secure drupal development
play

Secure Drupal Development Steven Van den Hout Steven Van - PowerPoint PPT Presentation

Feb 04, 2024 •114 likes •641 views

Secure Drupal Development Steven Van den Hout Steven Van den Hout @stevenvdhout http://dgo.to/@svdhout SECURE? 1 IS D DRUPAL AL S IS OPEN SOURCE SECURE? MANY EYES MAKE FOR SECURE CODE - Security by obscurity - Open

  1. Secure ¡Drupal ¡Development ¡ Steven ¡Van ¡den ¡Hout ¡

  2. Steven Van den Hout @stevenvdhout http://dgo.to/@svdhout

  3. SECURE? 1 IS D DRUPAL AL S

  4. IS OPEN SOURCE SECURE? MANY EYES MAKE FOR SECURE CODE - Security by obscurity - Open code does not make it easier for hackers - Open Source makes people look at it - Popularity gets more eyes and more peer-reviews • Bad open-source software as bad • as bad private software.

  5. OWASP VULNERABILITIES - Injection - Cross Site Scripting - XSS - Broken Authentication and Session Management - Cross Site Request Forgery - CSRF - Security Misconfguration - Failure to Restrict URL Access ¡ - Access bypas

  6. REPORTED VULNERABILITIES

  7. IS DRUPAL SECURE? - Safe by design (Core and API) - Security Team - Highly organised - Documented process for Security Advisories and Updates - Thousands of maintainers, users and experts - Support: Drupal 6/7, Core & Contributed Modules

  8. RE 2 KEEP Y YOUR DRUPAL AL W WEBSITE SE SECU CURE

  9. SECURITY IS A PROCESS NOT AN EVENT

  10. A DRUPAL SECURITY RELEASE • FROM REPORTED ISSUE TO SECURITY UPDATE

  13. PRIVATE DISCLOSURE YOU’RE SAFE UNTIL RELEASE SECURITY UPDATE

  14. UPDATES ¡ Always stay up to date - Keep up with latest security releases Update Work fl ow - Hacked module + di ff - Drush up

  15. UPDATE MANAGER KNOW WHEN AN UPDATE IS NEEDED

  16. STATUS MONITORING INSIGHT INTO HEALTH OF YOUR DRUPAL WEBSITE Tools - Droptor.com (https://drupal.org/project/droptor) - Acquia Insight (https://drupal.org/project/ acquia_connector) - Nagios (https://drupal.org/project/nagios) - Drupalmonitor.com (https://drupal.org/project/ drupalmonitor) - …

  18. WEBSITE 3 BUILD A S A SECURE D DRUPAL AL W

  19. CONTRIBUTED MODULES

  20. CONTRIBUTED MODULES Quality assurance - Usage - Number of open issues - Closed/Open ratio Response time - ¡ Good quality usually means good security ¡ ¡ Manual code reviews for less used modules ¡ ¡ ¡

  21. UPDATES ¡ Always stay up to date - Keep up with latest security releases Update Work fl ow - Hacked module + di ff - Drush up

  22. PATCHES ¡ Contrib patches ¡ Read the entire issue ¡ ¡ Commit custom patches ¡ Help out ¡ Feedback from other users (maintainers) ¡ Patch might get commited ¡ ¡ ¡ Patch management ¡ Move module to patched ¡ Create a patches.txt ¡ Keep patches ¡ ¡ ¡

  23. CUSTOM MODULES

  24. SECURITY PYRAMID ¡ Theme ¡ ¡ ¡ ¡ DB API ¡ Form API ¡ Menu & Node Access ¡

  25. HAC ACKS AN AND H HOW T TO P O PREVENT T THEM

  26. SQL INJECTION ¡ h4p://xkcd.com/327/ ¡ "SELECT * FROM user WHERE name = '$name'" ¡ ¡ "SELECT * FROM user WHERE name = 'Robert'; DROP TABLE students;'" ¡ ¡ ¡

  27. SQL INJECTION ¡ Placeholders ¡ ¡ ¡ db_query(“SELECT * FROM users WHERE name = :user”, array(':user' => $user); ¡ ¡ ¡ Dynamic Queries ¡ ¡ ¡ ¡ $query = db_select('user', 'u') ¡ -> fi elds('u') ¡ ->where('name', $user) ¡ ->execute(); ¡

