how open source helps you prevent the next drupalgeddon
play

How open source helps you prevent the next Drupalgeddon the best - PowerPoint PPT Presentation

Jan 06, 2024 •132 likes •866 views

How open source helps you prevent the next Drupalgeddon the best marketing for this talk was SA-CORE-2018-003 and SA-CORE-2018-004 Drupal Hack Camp 2018 Bastian Widmer - @dasrecht | @amazeeio Bun seara! Bun seara! We will talk about:

  1. How open source helps you prevent the next Drupalgeddon the best marketing for this talk was SA-CORE-2018-003 and SA-CORE-2018-004 Drupal Hack Camp 2018 Bastian Widmer - @dasrecht | @amazeeio

  2. Bun ă seara!

  3. Bun ă seara!

  4. We will talk about: basics, containers, open source, crypto currencies, attacks and the future

  5. • System Engineer at amazee.io $> whoami bastian • Containers in Production 👼 🤗 • Zurich, Switzerland • English, German, Swiss-German and a bit of French • @dasrecht • Too many side projects!* • TEDxBern • DevOpsDays Zurich • CommunityRack.org • Running TOR nodes for fun • Working with real containers * this list is not complete!

  6. $> whoami bastian ● System Engineer at amazee.io ● Located: Zurich, Switzerland ● Twitter: @dasrecht ● Too many sideprojects! ○ DevOpsDays Zurich ○ CommunityRack.org ○ Running Tor Exit nodes for fun ○ Working with Real Containers

  7. ● System Engineer at amazee.io ● Located: Zurich, Switzerland ● Twitter: @dasrecht ● Too many sideprojects! ○ DevOpsDays Zurich ○ CommunityRack.org ○ Running Tor Exit nodes for fun ○ Working with Real Containers

  8. amazee.io • Fully Open Sourced Hosting Platform for Drupal Web Projects • Hosting since 8 years • We’re a remote team of 7 • Zurich, Switzerland • Barcelona, Spain • Austin, TX • Portland, OR • Melbourne • Hosting in 16 different countries

  9. There are two types of companies: those that have been hacked, and those who don't know they have been hacked. — John T. Chambers

  10. Is open source better compared to closed source?

  11. Opensource ● Auditable by everyone ● The power of many eyes ● Fixes can be found by a bigger team

  12. Closed Source ● You don’t know how sustainable a patch is implemented ● you need to trust the vendor completely ● e.g. Microsofts Edge Browser misses to patch a vulnerability after 90 days and 2 weeks

  13. That said… ● No evidence that Open source performs better than Closed source ● Transparency of open source is still better ● Nothing is inherently secure ● Heartbleed, Poodle. Shellshock ● CVE-2008-4250 Sasser/Conficker patches were not applied for a long time

  14. Basics: Security Levels

  15. Security Levels • scores between 0 and 4 are considered Not Critical • 5 to 9 is considered Less Critical • 10 to 14 is considered Moderately Critical • 15 to 19 is considered Critical • 20 to 25 is considered Highly Critical https://www.drupal.org/drupal-security-team/security-risk-levels-defined

  16. Risk Metrics • Access Complexity (AC) • Authentication (A) • Confidentiality Impact (CI) • Integrity Impact (II) • Exploit (Zero Day Impact) (E) • Target Distribution (TD)

  17. Basics: Drupal Security Process

  18. How do you feel on Wednesday evenings?

  19. Drupal Security Process ● Releases every Wednesday ● Public Service Announcements (PSA) for high security levels

  20. Drupal Security Process ● Issues are reported to the security team via a hidden issue queue ● If the problem is valid the security team mobilises the maintainer to fix the issue ● New versions are created, reviewed and tested ● New release is created on drupal.org ● Communication channels are used to inform users about the upgrade steps to protect themselves ● If the maintainer fails to fix the issue within the deadline an advisory is issued to disable the module and the module is marked as unsupported.

  21. Disclosure policy ● Coordinated Disclosure policy ● issues are private until there is a fix OR ● until it becomes apparent that the maintainer is not addressing the issue in time ● Public announcements are made after the threat is addressed and a secure version is available ● The same goes for issue reporters

  22. Back in the day™

  23. Back in the day™ aka 2014

  24. DrupalGeddon 1.0

  25. DrupalGeddon 1.0

  26. 25/25 ? SHIT! 25/25 ? SHIT! 25/25 ? SHIT!

