Mnescot cms security
Establishing IT Security Credibility & Expertise
CMS Security and Federal IT Requirements: Drupal vs. The Field
Mike Nescot, JBS International
MS, MHA, CISSP, PMP, MCTS, Security+; Author: Professional Cyber-Tunneling and Cross-Dressing (Rocks Press)
Platinum Diamond
Uber Status
But seriously…
CMS Security and Federal IT Requirements: Drupal vs. The Field
Mike Nescot, JBS International
http://drupal.jbsinternational.com
Marketing Drupal
CMS Security: Expanding Complexity
Comparison
• Drupal (http://drupal.org)
• Joomla (http://joomla.org)
• WordPress (http://wordpress.org)
• Liferay (http://liferay.org)
• SharePoint (http://sharepoint.org)
Comparison Points
• Code Repository
• API Security
• Security Management Model
• Security Controls and Tools: FISMA
Repository
• Drupal: Open source, Git, drupal.org
• Joomla: Open source, Git, GitHub
• WordPress: Open source, Git mirror of SVN on wordpress.org
• SharePoint: Closed source, ?, TFS
• Liferay: Open source community edition, Git, GitHub
FreeBSD Compromise vs. Linux Kernel.org Compromise
API
• Drupal: PHP, procedural hook system > modularity: PSR-2/Symfony
• Joomla: PHP, design patterns-based, OO, MVC
• WordPress: PHP, hook system (actions & filters)
• SharePoint: .NET, server and client object model > app model & REST
• Liferay: Java, JVM, internal and external API, portlet, MVC portlet, JSF
API Security
• Drupal: Input filters (t(), check_plain(), filter_xss(), db_query() with placeholders); entities; form tokens; auth cookies; password hashing & salting (SHA-512); Twig
• Joomla: Filters (JRequest, JFactory::getDBO())
• WordPress: Filters (wp_filter_kses(), $wpdb)
• Liferay: Security Manager: Portal Access Control List (PACL), AntiSamy Hook (OWASP), DB Service Builder, Velocity
• SharePoint: SharePoint Object Model, .NET HTTP request validation, Apps, Master Pages
Vulnerabilities: NVD (3 years: high/medium)
• Drupal (192): XSS, script insertion, SQL injection, access bypass, file upload, code execution, CSRF, DoS, privilege escalation
• Joomla (171): SQL injection, XSS, file inclusion, information disclosure, code execution, file upload, directory traversal
• WordPress (233): file upload, SQL injection, XSS, CSRF, information disclosure, access bypass, DoS
• SharePoint (27): access bypass, XSS, object code execution, DoS, buffer overflow
• Liferay (3): access bypass, XSS, DoS, directory traversal
WordPress Plugin Vulnerabilities
• http://www.eweek.com/security/popular-wordpress-plugins-vulnerable-to-attack-checkmarx-research/
Security Management
• Drupal: Security Team: resolve issues, assist module maintainers, documentation, responsible disclosure, secure coding guide, full project review
• Joomla: Joomla Security Team: vulnerable extension list, secure coding guide
• WordPress: laissez-faire, data validation guide
• SharePoint: Service packs, app review
• Liferay: Security team (focused on core), open app marketplace
Open Source Community & Competition
• Drupal and WordPress
• Ease of Use vs. Power
• Good Enough, Means to an End
• Object-Oriented = Harder to Use
• Risk Management Trade-Offs
Security Tools & Controls (FISMA)
• Roles & Permissions (Access Controls)
• Federated Identity & Multi-Factor Authentication
• Vulnerability Assessment
• Hardening
• Continuous Monitoring
• Hosting Platform & Environment
Roles & Permissions
• Drupal: Granular, flexible security permissions matrix; easy to create new roles and permissions; complex (distributions & mods: OA, WB)
• Joomla: Frontend & backend groups, administration area
• WordPress: Roles and capabilities, admin area
• SharePoint: SharePoint groups and roles, mapped to AD groups, site collection admins, elevated privileges
• Liferay: Granular system built on JSR-286
Federated Identity & Multi-Factor Authentication
• Drupal: OpenID, OAuth, LDAP, Google Authenticator, TFA/SMS, YubiKey, Duo, WiKID, SAML: NIH Login, CAS: OMB MAX, PIV
• Joomla: OpenID, OAuth, SAML, YubiKey, smartcards
• WordPress: OpenID, OAuth, LDAP, SAML, SMS, Duo
• SharePoint: AD, LDAP, AD LDS, ADFS, claims-based identity, membership provider (AD)
• Liferay: SSO (LDAP, OpenAM), OpenID
Vulnerability Assessment
• Drupal: Security Review, Coder / secure code review, DPScan
• Joomla: Joomla OWASP scanner
• WordPress: WP Security Scan
• SharePoint: SharePoint Security Scanner
• Liferay: Standard tools
Hardening
• Drupal: Hardened Drupal, Guardr
• Joomla: jHackGuard
• WordPress: Integrated security plugins (Better WP Security, BulletProof Security), Secure WordPress
• SharePoint: Secure installation: Kerberos
• Liferay: Manual config guide
• All: Environment-specific controls
Continuous Monitoring
• Drupal: Nagios; SIEM (OSSIM); Watchdog: dblog, MongoDB syslog; logstash
• Joomla: Jlog > syslog, commercial monitoring
• WordPress: Integrated packages, commercial monitoring
• SharePoint: Microsoft System Center, commercial packages
• Liferay: Audit EE: DB or log4j > syslog
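As an added example (not from the slides), the Drupal monitoring line above becomes concrete when Watchdog is shipped to syslog and then to a SIEM or logstash: the script below parses lines in the default Drupal 7 syslog module layout (base_url|timestamp|type|ip|request_uri|referer|uid|link|message, an assumption about the site's syslog_format setting) and flags a source IP with repeated failed logins in a short window. The log lines are constructed samples, not real traffic.

```python
import re
from collections import Counter, defaultdict

# Field order of the stock Drupal 7 syslog.module format (assumed unchanged on the site).
FIELDS = ["base_url", "timestamp", "type", "ip", "request_uri", "referer", "uid", "link", "message"]

# Constructed sample watchdog lines, in the shape syslog.module emits (documentation IP ranges).
SAMPLE_LOG = """\
http://example.gov|1389000001|user|203.0.113.7|/user/login||0||Login attempt failed for admin.
http://example.gov|1389000003|user|203.0.113.7|/user/login||0||Login attempt failed for admin.
http://example.gov|1389000004|user|203.0.113.7|/user/login||0||Login attempt failed for root.
http://example.gov|1389000005|user|203.0.113.7|/user/login||0||Login attempt failed for editor.
http://example.gov|1389000010|access denied|198.51.100.9|/admin/config||0||admin/config
http://example.gov|1389000011|php|198.51.100.9|/node/1||0||Warning: constructed PHP notice
http://example.gov|1389000012|user|192.0.2.5|/user/login||0||Login attempt failed for editor.
http://example.gov|1389000020|user|192.0.2.5|/user/login||42||Session opened for editor.
"""

FAILED_LOGIN = re.compile(r"^Login attempt failed for (?P<user>.+)\.$")  # Drupal 7 user.module wording

def parse_watchdog_line(line):
    """Split one syslog-formatted watchdog line into a dict keyed by FIELDS, or None."""
    parts = line.rstrip("\n").split("|", len(FIELDS) - 1)  # message may itself contain '|'
    if len(parts) != len(FIELDS):
        return None  # other daemons share the facility; skip non-watchdog lines
    rec = dict(zip(FIELDS, parts))
    rec["timestamp"] = int(rec["timestamp"])
    return rec

def find_brute_force(log_text, threshold=3, window_seconds=60):
    """Return {ip: sorted usernames} for sources with >= threshold failed logins in window_seconds."""
    attempts = defaultdict(list)  # ip -> [(timestamp, username)]
    for line in log_text.splitlines():
        rec = parse_watchdog_line(line)
        if not rec or rec["type"] != "user":
            continue
        m = FAILED_LOGIN.match(rec["message"])
        if m:
            attempts[rec["ip"]].append((rec["timestamp"], m.group("user")))
    hits = {}
    for ip, events in attempts.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = [u for ts, u in events[i:] if ts - start <= window_seconds]
            if len(users) >= threshold:
                hits[ip] = sorted(set(users))
                break
    return hits

def count_by_type(log_text):
    """Per-type event counts, the kind of summary a SIEM dashboard charts for a Drupal site."""
    return Counter(r["type"] for r in map(parse_watchdog_line, log_text.splitlines()) if r)
```

A single failed login from 192.0.2.5 stays below the threshold, so only the 203.0.113.7 source is reported; the threshold and window are the knobs to tune against your own baseline.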
Hosting Platform & Environment
• Drupal: LAMP: Apache/Nginx/IIS, MySQL/MariaDB/PostgreSQL/MSSQL/Oracle, PHP 5.3
• Joomla: LAMP: Apache/Nginx/IIS, MySQL/PostgreSQL/MSSQL, PHP 5.3
• WordPress: LAMP: PHP 5.2, MySQL
• SharePoint: Windows, IIS, SQL Server, Office 365 (FISMA cert), Azure, AWS, Rackspace
• Liferay: JVM, Tomcat/GlassFish/JBoss/WebLogic, JDBC (MySQL/Postgres)
• Everything: > cloud (AWS, OpenStack, FedRAMP), private cloud, SLA
D.Org Security Incident
• Drupal.org compromised
• Sophisticated DevOps management
• Third-party software breached: undisclosed
With Drupal, You Never Walk Alone
You Never Walk Alone With Drupal
Security Ninja
Security Rockstar
Platinum Diamond
Uber Status