  28. XSS (cross site scripting) ¡ EXECUTING ABRITRARY JAVASCRIPT CODE ON THE PAGE

  29. XSS (cross site scripting) ¡ User Input ¡ ¡ ¡ Title ¡ Body ¡ Log message ¡ Url ¡ Post ¡ User-Agent ¡ Headers ¡ ¡ ¡

  30. XSS (cross site scripting) ¡ Validate forms ¡ ¡ ¡ User input should never contain javascript ¡ ¡ ¡ Form api ¡ ¡ ¡ ¡ Never use $_POST variables ¡ $form_state['values'] ¡ ¡ Form caching ¡

  31. XSS (cross site scripting) ¡ Input formats ¡ Filter Functions ¡ check_url() ¡ Never use full_html ¡ ¡ ¡ ¡ check_plain() ¡ ¡ ¡ ¡ check_markup() ¡ ¡ fi lter_xss() ¡

  32. XSS (cross site scripting) ¡ h4p://drupalscout.com/knowledge-­‑base/drupal-­‑text-­‑filtering-­‑cheat-­‑sheet-­‑drupal-­‑6 ¡

  33. XSS (cross site scripting) ¡ Functions ¡ ¡ ¡ ¡ t() ¡ @var => plain text ¡ ¡ %var => plain text ¡ !var => full html! ¡ l() drupal_set_title() ¡ ¡ ¡

  34. CSRF (cross site request forgery) ¡ Taking action without con fi rming intent ¡ ¡ ¡ <a href=”/delete/user/1”>Delete user 1</a> ¡ ¡ ¡ Image Tag ¡ ¡ ¡ ¡ <img src=”/delete/user/1”> ¡ A hacker posts a comment to the administrator. ¡ When the administrator views the image, user 1 gets deleted ¡ ¡ ¡

  35. CSRF (cross site request forgery) ¡ Token (aka Nonce) ¡ ¡ ¡

  36. ACCESS BYPASS ¡ VIEW CONTENT A USER IS NOT SUPPOSED TO

  37. ACCESS BYPASS ¡ View content a user is not supposed to ¡ ¡ ¡ $query = db_select('node', 'n')-> fi elds('n'); ¡ Also shows nodes that user doesn't have acces to ¡ ¡ ¡ $query->addTag('node_access') ¡ ¡ ¡ ¡ Rewrite the query based on the node_access table ¡

  38. ACCESS BYPASS ¡ Bad custom caching ¡ ¡ ¡ Administrator visits a block listing nodes. ¡ The block gets cached ¡ ¡ The cached block with all nodes is shown to the anonymous user ¡ ¡ Add role id to custom caching ¡

  39. ACCESS BYPASS ¡ Rabbit_hole module ¡ ¡ ¡ Rabbit Hole is a module that adds the ability to control what should happen when an entity is being viewed at its own page. Page manager can do the same. ¡ Field access ¡ ¡ ¡ $form['#access'] = custom_access_callback(); ¡ ¡ Menu access ¡ ¡ ¡ ¡ $item['access callback'] = 'custom_access_callback', ¡

  40. CORRECT USE OF API ¡ Form API ¡ Validation Form state Drupal_valid_token ¡ ¡ DB API ¡ db_select, db_insert, placeholders ¡ $query->addTag(‘node_access’); ¡ ¡ ¡ Filter ¡ check_url, check_plain, check_markup, fi lter_xss, … ¡ t(), l(), drupal_set_title(), … ¡ ¡ ¡

  41. THEMES

  42. THEMES ¡ Themer not responsible ¡ ¡ ¡ Preprocess functions ¡ ¡ ¡

  43. CONFIGURATION

  44. PERMISSIONS ¡ Permission management ¡ ¡ ¡ If Joe from advertising can give the full html fi lter format to anonymous user, don't bother to think about security ¡ ¡ ¡ Split up permissions ¡ ¡ ¡ The default permissions don't cover every use case ¡ ¡ ¡

  45. PERMISSIONS ¡

  46. FILTER FORMATS ¡ Never use full_html ¡ Never use php fi lter ¡ ¡ ¡ Use a custom module for code ¡ ¡ ¡ Use fi ltered_html instead. ¡ Versioning ¡ ¡ Bad performance (eval) ¡ ¡ ¡ ¡

