Understanding and implementing website security


Transcript of Understanding and implementing website security

Page 1: Understanding and implementing website security

Understanding and Implementing Website Security

Page 2: Understanding and implementing website security

Pantheon.io

Hi, I’m Drew Gorton

● Director of Agency and Community Outreach, Pantheon

● Founder, Gorton Studios (2001)

● Co-founder, NodeSquirrel (2012)

● Drupal 4.4 (~2004)

● Drupal Twin Cities

● @dgorton

[email protected]

Page 3: Understanding and implementing website security

Web CMS is Risky: The Elephant in the Room

● Web Content Management is inherently dangerous

● Connected to the internet

● Edited via the internet

Page 4: Understanding and implementing website security

Data Breaches Have Become Commonplace

● http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Page 5: Understanding and implementing website security

I’m So Tiny! Surely not me?

● You are a target

● You have:

○ Computing power

○ Access to nearby systems

○ Visitors with vulnerable browsers

○ Information

○ PII? Transactions? Donations?

● Robots don’t care

Page 6: Understanding and implementing website security

Website Security Is Not Binary

● Not On or Off

● “Is my website secure?” is not a Yes / No question

https://flic.kr/p/h4TA84

Page 7: Understanding and implementing website security

Website Security: Lessons from the Real World

Safe Ratings

● Time (5 mins, 30 mins, …)

● Tools (hammer, drill, power, …)

● People (skill, number, …)

https://flic.kr/p/5GPgE1

Page 8: Understanding and implementing website security

Website Security Is a Continuum

● Perfect security is a myth

● There will always be gaps

● Be prepared

Page 9: Understanding and implementing website security

Today’s Goals: Our Agenda

● Understand the Landscape

● Have Fewer, Smaller Gaps

● Better Preparedness

● Looking at Layers of Security

https://flic.kr/p/5d4nKx

Page 10: Understanding and implementing website security

Our Layers: Drupal is Just One Piece

● Platform

○ Linux, Apache, MySQL, PHP …

● Application

○ Drupal, WordPress …

● Organizational

○ Habits, procedures, planning …

https://flic.kr/p/dp3nGo

Page 11: Understanding and implementing website security

Platform Layer: The Stack Drupal Uses

● Linux

● Apache / NGINX

● MySQL / MariaDB

● PHP

● Varnish

● Memcached / Redis

● Solr

● …

● http://www.linuxsecurity.com

https://flic.kr/p/mmgwkx

Page 12: Understanding and implementing website security

You Do Not Want This Monkey*

https://flic.kr/p/p8z6wN

Page 13: Understanding and implementing website security

Use Drupal Hosting

https://www.drupal.org/hosting

Page 14: Understanding and implementing website security

Buyer Beware: Not All Hosting Is Equal

Page 15: Understanding and implementing website security

Traditional Hosting: Even Messier in the Real World

Page 16: Understanding and implementing website security

Platform Security: There is a Better Way

Page 17: Understanding and implementing website security

Choose Hosts Wisely

How did you handle Heartbleed?

How did you handle DrupalGeddon?

Page 18: Understanding and implementing website security

Application Layer: Security in Drupal

● Configuration

● Modules

● Security Team and Procedures

● Coding Best Practices

https://flic.kr/p/9Vx4ra

Page 19: Understanding and implementing website security

Flexibility: Drupal’s Great Strength and Weakness

● (Mis)Configuration

● True or False?

● You can configure Drupal so that Anonymous Users can ____

○ Upload images

○ Change files

○ Edit the homepage

○ Turn on modules

○ Change themes

https://flic.kr/p/nze5Em

Page 20: Understanding and implementing website security

Secure Configuration: The Most Important Thing You Can Do

● Secure User 1

○ No simple passwords

○ Don’t share passwords across sites

○ Doesn’t have to be ‘admin’

● Permissions & Roles

○ Administer * is powerful

○ Administer filters can pwn site

● No PHP (!!!)

● Update module

○ Wednesdays are security releases

○ Turn it on. Get the notifications. Do them

https://flic.kr/p/5pGcyx

Page 22: Understanding and implementing website security

Security Team: Our Fearless Defenders

● Drupal 7 & 8 Core + Contrib

● Wednesdays are releases

● Process & Procedure

● Drupal 6 coverage available

https://flic.kr/p/5d4nKx

Page 23: Understanding and implementing website security

Secure Coding: Best Practices

● Writing Secure Code (Drupal.org)

● Cracking Drupal - OWASP Top 10 and Drupal

● SQL Injection

● XSS

● CSRF

https://flic.kr/p/3dvqhG

Page 24: Understanding and implementing website security

SQL Injection: As Illustrated by XKCD

db_query()

https://www.drupal.org/node/101496

http://xkcd.com/327/
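An added example, not from the slides, showing why db_query() is the answer to the XKCD problem: the string-built query beside the placeholder form, plus the query builder and a whitelist for the one thing placeholders cannot protect (identifiers). It assumes a Drupal 7 bootstrap; the function names are hypothetical.

```php
<?php
// Added example (not from the slides). Assumes Drupal 7's database API is
// loaded; the example_* function names are hypothetical.

/**
 * UNSAFE: the title is spliced straight into the SQL text, so a quote or
 * comment marker inside $title becomes part of the statement itself.
 */
function example_node_by_title_unsafe($title) {
  $sql = "SELECT nid FROM {node} WHERE title = '" . $title . "'";
  return db_query($sql)->fetchCol();
}

/**
 * SAFE: a named placeholder. The driver sends the value separately from the
 * statement, so whatever $title contains stays data and never becomes SQL.
 */
function example_node_by_title($title) {
  return db_query('SELECT nid FROM {node} WHERE title = :title', array(
    ':title' => $title,
  ))->fetchCol();
}

/**
 * SAFE: the dynamic query builder escapes conditions for you. Table and
 * column names here are fixed strings, not user input.
 */
function example_published_nodes_by_type($type, $limit = 10) {
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.type', $type)
    ->condition('n.status', 1)
    ->orderBy('n.created', 'DESC')
    ->range(0, (int) $limit);
  return $query->execute()->fetchAllKeyed();
}

/**
 * Placeholders cover values only, never identifiers. A user-chosen sort
 * column must be matched against a fixed whitelist before it reaches SQL.
 */
function example_sort_field($requested) {
  $allowed = array('created', 'changed', 'title');
  return in_array($requested, $allowed, TRUE) ? $requested : 'created';
}
```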

Page 25: Understanding and implementing website security

Secure Coding: Best Practices

● JavaScript to run browser actions

● Up to 64% of websites vulnerable

● Everything you can do, XSS can do better

● Use Filters! check_url(), check_plain(), filter_xss(), filter_xss_admin(), check_markup()

● t() function

● https://www.drupal.org/node/28984

https://flic.kr/p/5ALBHy
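An added example, not from the slides, of which filter from the list above fits which output context in Drupal 7, including the t() placeholder rules. It assumes a Drupal 7 bootstrap; the inputs and example_* function names are constructed.

```php
<?php
// Added example (not from the slides). Assumes Drupal 7 so check_plain(),
// filter_xss(), check_markup(), check_url() and t() exist. Inputs are
// constructed; the example_* names are hypothetical.

// Constructed untrusted inputs, as a user might submit them.
$user_name = 'Mallory <script>alert(1)</script>';
$bio = 'I like <b>bold</b> text <img src=x onerror="alert(1)">';

/**
 * Plain text placed into HTML: escape everything with check_plain().
 * < > & " become entities, so the script tag renders as inert text.
 */
function example_render_name($name) {
  return '<span class="username">' . check_plain($name) . '</span>';
}

/**
 * User HTML where a few tags are wanted: filter rather than escape.
 * Only the listed tags survive; the <img> and its onerror attribute are gone.
 */
function example_render_bio($bio) {
  return filter_xss($bio, array('a', 'em', 'strong', 'b', 'p'));
}

/**
 * t() placeholders decide the escaping: @var is run through check_plain(),
 * %var is check_plain()ed and wrapped in <em>, !var is inserted raw.
 * Use ! only for values that are already safe HTML.
 */
function example_welcome($name) {
  return t('Welcome back, @name!', array('@name' => $name));
}

/**
 * Body text stored with a text format: check_markup() applies that format's
 * filter chain, so the site administrator decides what filtered_html allows.
 */
function example_render_body($body, $format = 'filtered_html') {
  return check_markup($body, $format);
}

/**
 * URLs in attributes: check_url() strips dangerous protocols such as
 * javascript: and then escapes the result for an HTML attribute.
 */
function example_render_link($url, $label) {
  return '<a href="' . check_url($url) . '">' . check_plain($label) . '</a>';
}
```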

Page 26: Understanding and implementing website security

Secure Coding: Best Practices

● Actions on another site

● <a href="http://bank.com/xfer.do?acct=123&amt=10000">View my Pictures!</a>

● Forms API, drupal_get_token(), drupal_valid_token()

● https://www.drupal.org/node/178896

https://flic.kr/p/bSkp8r
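An added example, not from the slides, of the defence the slide names: a state-changing link protected with drupal_get_token() / drupal_valid_token(), beside the Form API form that gets the same protection automatically. It assumes Drupal 7; the module name example, the path and the callbacks are hypothetical.

```php
<?php
// Added example (not from the slides). Assumes Drupal 7. The module name
// "example", the menu path and all function names are hypothetical.

/**
 * Implements hook_menu(): a GET link that changes state, the CSRF classic.
 */
function example_menu() {
  $items['example/unsubscribe/%'] = array(
    'page callback' => 'example_unsubscribe',
    'page arguments' => array(2),
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Builds the link. The token is derived from the value AND the visitor's
 * session, so a copy of this URL embedded in another site does not validate
 * for anyone but the user who was shown it.
 */
function example_unsubscribe_link($list_id) {
  return l(t('Unsubscribe'), 'example/unsubscribe/' . $list_id, array(
    'query' => array('token' => drupal_get_token('example_unsubscribe_' . $list_id)),
  ));
}

/**
 * Page callback: refuse the request unless the token matches this list id.
 */
function example_unsubscribe($list_id) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'example_unsubscribe_' . $list_id)) {
    return MENU_ACCESS_DENIED;
  }
  // The state change would happen here; then leave the page.
  drupal_set_message(t('You have been unsubscribed.'));
  drupal_goto('<front>');
}

/**
 * Form API alternative: for logged-in users drupal_prepare_form() adds a
 * hidden form_token and form validation rejects submissions without it,
 * so a plain form needs no token code of its own.
 */
function example_unsubscribe_form($form, &$form_state, $list_id) {
  $form['list_id'] = array('#type' => 'value', '#value' => $list_id);
  $form['submit'] = array('#type' => 'submit', '#value' => t('Unsubscribe'));
  return $form;
}
```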

Page 27: Understanding and implementing website security

Organization Layer: Secure Processes

● Safe Network Usage

● Secure Code Management

● Secure Support

https://flic.kr/p/5kaEda

Page 28: Understanding and implementing website security

Secure Networking: Build Good Habits

● HTTPS / SSL

○ LetsEncrypt.org

○ CloudFlare

○ Others

● SFTP (No FTP!)

● Wireless Caution

https://flic.kr/p/6v1J1m

Page 29: Understanding and implementing website security

Secure Code Management: Take care of your code

● Use Version Control Software (VCS) like Git

● Sanitize Data on transfer - drushcommands.com/drush-8x/sql/sql-sanitize

● Secure your Keys - https://lockr.io

https://flic.kr/p/9BkXKV

Page 30: Understanding and implementing website security

Secure Support: Take care of your clients

● Catalog your sites

● Wednesdays - be ready

● Who is responsible?

● Who helps them?

● How do they escalate?

● Emergency Procedures

● Run the drill!

https://flic.kr/p/rEwbwL

Page 31: Understanding and implementing website security

In Summary

● Use a secure (reliable, performant) Drupal host

● Configure Drupal carefully

● Use Security-enhancing Drupal modules

● Follow Drupal coding best practices

● Use secure communications (HTTPS, SFTP, …)

● Have secure code management habits

● Have clear support practices and procedures

Page 32: Understanding and implementing website security

Questions? Polly Wants a Cracker!

● @dgorton

[email protected]

https://flic.kr/p/pqiJNt