Understanding and implementing website security
Uploaded by drew-gorton (category: Internet)
Transcript of Understanding and implementing website security
![Page 1: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/1.jpg)
Understanding and Implementing Website Security
![Page 2: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/2.jpg)
Pantheon.io
Hi, I’m Drew Gorton
● Director of Agency and Community
Outreach, Pantheon
● Founder, Gorton Studios (2001)
● Co-founder, NodeSquirrel (2012)
● Drupal 4.4 (~2004)
● Drupal Twin Cities
● @dgorton
![Page 3: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/3.jpg)
Web CMS is Risky
The Elephant in the Room
● Web Content Management is inherently dangerous
● Connected to the internet
● Edited via the internet
3
![Page 4: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/4.jpg)
Data Breaches
Have Become Commonplace
4
● http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
![Page 5: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/5.jpg)
I’m So Tiny!
Surely not me?
● You are a target
● You have:
  ○ Computing power
  ○ Access to nearby systems
  ○ Visitors with vulnerable browsers
  ○ Information
  ○ PII? Transactions? Donations?
● Robots don’t care
5
![Page 6: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/6.jpg)
Website Security
Is Not Binary
● Not On or Off
● “Is my website secure?” is not a Yes / No question
6
https://flic.kr/p/h4TA84
![Page 7: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/7.jpg)
Website Security
Lessons from the Real World
Safe Ratings
● Time (5 mins, 30 mins, …)
● Tools (hammer, drill, power, …)
● People (skill, number, …)
7
https://flic.kr/p/5GPgE1
![Page 8: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/8.jpg)
Website Security
Is a Continuum
● Perfect security is a myth
● There will always be gaps
● Be prepared
8
![Page 9: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/9.jpg)
Today’s Goals
Our Agenda
● Understand Landscape
● Have Fewer, Smaller Gaps
● Better Preparedness
● Looking at Layers of Security
9
https://flic.kr/p/5d4nKx
![Page 10: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/10.jpg)
Our Layers
Drupal is Just One Piece
● Platform
  ○ Linux, Apache, MySQL, PHP …
● Application
  ○ Drupal, WordPress…
● Organizational
  ○ Habits, procedures, planning…
10
https://flic.kr/p/dp3nGo
![Page 11: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/11.jpg)
Platform Layer
The Stack Drupal Uses
● Linux
● Apache / NGINX
● MySQL / MariaDB
● PHP
● Varnish
● Memcached / Redis
● Solr
● …
● http://www.linuxsecurity.com
11
https://flic.kr/p/mmgwkx
![Page 12: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/12.jpg)
You Do Not Want This Monkey*
12
https://flic.kr/p/p8z6wN
![Page 13: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/13.jpg)
Use Drupal Hosting
13
https://www.drupal.org/hosting
![Page 14: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/14.jpg)
Buyer Beware
Not All Hosting Is Equal
14
![Page 15: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/15.jpg)
Traditional Hosting
Even Messier in the Real World
15
![Page 16: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/16.jpg)
Platform Security
There is a Better Way
16
![Page 17: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/17.jpg)
Choose Hosts Wisely
How did you handle Heartbleed?
How did you handle DrupalGeddon?
17
![Page 18: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/18.jpg)
Application Layer
Security in Drupal
● Configuration
● Modules
● Security Team and Procedures
● Coding Best Practices
18
https://flic.kr/p/9Vx4ra
![Page 19: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/19.jpg)
Flexibility
Drupal’s Great Strength and Weakness
● (Mis) Configuration
● True or False?
● You can configure Drupal so that Anonymous Users can ____
  ○ Upload images
  ○ Change files
  ○ Edit the homepage
  ○ Turn on modules
  ○ Change themes
19
https://flic.kr/p/nze5Em
![Page 20: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/20.jpg)
Secure Configuration
The Most Important Thing You Can Do
● Secure User 1
  ○ No simple passwords
  ○ Don’t share passwords across sites
  ○ Doesn’t have to be ‘admin’
● Permissions & Roles
  ○ Administer * is powerful
  ○ Administer filters can pwn site
● No PHP (!!!)
● Update module
  ○ Wednesdays are security releases
  ○ Turn it on. Get the notifications. Do them
20
https://flic.kr/p/5pGcyx
![Page 21: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/21.jpg)
Drupal Modules
Improving Security with Contrib
● Password Policy and Password Strength
● Security Review
● Security Kit (Seckit)
● Hacked!
● Paranoia
● Permissions Lock
● Login Security
● Automated Logout
● Two Factor Authentication
21
https://flic.kr/p/5d4nKx
![Page 22: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/22.jpg)
Security Team
Our Fearless Defenders
● Drupal 7 & 8 Core + Contrib
● Wednesdays are releases
● Process & Procedure
● Drupal 6 coverage available
22
https://flic.kr/p/5d4nKx
![Page 23: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/23.jpg)
Secure Coding
Best Practices
● Writing Secure Code (Drupal.org)
● Cracking Drupal - OWASP 10 and Drupal
● SQL Injection
● XSS
● CSRF
23
https://flic.kr/p/3dvqhG
![Page 24: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/24.jpg)
SQL Injection
As Illustrated by XKCD
db_query()
https://www.drupal.org/node/101496
http://xkcd.com/327/
24
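The db_query() point on this slide, as an added example written for this transcript (not the speaker's code): a Drupal 7 lookup with the title spliced into the SQL string next to the same lookup using named placeholders, plus the identifier case that placeholders cannot cover. Function names are hypothetical.

```php
<?php
// Added example, not from the slides. Drupal 7 database API (db_query()).

/**
 * Vulnerable: the search term is concatenated into the SQL text, so anything
 * the term contains (quotes, a second statement, as in the XKCD strip) is
 * parsed as SQL rather than as data.
 */
function example_lookup_unsafe($title) {
  $sql = "SELECT nid FROM {node} WHERE title = '" . $title . "'";
  return db_query($sql)->fetchField();
}

/**
 * Safe: named placeholders are bound by the database layer, so the term is
 * always treated as a value. This is the pattern from
 * https://www.drupal.org/node/101496.
 */
function example_lookup_safe($title) {
  return db_query("SELECT nid FROM {node} WHERE title = :title",
    array(':title' => $title))->fetchField();
}

/**
 * Placeholders cannot carry identifiers (table or column names), so a
 * user-chosen sort column must be checked against a fixed allow-list
 * before it is interpolated into the query text.
 */
function example_lookup_sorted($title, $sort) {
  $allowed = array('nid', 'created', 'changed');
  $column = in_array($sort, $allowed, TRUE) ? $sort : 'nid';
  return db_query("SELECT nid FROM {node} WHERE title = :title ORDER BY $column",
    array(':title' => $title))->fetchAll();
}
```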
![Page 25: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/25.jpg)
Secure Coding
Best Practices
● JavaScript to run browser actions
● Up to 64% of websites vulnerable
● Everything you can do, XSS can do better
● Use Filters! check_url(), check_plain(), filter_xss(), filter_xss_admin(), check_markup()
● t() function
● https://www.drupal.org/node/28984
25
https://flic.kr/p/5ALBHy
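The filter functions and t() placeholders listed on this slide, as an added Drupal 7 example written for this transcript (not the speaker's code): an unescaped greeting next to its escaped form, with one function per output context. Function names are hypothetical.

```php
<?php
// Added example, not from the slides. Drupal 7 output escaping.

/**
 * Vulnerable: a user-supplied name is echoed into the page unescaped, so any
 * markup in the name is rendered (and any script in it runs) in the visitor's
 * browser.
 */
function example_greeting_unsafe($name) {
  return '<h2>Hello ' . $name . '</h2>';
}

/**
 * Safe: every untrusted value is escaped for the context it lands in.
 * - t() runs check_plain() on @placeholders; %placeholders are escaped and
 *   wrapped in <em>; !placeholders are NOT escaped, so never use them for
 *   user input.
 * - filter_xss() keeps only an allow-list of harmless tags when the user is
 *   allowed to submit some HTML (a bio, a comment).
 */
function example_greeting_safe($name, $bio) {
  $output = '<h2>' . t('Hello @name', array('@name' => $name)) . '</h2>';
  $output .= '<div class="bio">'
    . filter_xss($bio, array('a', 'em', 'strong', 'p'))
    . '</div>';
  return $output;
}

/**
 * Attribute context: check_url() strips dangerous protocols (javascript:,
 * data:, ...) and encodes the value for an href; check_plain() covers the
 * link text.
 */
function example_profile_link($url, $label) {
  return '<a href="' . check_url($url) . '">' . check_plain($label) . '</a>';
}
```

In Drupal 7, check_markup() is the right call for text stored with a text format (body fields), since it applies that format's filters rather than a fixed tag list.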
![Page 26: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/26.jpg)
Secure Coding
Best Practices
● Actions on another site
● <a href="http://bank.com/xfer.do?acct=123&amt=10000">View my Pictures!</a>
● Forms API, drupal_get_token(), drupal_valid_token()
● https://www.drupal.org/node/178896
26
https://flic.kr/p/bSkp8r
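The drupal_get_token()/drupal_valid_token() pair from this slide, as an added Drupal 7 example written for this transcript (not the speaker's code): a state-changing action reached by a plain link, which Forms API cannot protect automatically, carrying and checking a session-bound token. Module name, paths and function names are hypothetical; forms built with Forms API get the same protection via the form_token element without any of this.

```php
<?php
// Added example, not from the slides. Drupal 7 CSRF protection for a link.

/**
 * Implements hook_menu(). The action is a GET link, not a form, so no
 * form_token is added for us; the token travels in the query string instead.
 */
function example_menu() {
  $items = array();
  $items['example/transfer/%'] = array(
    'page callback' => 'example_transfer',
    'page arguments' => array(2),
    'access callback' => 'user_is_logged_in',
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Builds the link. drupal_get_token() derives the token from the value AND
 * the current session (plus the site's private key and hash salt), so a token
 * copied into another user's page, or another site, does not validate.
 */
function example_transfer_link($acct) {
  return l(t('Transfer'), "example/transfer/$acct", array(
    'query' => array('token' => drupal_get_token('example_transfer_' . $acct)),
  ));
}

/**
 * Page callback: refuse the action unless the request carries a token valid
 * for this account and this session. A third-party page like the slide's
 * "View my Pictures!" link cannot supply one, so the request is denied.
 */
function example_transfer($acct) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'example_transfer_' . $acct)) {
    return MENU_ACCESS_DENIED;
  }
  // The real transfer for $acct would go here.
  drupal_set_message(t('Transfer for account %acct done.', array('%acct' => $acct)));
  drupal_goto('example/account');
}
```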
![Page 27: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/27.jpg)
Organization Layer
Secure Processes
● Safe Network Usage
● Secure Code Management
● Secure Support
27
https://flic.kr/p/5kaEda
![Page 28: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/28.jpg)
Secure Networking
Build Good Habits
● HTTPS / SSL
  ○ LetsEncrypt.org
  ○ CloudFlare
  ○ Others
● SFTP (No FTP!)
● Wireless Caution
28
https://flic.kr/p/6v1J1m
![Page 29: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/29.jpg)
Secure Code Management
Take care of your code
● Use Version Control Software (VCS) like Git
● Sanitize Data on transfer - drushcommands.com/drush-8x/sql/sql-sanitize
● Secure your Keys - https://lockr.io
29
https://flic.kr/p/9BkXKV
![Page 30: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/30.jpg)
Secure Support
Take care of your clients
● Catalog your sites
● Wednesdays - be ready
● Who is responsible?
● Who helps them?
● How do they escalate?
● Emergency Procedures
● Run the drill!
30
https://flic.kr/p/rEwbwL
![Page 31: Understanding and implementing website security](https://reader033.fdocuments.net/reader033/viewer/2022051523/58addf3f1a28abeb2e8b4773/html5/thumbnails/31.jpg)
In Summary
● Use a secure (reliable, performant) Drupal host
● Configure Drupal carefully
● Use Security-enhancing Drupal modules
● Follow Drupal coding best practices
● Use secure communications (HTTPS, SFTP, …)
● Have secure code management habits
● Have clear support practices and procedures
31