  47. CHECKLIST

  48. CHECKLIST ¡ Never use ¡ Permissions ¡ ¡ Trusted users only full_html ¡ Split up permissions Php fi lter ¡ ¡ ¡ ¡ ¡ API ¡ ¡ ¡ Preprocess functions ¡ check_plain, fi lter_xss ¡ DB API ¡ Form API ¡ Tokens ¡ Menu/Node Access ¡

  49. GREAT ¡ HOW ABOUT DRUPAL 8?

  50. FURTHER READING

  51. FURTHER READING ¡ Books ¡ Cracking Drupal !! ¡ Pro Drupal Development Online ¡ https://drupal.org/writing-secure-code ¡ https://drupal.org/node/360052 ¡ http://munich2012.drupal.org/program/sessions/think-hacker-secure-drupal-code.html ¡ http://drupalscout.com/knowledge-base ¡ Video ¡ How to avoid All your base are belong to us (drupalcon Denver) ¡ ¡ ¡

Recommend

Why Im looking forward to Drupal 8 Who Am I? Jim Taylor drupal.org/u/bigjim @jalama

Why Im looking forward to Drupal 8 Who Am I? Jim Taylor drupal.org/u/bigjim @jalama

Why Im looking forward to Drupal 8 Who Am I? Jim Taylor drupal.org/u/bigjim @jalama Currently: Manager, Web Development @ Highlights for Children Yes Were Hiring! Started with Drupal in 2007 (Drupal 5.2) Past Roles: Owned a small

546 views • 31 slides
The Story of an Insecure Module Secure Drupal Development Intros Mark Shropshire (shrop) Open

The Story of an Insecure Module Secure Drupal Development Intros Mark Shropshire (shrop) Open

The Story of an Insecure Module Secure Drupal Development Intros Mark Shropshire (shrop) Open Source Security Lead Mark brings 20 years of experience leading technical teams to his role as Mediacurrents Open Source Security Lead. He is a

594 views • 38 slides
Drupal Basics an introduction to Drupal This introductory session will get the Drupal juices

Drupal Basics an introduction to Drupal This introductory session will get the Drupal juices

Drupal Basics an introduction to Drupal This introductory session will get the Drupal juices flowing, and help give a broad overview of Drupal jargon, Drupal Architecture &amp; the Drupal Community... May 21st, 2010 - SNHU, Manchester, NH

1.12k views • 52 slides
THE LEADER IN DRUPAL PLATFORM DESIGN AND DEVELOPMENT Saturday, February 2, 13 TESTING DRUPAL WITH

THE LEADER IN DRUPAL PLATFORM DESIGN AND DEVELOPMENT Saturday, February 2, 13 TESTING DRUPAL WITH

THE LEADER IN DRUPAL PLATFORM DESIGN AND DEVELOPMENT Saturday, February 2, 13 TESTING DRUPAL WITH GHOSTS AND GHERKINS USING CASPERJS AND BEHAT TO TEST DRUPAL SITES Saturday, February 2, 13 STEVEN MERRILL Director of Engineering

1.54k views • 63 slides
Introduction to Drupal Andrew Rudy Outline What is Drupal Why use Drupal (Pros and

Introduction to Drupal Andrew Rudy Outline What is Drupal Why use Drupal (Pros and

Introduction to Drupal Andrew Rudy Outline What is Drupal Why use Drupal (Pros and Cons) Examples of what Drupal can do How to download and install Drupal How to use Drupals user interface What is Drupal? Drupal

319 views • 18 slides
FormAPI + Drupal 8 Form and AJAX Mikhail Kraynuk Mikhail Kraynuk Drupal Senior Developer About

FormAPI + Drupal 8 Form and AJAX Mikhail Kraynuk Mikhail Kraynuk Drupal Senior Developer About

FormAPI + Drupal 8 Form and AJAX Mikhail Kraynuk Mikhail Kraynuk Drupal Senior Developer About my experience in Drupal development Development Project management Drupal audit Drupal Localization Mikhail Kraynuk Drupal

