Verifying Drupal modules with OWASP ASVS 2014 (European Drupal Days 2015)
0 likes476 views
This document outlines the schedule and content for a workshop on verifying Drupal modules using OWASP ASVS 2014. The workshop will involve setting up a vulnerable Drupal 7 site using VirtualBox and Vagrant, learning about security standards and ASVS chapters, auditing the site against ASVS requirements, fixing any issues found, and selected participants presenting their results. The day-long workshop schedule includes sessions for setup and theory, auditing, fixing issues, a break, more fixing, and concluding presentations.
![#DrupalDaysEU
© Ibuildings 2014/2015 - All rights reserved
<?php
global $requirements;
$report = "";
do {
$requirement = array_pop ( $requirements ) ;
$audit_results = do_audit_with ( $requirement );
$report .= $audit_results;
$requirements[] = $requirement;
} while (time() < strtotime('2015-03-19 12:30:00 CET'))
auditing.php](https://image.slidesharecdn.com/2015-drupal-sdlc-workshop-150323073150-conversion-gate01/85/Verifying-Drupal-modules-with-OWASP-ASVS-2014-European-Drupal-Days-2015-22-320.jpg)
Verifying Drupal modules with OWASP ASVS 2014 (European Drupal Days 2015)
- 1. © Ibuildings 2014/2015 - All rights reserved #DrupalDaysEU Verifying Drupal modules with OWASP ASVS 2014
- 2. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved Gold Sponsors
- 3. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved Media Sponsors Silver Sponsors
- 4. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved During this workshop we'll be going more in-depth into how to audit a Drupal site. We'll be using OWASP ASVS 2014 and a Drupal 7 site which you will have to prove to be vulnerable. Intro
- 5. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved During this interactive workshop we'll be discussing and demonstrating basic and advanced examples of the following vulnerabilities: - Injection of various kinds (JavaScript, HTML, SQL, XML, etc) - Missing Authentication or Authorization - Cross Site Request Forgery (CSRF) - Denial of Service - Abuse of functionality - Information Leakage - and more. A laptop with VirtualBox installed is advised. Intro
- 6. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved • 09:30 - 10:00 Setup & Theory • 10:00 - 11:00 Auditing • 11:00 - 11:30 Fixing • 11:30 - 12:30 Break • 12:30 - 13:00 Fixing • 13:00 - 13:30 Presenting Schedule
- 7. © Ibuildings 2014/2015 - All rights reserved Setup
- 8. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved • VirtualBox • Vagrant • https://github.com/ibuildingsnl/insecured7 InsecureD7
- 9. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved • /Volumes/IBUILDINGS/edd15-verify-workshop/vm/insecured7.ova • Shared folder • /etc/fstab • Host-only network • Symlink: ln -sf src docroot/profiles/insecured7 Getting the VM up and running
- 10. © Ibuildings 2014/2015 - All rights reserved Theory
- 11. © Ibuildings 2014/2015 - All rights reserved This is the Talk Title and it could be very long, for example on two lines or more
- 12. © Ibuildings 2014/2015 - All rights reserved This is the Talk Title and it could be very long, for example on two lines or more level 1 level 2 level 3 chapter 1 1.1 1.2 1.3 X X X X X X chapter 2 2.1 2.2 2.3 X X X X X X X X
- 13. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved • Level 0 - Bullshit compliance level (0) • Level 1 - Opportunistic (47) • Level 2 - Standard (136) • Level 3 - Advanced (164) Level up!
- 14. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved • V1. Authentication • V2. Session Management • V3. Access Control • V4. Input Validation • V5. Cryptography (at Rest) • V6. Error Handling and Logging • V7. Data Protection ASVS Chapters • V8. Communication Security • V9. HTTP Security • V10. Malicious Controls • V11. Business Logic • V12. Files and Resources • V13. Mobile
- 15. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved V1.4. Verify that credentials and all other identity information handled by the application does not traverse unencrypted or weakly encrypted links. (level 1, 2 & 3) An example
- 16. © Ibuildings 2014/2015 - All rights reserved
- 17. © Ibuildings 2014/2015 - All rights reserved This is the Talk Title and it could be very long, for example on two lines or more
- 18. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved • Content-Security-Policy • X-Frame-Options • X-Content-Type-Options • HTTP Strict Transport Security (HSTS) Security Kit http://ibuildings.nl/blog/2013/03/4-http-security- headers-you-should-always-be-using
- 19. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved Adds the 'modules-usages-status' (mus) Drush command. Generate a CSV listing of all modules with their versions and associated usage counts. This can be used as input into security auditing scope. Drupal Security Tool Usage
- 20. © Ibuildings 2014/2015 - All rights reserved Questions?
- 21. © Ibuildings 2014/2015 - All rights reserved Auditting
- 22. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved <?php global $requirements; $report = ""; do { $requirement = array_pop ( $requirements ) ; $audit_results = do_audit_with ( $requirement ); $report .= $audit_results; $requirements[] = $requirement; } while (time() < strtotime('2015-03-19 12:30:00 CET')) auditing.php
- 23. © Ibuildings 2014/2015 - All rights reserved Break
- 24. © Ibuildings 2014/2015 - All rights reserved Fixing
- 25. © Ibuildings 2014/2015 - All rights reserved
- 26. © Ibuildings 2014/2015 - All rights reserved Presenting
- 27. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved 5 lucky participants will give a 5 minute presentation on their results from the audit and fixing. Presenting
- 28. © Ibuildings 2014/2015 - All rights reserved The End