Drupal security best practices
Transcript of Drupal security best practices
Page 1
SECURITY 101
Some of what you need to know
Owen Winkler, Rock River Star
http://RockRiverStar.com/
@ringmaster
Page 2
The plan
- What security is
- Security on the web
- Types of threats
- Tools and sites
- Impact of Security
Page 3
What security is
Page 4
Wikipedia Says
Ancient Greek “Se-Cura” – “without fear”
Obtain freedom from fear
Page 5
Layers of Security
- gate
- house
- safe
Page 6
Convenience
Page 7
What to do when my crap gets stolen…
- Call cops
- Replace it
- Steal it back
- File insurance claim
Page 8
Just like real security
Computer security
Page 9
Application Security
- Password Strength
- Social Engineering
Page 10
Password Strength
http://www.wired.com/politics/security/commentary/securitymatters/2006/12/72300
Top 20 Passwords: password1, abc123, myspace1, password, blink182, qwerty1, fuckyou, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1,
And of course… monkey
Page 11
Passwords
- People don’t care
- L3tt3r5 a5 numb3r5
- Master password
- Signed logins
- Sharing and storing
- Two-factor!
Page 12
The inverse of layered security is…
- Site password
- Database password
- Server password
- Account password
- Datacenter access
- Global economic failure
- Thermonuclear war
Page 13
Permissions
- Authentication vs. Authorization
- See only authorized information
- Post-deployment accounts
Page 14
Vulnerabilities
From Wikipedia: a weakness that makes a threat possible
- Input validation
- XSRF – Cross site request forgery
- XSS – Cross site scripting
- SQL-I – SQL injection
Page 15
Input Validation
- Every input & every output
- Filter for what you want
- Validation in Drupal
  - Ajax
  - View arguments
  - PHP execution
  - Input filters
  - check_plain() and check_markup()
Page 16
XSS
- Bad input/output filtering
- Elevated user privileges
Page 17
XSRF
- Form on a remote site
- Social engineering
Page 19
SQL injection
- Bad input filtering
- Insert from the querystring
- Drupal mostly safe
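As an added example for the input validation, XSS and SQL injection slides above (not code from the slides or from Drupal), the same two query-string values handled the unsafe way and the filtered way. It assumes PHP 7 or later with the pdo_sqlite extension and no Drupal bootstrap, so check_plain() is re-declared with the body Drupal 7 core uses and an in-memory SQLite table stands in for the Drupal database.

```php
<?php
// Added example, not from the slides. Runs without a Drupal bootstrap:
// check_plain() is re-declared here with the body Drupal 7 core uses, and
// PDO over an in-memory SQLite table stands in for the Drupal database.

if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed hostile inputs, shaped like values arriving in $_GET.
$name = '<script>alert(1)</script>';
$nid  = '1 OR 1=1';

// --- XSS: output filtering ---------------------------------------------
// Unsafe: the raw value is dropped into the HTML, so the script tag runs.
$unsafe_html = "<p>Hello, $name</p>";
// Filtered: escape on output, so the browser renders the tag as text.
$safe_html = '<p>Hello, ' . check_plain($name) . '</p>';

// --- SQL injection: input filtering ------------------------------------
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE node (nid INTEGER, title TEXT)');
$db->exec("INSERT INTO node VALUES (1, 'Public page'), (2, 'Private page')");

// Unsafe: the query string is pasted into the SQL, and the "OR 1=1"
// is parsed as SQL, so every row comes back.
$unsafe_rows = $db->query("SELECT title FROM node WHERE nid = $nid")
                  ->fetchAll(PDO::FETCH_COLUMN);

// Filtered: a bound placeholder. The value is compared as data, never
// parsed as SQL, so the hostile string matches no row. Drupal 7's
// db_query() accepts the same :name placeholders.
$stmt = $db->prepare('SELECT title FROM node WHERE nid = :nid');
$stmt->execute([':nid' => $nid]);
$safe_rows = $stmt->fetchAll(PDO::FETCH_COLUMN);

printf("unsafe html : %s\n", $unsafe_html);
printf("safe html   : %s\n", $safe_html);
printf("unsafe rows : %d\n", count($unsafe_rows));
printf("safe rows   : %d\n", count($safe_rows));
```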
Page 20
Testing
- Automated testing
- Eyeball inspection
- Expectation
Page 21
Drupal Security
- Direct advisories – http://drupal.org/security
- Contrib – http://drupal.org/security/contrib
- New reports: [email protected]
Page 22
Server permissions
- Computer-level security
- User uploads
  - File types
  - Sizes
  - SFTP
  - Directories
Page 23
chmod & chown
- Mode settings: three octal values
- UGO – User, Group, Other
- RWX – Read (4), Write (2), Execute (1)
- sudo chmod -R ugo+r *
- chown sets owner:group
- sudo chown -R owen:apache *
- What is +s?
Page 24
Hosting & PHP
- Up to date
- Patched applications
- eval() and other evils
- Performance
- Reliability
Page 25
Backups
- s3cmd
- rsync
- Subversion!
- Host-based recovery
Page 26
Impact of Implementation
Why I care about you: bot-nets
Appreciative users & clients
Page 27
Any questions or additional topics?
Security 101