Modules
● Never trust user input
  ○ Escape plain text with check_plain(), or let t() do it through @placeholder and %placeholder arguments
  ○ Filter text that must keep some HTML with filter_xss() (filter_xss_admin() only for trusted administrators)
● Query properly
  ○ Never concatenate values into the SQL string passed to db_query()
  ○ Use placeholders with an arguments array instead: in Drupal 7 they are named (:name); the printf-style %s %d %f %b placeholders are the Drupal 6 form of the same rule
● Do not output database values directly: a stored value is still user input, so escape it at output time
● Protect user input, think before you save: validate type, length and format in the form validation handler before anything reaches the database
(Drupal 8 and later apply the same rules through Html::escape(), Xss::filter(), \Drupal::database() with :placeholders, and Twig auto-escaping.)
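The two rules on this slide, user input never trusted into SQL and never trusted into HTML, as an added example that is not part of the deck: a Drupal 7 page callback for a hypothetical custom module named example_search, shown first the way the slide warns against and then rewritten with the Drupal API. It assumes a bootstrapped Drupal 7 site (check_plain(), t(), db_query(), db_like() and theme('item_list') are Drupal 7 core); the module name, the search-users path and the 'access user profiles' permission are illustrative.

```php
<?php
/**
 * Added example, not code from the slides: a Drupal 7 user-search page in a
 * hypothetical custom module "example_search". Assumes a bootstrapped
 * Drupal 7 site; it does not run as a stand-alone PHP script.
 */

/**
 * Implements hook_menu().
 */
function example_search_menu() {
  $items['search-users'] = array(
    'title' => 'User search',
    'page callback' => 'example_search_page_safe',
    'access arguments' => array('access user profiles'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * VULNERABLE (what the slide warns against): ?name=... is trusted twice,
 * once inside the SQL string (SQL injection) and once inside the HTML
 * (reflected XSS); the rows coming back are echoed raw as well.
 */
function example_search_page_vulnerable() {
  $name = isset($_GET['name']) ? $_GET['name'] : '';
  // Concatenation: the request controls the SQL text, not just a value.
  $result = db_query("SELECT name FROM {users} WHERE name LIKE '%" . $name . "%'");
  $output = '<h2>Results for ' . $name . '</h2><ul>';  // raw input into HTML
  foreach ($result as $row) {
    $output .= '<li>' . $row->name . '</li>';          // raw DB value into HTML
  }
  return $output . '</ul>';
}

/**
 * HARDENED: a named placeholder in the query, escaping on every output path.
 */
function example_search_page_safe() {
  $name = isset($_GET['name']) ? $_GET['name'] : '';
  // Think before you use it: reject what the feature never needs.
  if ($name === '' || drupal_strlen($name) > 60) {
    return t('Enter a user name of at most 60 characters.');
  }
  // Named placeholder: the value is bound, never interpolated.
  // db_like() escapes the LIKE wildcards % and _ inside the user's text.
  $result = db_query(
    "SELECT name FROM {users} WHERE name LIKE :pattern",
    array(':pattern' => '%' . db_like($name) . '%')
  );
  // t() runs check_plain() on @placeholder values before inserting them.
  $output = '<h2>' . t('Results for @name', array('@name' => $name)) . '</h2>';
  $items = array();
  foreach ($result as $row) {
    // A database value is still untrusted input: escape at output time.
    $items[] = check_plain($row->name);
  }
  // theme_item_list() expects already-safe markup, hence the escaping above.
  $output .= theme('item_list', array('items' => $items));
  return $output;
}
```

The hook_menu() entry points at the safe callback; the vulnerable one is kept only so the two can be diffed. Note that theme('item_list') does not escape its items, so the check_plain() call in the loop is what actually protects the page.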


2. Site audit and security best practices

What is an audit?
● Review by someone not on the team (internal or external)
● Review of software systems
● Review of supporting infrastructure
● Review of other related systems


Performing an audit
● Collect data manually and with tools
  ○ Analyze the data
  ○ Prioritize findings
● Eliminate false positives
● Complete usable report(s)


OWASP Top 10 Most Critical Web Application Security Risks (2013 edition)
● Injection
● Broken authentication and session management
● Cross-site scripting (XSS)
● Insecure direct object references
● Security misconfiguration
● Sensitive data exposure
● Missing function level access control
● Cross-site request forgery (CSRF)
● Using components with known vulnerabilities
● Unvalidated redirects and forwards


Drupal audit tools
● Drupal core reports (status report, recent log messages, available updates)
● Site Audit
● Security Review
● Sensitive Data
● Hacked!
● Coder
● Review of site config, users, permissions, and roles
● Manual code review


3. Encrypting sensitive data

Encrypting Data in Drupal
● Drupal core does not encrypt stored data; encryption comes from contrib modules or the application layer
● Compliance and risk management drive what gets encrypted
● Use encryption based on industry standards
● Use cryptographically strong, randomly generated keys, never passwords or passphrases
● See NIST Special Publication 800-57 (Recommendation for Key Management) for more info


What Encryption Should I Use?
● Use standard, well-reviewed algorithms: AES for data at rest, RSA (or another standard public-key scheme) for key transport and signatures; Triple DES still appears in legacy systems but is deprecated by NIST, so prefer AES for anything new
● Beware of non-standard or novel encryption
● Example: homomorphic encryption
  ○ Has not yet received wide review and acceptance for production use
  ○ Cannot be certified by a standards body
  ○ Cannot achieve FIPS 140-2 validation
  ○ Compliance regimes that require validated algorithms therefore will not accept it
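A concrete form of "standard algorithm, strong random key, key kept out of the code and the database", as an added example that is not code from the deck or from the Encrypt / Real AES modules: plain PHP 7.1+ using the OpenSSL extension. AES-256-GCM gives confidentiality and integrity in one primitive; the key is 256 bits from the CSPRNG rather than a password, and is read from an environment variable (SITE_DATA_KEY is a hypothetical name) so it lives in neither the code base nor the database that holds the ciphertext. The row-binding associated data and the demo values are constructed for the example.

```php
<?php
/**
 * Added example (not from the slides or any Drupal module): field-level
 * encryption with AES-256-GCM via PHP's OpenSSL extension, keyed by a random
 * 256-bit key held outside code and database. Requires PHP 7.1+ with
 * ext-openssl. Generate the key once, outside the web root, e.g.
 *   php -r 'echo bin2hex(random_bytes(32)), PHP_EOL;' > /etc/drupal/site-data.key
 * and hand it to PHP as the SITE_DATA_KEY environment variable (hypothetical
 * name). A password run through a KDF has far less entropy than 256 random
 * bits and is guessable, which is why the slide says "no passwords".
 */

const CIPHER    = 'aes-256-gcm';
const KEY_BYTES = 32;   // AES-256
const IV_BYTES  = 12;   // 96-bit nonce, the recommended GCM size
const TAG_BYTES = 16;   // full-length authentication tag

/**
 * Load the key from the environment. Fail closed: a missing or malformed key
 * must never silently fall back to a default or a password.
 */
function load_data_key(): string {
  $hex = getenv('SITE_DATA_KEY');
  if ($hex === false || !ctype_xdigit($hex) || strlen($hex) !== KEY_BYTES * 2) {
    throw new RuntimeException('SITE_DATA_KEY missing or not a 64-hex-char (256-bit) key');
  }
  return hex2bin($hex);
}

/** Encrypt a field value; returns base64(iv || tag || ciphertext) for DB storage. */
function encrypt_field(string $plaintext, string $key, string $aad = ''): string {
  $iv  = random_bytes(IV_BYTES);   // fresh nonce per call; never reuse one with the same key
  $tag = '';
  $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $aad, TAG_BYTES);
  if ($ct === false) {
    throw new RuntimeException('encryption failed: ' . openssl_error_string());
  }
  return base64_encode($iv . $tag . $ct);
}

/** Decrypt a stored value; returns null if ciphertext, tag or AAD was tampered with. */
function decrypt_field(string $stored, string $key, string $aad = ''): ?string {
  $raw = base64_decode($stored, true);
  if ($raw === false || strlen($raw) < IV_BYTES + TAG_BYTES) {
    return null;
  }
  $iv  = substr($raw, 0, IV_BYTES);
  $tag = substr($raw, IV_BYTES, TAG_BYTES);
  $ct  = substr($raw, IV_BYTES + TAG_BYTES);
  $pt  = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $aad);
  return $pt === false ? null : $pt;
}

// Demo: constructed key placed in the environment so the script runs as-is.
putenv('SITE_DATA_KEY=' . bin2hex(random_bytes(KEY_BYTES)));
$key = load_data_key();

// Bind the ciphertext to its row (entity id + field name) as associated data,
// so a value copied from one record into another no longer decrypts.
$aad  = 'user:42:field_ssn';
$blob = encrypt_field('123-45-6789', $key, $aad);
var_dump(decrypt_field($blob, $key, $aad));

// Flip one bit of the stored value: GCM authentication fails and the function
// returns null instead of corrupted plaintext.
$tampered = base64_decode($blob);
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 1);
var_dump(decrypt_field(base64_encode($tampered), $key, $aad));

// Same blob presented for a different row: the AAD no longer matches, also null.
var_dump(decrypt_field($blob, $key, 'user:43:field_ssn'));
```

Rotation follows from the layout: prefix each stored value with a key identifier, decrypt with the old key and re-encrypt with the new one in a batch, then retire the old key. Nothing about the ciphertext format needs to change, and the key itself never enters the database.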


4. Key management (encryption & API)

"McDonald's has acknowledged that a leaky API exposed personal information for users of its McDelivery mobile app in India. The flaw exposed names, email addresses, phone numbers, home addresses and sometimes the coordinates of those homes, as well as links to social media profiles."
BankInfoSecurity.com


"Our review has shown that a threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US... Through the AWS API, the actor created several instances in our infrastructure to do reconnaissance."
OneLogin.com


Keys and API credentials a typical Drupal site holds:
● Payment gateways
● Email marketing
● SMTP relays
● Authentication
● Shipping
● Cloud providers
● Encryption APIs


5. Resources to improve security

Encryption Modules
● Encrypt
● FieldEncrypt
● Real AES
● Encrypt User
● Encrypted Files
● Webform Encrypt


Key Management Modules
● Key
● Townsend Security Key Connection
● Lockr


Guardr
Guardr is a Drupal distribution with a combination of modules and settings to enhance a Drupal application's security and availability to meet enterprise security requirements.
https://drupal.org/project/guardr


6. Takeaways

Questions?

Thank you!

@Mediacurrent