625 views • 21 slides
Entity storage, the Drupal 8 way Francesco Placella Coding and development -

Entity storage, the Drupal 8 way Francesco Placella Coding and development -

Entity storage, the Drupal 8 way Francesco Placella Coding and development - http://bit.ly/d8-esa About me Francesco Placella, plach on drupal.org, from Venice, Italy Senior Performance Engineer at Tag1 Consulting Working with Drupal

633 views • 39 slides
Mostly Core Constructing real world sites [mostly] using Drupal 8 core Karen Stevenson

Mostly Core Constructing real world sites [mostly] using Drupal 8 core Karen Stevenson

Mostly Core Constructing real world sites [mostly] using Drupal 8 core Karen Stevenson DrupalCamp Florida March 2016 Drupal Drupal Drupal Drupal Drupal Drupal Drupal User Stories Demo Site Drupal 8 core Bootstrap subtheme

537 views • 24 slides
Toward a Field Study on the Impact of Hacking Competitions on Secure Development Daniel Votipka ,

Toward a Field Study on the Impact of Hacking Competitions on Secure Development Daniel Votipka ,

Toward a Field Study on the Impact of Hacking Competitions on Secure Development Daniel Votipka , Hongyi Hu, Bryan Eastes, and Michelle L. Mazurek 12 Aug 2018 SECURE DEVELOPMENT 2 SECURE DEVELOPMENT 2 SECURE DEVELOPMENT 2 SECURE

565 views • 39 slides
Project a Secure Web 2.0 (using Drupal) Paolo Ottolino PMP CISSP-ISSAP CISA CISM OPST ITIL

Project a Secure Web 2.0 (using Drupal) Paolo Ottolino PMP CISSP-ISSAP CISA CISM OPST ITIL

Project a Secure Web 2.0 (using Drupal) Paolo Ottolino PMP CISSP-ISSAP CISA CISM OPST ITIL paolo.ottolino (at) isc2chapter-italy.it May XX, 2016 Agenda Web 2.0 &amp; CMS CMS Cyber Risk Drupal Security Agenda Web 2.0 &amp; CMS Needs,

286 views • 26 slides
DRUPAL [ REMOTELY ] Is Remote Drupal Employment For You? Gray Sadler, Drupal Developer Drupal

DRUPAL [ REMOTELY ] Is Remote Drupal Employment For You? Gray Sadler, Drupal Developer Drupal

DRUPAL [ REMOTELY ] Is Remote Drupal Employment For You? Gray Sadler, Drupal Developer Drupal Camp 2014 | Orlando, Florida DRUPAL [ REMOTELY ] WHATS ON THE MENU TODAY? Working Remotely Challenges Finding Remote Employment [

578 views • 19 slides
Automating Drupal Migrations How to go from an Estimated One Week to Two Minutes Down Time

Automating Drupal Migrations How to go from an Estimated One Week to Two Minutes Down Time

Automating Drupal Migrations How to go from an Estimated One Week to Two Minutes Down Time About Dan Harris Founder Webdrips.com Drupal-based web design and development shop Founded in July, 2011. Nine years Drupal experience

1.08k views • 38 slides
2016-09-28 Routing in Drupal 9, and lessons learned in Drupal 8 Peter Wolanin

2016-09-28 Routing in Drupal 9, and lessons learned in Drupal 8 Peter Wolanin

2016-09-28 Routing in Drupal 9, and lessons learned in Drupal 8 Peter Wolanin drupal.org/u/pwolanin Track: Core Conversations events.drupal.org/dublin2016/sessions/routing-drupal-9-and-lessons-learned-drupal-8 This is a Conversation If I get

631 views • 23 slides
Why Drupal, Why Now? Real Impact: 7 (-ish) Case Studies of Drupal in Government Monday, December

Why Drupal, Why Now? Real Impact: 7 (-ish) Case Studies of Drupal in Government Monday, December

Why Drupal, Why Now? Real Impact: 7 (-ish) Case Studies of Drupal in Government Monday, December 12, 11 1 First, Why Open Source? No vendor lock-in (own your data) Extensibility: a voice in future development Benefit from the Community,

399 views • 28 slides
Drupal for Designers Not decorating on top of what Drupal gives you, but rather, letting