  27. Drupalgeddon 1.0 - SA-CORE-2014-005 ● SQL Injection ● Score 25/25 ● 7 Hours from release till attacks were rolling in ● Defacements, Backdoors, Mass Mailing https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2014-10-15/sa-core-2014-005-drupal-core-sql

  28. DrupalGeddon 2.x

  29. The good news first!

  30. The good news first: You are not important anymore!

  31. The good news first: You are not important anymore! Your Infrastructure is!

  32. The bad news?

  33. The bad news: You don’t get 7 hours anymore

  34. Drupalgeddon 2.0 - SA-CORE-2018-002/004 ● Non sanitised values ● Score 24/25 / and 20/25 ● several hours after exploit was in the wild

  35. Timeline ● SA-CORE-2018-002 released March, 28 2018 ● Exploit in the wild: April 12, 2018 ● Currently 2000-5000 attempts per day overall ● Other players mitigating over 500’000 attempts per day ● SA-CORE-2018-004 released April, 25 2018

  36. What kind of attacks? ● Nothing „too visible“ for the end user ● Full Stack attack - The user and your server ● Cryptominer JS Inclusions ● Cryptominers on the Server (Cryptojacking) ● Stealing your useraccounts/mail addresses ● Data breaches (GDPR/DSGVO!)

  37. ● https://twitter.com/Schnitzel/status/984875838410813440 ● https://gist.github.com/Schnitzel/684519cbf268481ac3f9d8cee249efeb

  38. Security is a process not a state

  39. What layers of security do can we deploy? ● Regular Updates ● Drupal Modules ● Web Application Firewall (WAF) ● Hoster / Infrastructure ● Code-level ● Your own measures

  40. Regular Updates

  41. Regular Updates ● Update every week ● at least: Security Related (situative awareness) ● It’s a product - Sell it to your customers ● Unpatched CMS can lead to leaks like: ● Panama Papers - 2.6 TB worth of Data leaked ● Equifax Leak 143 million affected users

  43. BUT I HAVE 100+ SITES!?

  44. Yes! And you’re not competing against humans. You are competing against robots!

  45. Security isn’t a sprint anymore. It’s a marathon (that never ends)

  46. Regular Updates ● Automate, Automate, Automate ● DIY - Works but it’s a lot of work ● There should be a fasttrack (just patch and go!) ● Use a „appropriate“ Development workflow: Source Control, Composer ● Dropguard - https://www.drop-guard.net/ ● Lumtrio - https://lumturio.com/

  47. Helpful Drupal Modules

  48. Drupal Modules - Site Audit Site Audit is a Drupal static site analysis platform that generates reports with actionable best practice recommendations. https://www.drupal.org/project/ site_audit

  49. Drupal Modules - Hacked! This module scans the currently installed Drupal, contributed modules and themes, re- downloads them and determines if they have been changed. https://www.drupal.org/project/ hacked

  50. Drupal Modules - Security Review The Security Review module automates testing for many of the easy-to-make mistakes that render your site insecure. https://www.drupal.org/project/ security_review

  51. Drupal Modules - Paranoia The Paranoia module attempts to identify all the places that a user can evaluate PHP via Drupal's web interface and then block those. It reduces the potential impact of an attacker gaining elevated permission on a Drupal site. https://www.drupal.org/project/paranoia

  52. Web Application Firewall (WAF)

  53. Web application firewall (WAF) ● Mod Security (Nginx / Apache) ● Cloudflare (needs Pro Plan) ● Fastly WAF (limited availability release) ● AWS WAF & Trusted Rulesets (F5, Trend Micro, Fortinet) ● Web Application Firewalls only buy you time!

  54. Web application firewall (WAF)

  55. Hosting / Infrastructure

  56. Hosting / Infrastructure ● Many providers put mitigations in place to safeguard customers and infrastructure ● Speed is everything! ● Drupalgeddon 2.0 most of the bigger providers implemented infrastructure level mitigations within an hour after the Security release ● This still does not mean that you won’t need to patch your site

  57. Hosting / Infrastructure ● Environment variables make it easy to rollover the remaining secrets ● Hardening on webserver level - i.e. only allow index.php requests. ● and whitelist where necessary ● Containers / Don’t have any changeable code deployed ● DockerHub Security Scanning https://blog.docker.com/2016/05/docker-security- scanning/

  58. Code-level

  59. Code-level ● Remove inactive modules - Less attack surface ● Github Security Scans ● Composer Security Scan (https://security.sensiolabs.org/check)

  60. Code-level

  61. Code-level

  62. Your own measures

  63. Your own ● Don’t use passwords for server logins - SSH Keys all the way ● Use Single-Sign-On Services if possible ● Use 2 Factor Authentication ● Restrict login to a certain set of IP addresses (Module: Restrict IP) 
 https://www.drupal.org/project/restrict_ip

  64. FUTURE FUTURE FUTURE

  65. Future ● Automatic Updates Initiative 
 https://www.drupal.org/project/ideas/issues/2940731 ● Self-Patching Infrastructure (i.e. DockerHub) ● It’s a topic that concerns not just Drupal

