Security by Design: An Introduction to Drupal Security
- 1. An Introduction to Drupal Security Security by Design:
- 2. Intros Chris Teitzel @technerdteitzel /in/christeitzel Chris has been working in Drupal for almost 8 years. During that time he has worked on projects spanning the globe in front-end design, e-commerce and security. His passion is for making technology accessible to all skillsets. Founder / CEO Lockr 2
- 3. Intros Luke Probasco Presenter Photo @geetarluke /in/lukeprobasco/ Manages Drupal business for Townsend Security. DrupalCon, Camp, and Summit speaker. Security professional. Music enthusiast. Drupal GM/Townsend Security 3
- 4. Intros Mark Shropshire (shrop) @shrop /in/markshropshire drupal.org Mark brings 20 years of experience leading technical teams to his role as Mediacurrent’s Open Source Security Lead. He is a leader in tech community organizing, blogging, podcasting, and public speaking within the Drupal community. Mark is passionate about architecting systems to solve workflow problems and improve efficiencies using open source software. He is also the maintainer of the Guardr Drupal security module suite. Mediacurrent Open Source Security Lead 4
- 5. Style Guide Contents Security by design in Drupal Encrypting sensitive data Key management (encryption & API)4 3 2 1 5 Site audit and security best practices Resources to improve security5 Style Guide6 Takeaways
- 6. Security by design in Drupal1
- 8. 8 Compliance, Security, and You ● Data discovery ● PCI DSS, HIPAA, GDPR, etc. ● Hosting and compliance ● See your security team for internal policies and controls Security by Design
- 9. 9 Keep Drupal Secure ● Keep Core and contrib modules up to date ● Use Drupal API ● Use version control ● Use social and enterprise login ● Use secure passwords ● Two factor authentication ● Log and review logs (watchdog and additional contrib) ● Don’t forget about infrastructure security Security by Design
- 10. 10 Security in Custom Modules ● Never trust user input ○ Filter plain text with check_plain() or t() ○ Filter HTML with filter_xss() ● Query properly ○ Do not concatenate values into db_query() ○ Instead use parameterized values %s %d %f %b ● Do not output db values directly (don’t trust user input) ● Protect user input - think before you save Security by Design
- 11. Site audit and security best practices2
- 12. 12 What is an audit? ● Review by someone not on the team ○ (internal or external) ● Review of software systems ● Review of supporting infrastructure ● Review of other related systems Site audit and security best practices
- 13. 13 Performing an audit ● Collect data manually and with tools ○ Analyze the data ○ Prioritize findings ● Eliminate false positives ● Complete usable report(s) Site audit and security best practices
- 14. 14 OWASP Top 10 Most Critical Web Application Security Risks ● Injection ● Weak authentication and session management ● XSS ● Insecure Direct Object References ● Security Misconfiguration ● Sensitive Data Exposure ● Missing Function Level Access Control ● Cross Site Request Forgery ● Using Components with Known Vulnerabilities ● Unvalidated Redirects and Forwards Site audit and security best practices
- 15. 15 Drupal audit tools ● Drupal Core reports ● Site Audit ● Security Review ● Sensitive Data ● Hacked! ● Coder ● Review of site config, users, permissions, and roles ● Manual code review Site audit and security best practices
- 17. 17 Encrypting Data in Drupal ● There is no native way to encrypt data in Drupal ● Compliance and risk management drive encryption ● Use encryption based on industry standards ● Use cryptographically strong keys - no passwords! ● See NIST Special Publication 800-57 for more info Encrypting Sensitive Data
- 18. 18 What Encryption Should I Use? ● Use AES, RSA, Triple DES, or other standard methods ● Beware of non-standard encryption ● Example: Homomorphic Encryption ○ Has not received wide review and acceptance ○ Cannot be certified by a standards body ○ Cannot achieve FIPS 140-2 validation ○ Compliance regulations prohibit its use Encrypting Sensitive Data
- 19. Key management (encryption & API)4
- 20. 20 McDonald's has acknowledged that a leaky API exposed personal information for users of its McDelivery mobile app in India. The flaw exposed names, email addresses, phone numbers, home addresses and sometimes the coordinates of those homes, as well as links to social media profiles. BankInfoSecurity.com Key Management
- 21. 21 Our review has shown that a threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US... Through the AWS API, the actor created several instances in our infrastructure to do reconnaissance. OneLogin.com Key Management
- 22. 22 Payment Gateways Email Marketing SMTP Relays Authentication Shipping Cloud Providers Encryption APIs Key Management
- 23. Resources to improve security5
- 24. 24 Encryption Modules ● Encrypt ● FieldEncrypt ● Real AES ● Encrypt User ● Encrypted Files ● Webform Encrypt Resources to Improve Security
- 25. 25 Key Management Modules ● Key ● Townsend Security Key Connection ● Lockr Resources to Improve Security
- 26. 26 Guardr Guardr is a Drupal distribution with a combination of modules and settings to enhance a Drupal application's security and availability to meet enterprise security requirements. https://drupal.org/project/guardr Resources to Improve Security
- 27. Takeaways6