Drupal for Designers Not decorating on top of what Drupal gives you, but rather, letting

Drupal for Designers Not decorating on top of what Drupal gives you, but rather, letting Drupals default behavior simply provide a guide for your design. Drupal for Designers by Dani Nordin http://my.safaribooksonline.com

736 views • 26 slides
Speed Up Drupal 8 deliveries with CICD Pipeline gobinathm 1 GM Agenda DevOps in Drupal

Speed Up Drupal 8 deliveries with CICD Pipeline gobinathm 1 GM Agenda DevOps in Drupal

Speed Up Drupal 8 deliveries with CICD Pipeline gobinathm 1 GM Agenda DevOps in Drupal Benefits of our Adaptation 2 Who am I Platform Architect / Technical Manager Works in Web / Mobile Application Development, with

573 views • 10 slides
Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Hello My Name Is Frank

Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Hello My Name Is Frank

Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Hello My Name Is Frank Hello My Name Is Frank I am a Christian, Father, and Technology Enthusiast. Online my name is frob (IRC, d.o, github) On Twitter I am @frobdfas My Blog

616 views • 44 slides
Security In Drupal By Snehamay &amp; Monoj Implement Basic Securities : Use - Most updated

Security In Drupal By Snehamay &amp; Monoj Implement Basic Securities : Use - Most updated

Security In Drupal By Snehamay &amp; Monoj Implement Basic Securities : Use - Most updated module versions - Secure communication like SSH, sFTP, FTPS, and HTTPS - Strong Case sensitive Passwords - Secure communication like SSH, sFTP, FTPS,

473 views • 24 slides
15+ Ways to Debug Drupal 8 Zakiya Khabir Drupal Developer, Chapter Three Why this talk?

15+ Ways to Debug Drupal 8 Zakiya Khabir Drupal Developer, Chapter Three Why this talk?

Stanford Drupal Camp 15+ Ways to Debug Drupal 8 Zakiya Khabir Drupal Developer, Chapter Three Why this talk? End of dpm() Kint complaints Rumors of a better way Audience D7 front-enders New to Drupal Current D8 devs

1.41k views • 48 slides
How Drupal serves global biosecurity Joshua Li Senior Drupal Developer Technocrat About me

How Drupal serves global biosecurity Joshua Li Senior Drupal Developer Technocrat About me

Birds, bees and monster fish: How Drupal serves global biosecurity Joshua Li Senior Drupal Developer Technocrat About me Drupal dev in Technocrat Australia Drupal ID: rli Public sector Twitter: rujiali Module maintainer My

614 views • 30 slides
Taking Drupal development to the Cloud Karel Bemelmans About me Working with Internet based

Taking Drupal development to the Cloud Karel Bemelmans About me Working with Internet based

Taking Drupal development to the Cloud Karel Bemelmans About me Working with Internet based services since 1996 Working with Drupal since 2011 Currently the devops guy @ Nascom Case Study: Nascom Genk, Belgium Service

867 views • 38 slides
Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Speaker notes Talk to me

Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Speaker notes Talk to me

Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Speaker notes Talk to me Drupal; Using Drupal to power a Voice App You should be able to follow along by visiting the link below. If you have an Echo device, please mute the

1.67k views • 87 slides
What Can Drupal Do For You? Drupal is wildly popular because it provides a powerful, scalable,

What Can Drupal Do For You? Drupal is wildly popular because it provides a powerful, scalable,

What Can Drupal Do For You? Drupal is wildly popular because it provides a powerful, scalable, low cost, high value solution to manage and grow an internet presence. ~cmswebsiteservices.com About Seth - Who is this guy? Seth Cohn Drupal

671 views • 53 slides
DRUPAL TO DRUPAL MIGRATIONS, DECONSTRUCTED DrupalCamp Chattanooga June 16, 2018 About Promet

DRUPAL TO DRUPAL MIGRATIONS, DECONSTRUCTED DrupalCamp Chattanooga June 16, 2018 About Promet

DRUPAL TO DRUPAL MIGRATIONS, DECONSTRUCTED DrupalCamp Chattanooga June 16, 2018 About Promet Source Founded in 2003, Promet Source Promet realigned its core services With headquarters in Chicago and is a web design and development and

881 views • 29 slides

More recommend