  66. Conclusion

  67. The fear of the 0 day exploit

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

An Open Source tool helps a global community of professionals

An Open Source tool helps a global community of professionals

An Open Source tool helps a global community of professionals shift from traditional contacts and annual meetings to continuous interaction on the web

505 views • 37 slides
Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source Licenses: GPL vs. LGPL vs. MIT/Apache Foundations: Linux, Apache, Eclipse, Similar: Open Data, Open Hardware, Open Knowledge, ... Advantages of OS

508 views • 13 slides
Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and

Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and

The State of Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and Open Source databases RedHat Acquired by IBM Image Source: https://techcrunch.com/story/ibm-acquires-red-hat/ Open Source

663 views • 29 slides
Reinventing How America Votes Through Open Source Solutions Deborah Bryant OSU Open Source Lab

Reinventing How America Votes Through Open Source Solutions Deborah Bryant OSU Open Source Lab

Reinventing How America Votes Through Open Source Solutions Deborah Bryant OSU Open Source Lab Joseph Hall Center for Information Technology Policy, Princeton University Gregory Miller Open Source Digital Voting Foundation Visionaries on

942 views • 29 slides
Creating an Open Source Project Thiago Macieira Who am I? Open Source developer for 15 years

Creating an Open Source Project Thiago Macieira Who am I? Open Source developer for 15 years

Creating an Open Source Project Thiago Macieira Who am I? Open Source developer for 15 years Sofuware Architect at Intels Open Source Technology Center (OTC) and Tizen Platgorm Community Manager Maintainer of two modules in the Qt

649 views • 33 slides
1 A Comparison of Open Source Search A Comparison of Open Source Search Engines Engines

1 A Comparison of Open Source Search A Comparison of Open Source Search Engines Engines

Open Source Search Engines Why? Low cost: No licensing fees Source code available for customization Good for modest or even large data sizes Open-Source Search Engines and Challenges: Lucene/Solr Performance, Scalability

347 views • 13 slides
Automating Your Lights with Open Source Combining Open Source Hardware with Free and Open Source

Automating Your Lights with Open Source Combining Open Source Hardware with Free and Open Source

Automating Your Lights with Open Source Combining Open Source Hardware with Free and Open Source Software Leon Anavi Konsulko Group leon.anavi@konsulko.com leon@anavi.org FOSDEM 2018 Agenda Home automation and smart lightning Open

422 views • 30 slides
mITu Skillologies Open Source World http://mitu.co.in Existence of open source There is a

mITu Skillologies Open Source World http://mitu.co.in Existence of open source There is a

mITu Skillologies Open Source World http://mitu.co.in Existence of open source There is a vast increase in adoption of open source software solutions across the private enterprise, government associations and organizations, industries.

581 views • 18 slides
Yocto for PELUX 2018-03-29 1 The Yocto Project The Yocto Project is an open source

Yocto for PELUX 2018-03-29 1 The Yocto Project The Yocto Project is an open source

Yocto for PELUX 2018-03-29 1 The Yocto Project The Yocto Project is an open source collaboration project that helps developers create custom Linux- based systems for embedded products, regardless of the hardware architecture.

657 views • 23 slides
What is open source? Computer software where the source code is distributed under an open

What is open source? Computer software where the source code is distributed under an open

What is open source? Computer software where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the software. Promotes collaboration Community of developers

878 views • 16 slides
What is open source ? Computer software where the source code is distributed under an open

What is open source ? Computer software where the source code is distributed under an open

What is open source ? Computer software where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the software. Promotes collaboration Community of developers

462 views • 14 slides
What is open source? Computer sofuware where the source code is distributed under an open

What is open source? Computer sofuware where the source code is distributed under an open

What is open source? Computer sofuware where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the sofuware. Promotes collaboration Community of developers

439 views • 12 slides
The State of Open Source Databases Peter Zaitsev CEO, Percona October 1 st , 2019 Open Source

The State of Open Source Databases Peter Zaitsev CEO, Percona October 1 st , 2019 Open Source

The State of Open Source Databases Peter Zaitsev CEO, Percona October 1 st , 2019 Open Source Software Amazing times for Open Source Software! Commercial Success Fantastic Success of Open Source Based Businesses! RedHat Acquired by IBM

1.19k views • 52 slides
Open Komodo: An Open Source IDE For Open Languages For Open Languages Own Your IDE Eric

Open Komodo: An Open Source IDE For Open Languages For Open Languages Own Your IDE Eric

Open Komodo: An Open Source IDE For Open Languages For Open Languages Own Your IDE Eric Promislow ActiveState Software Inc. OpenKomodo: Own Your IDE Copenhagen, Denmark April 2, 2008 1 History Perl for Windows Active Python,

820 views • 65 slides
Creating Open Source Electronic Hardware with Open Source Software Tom Anderson Overview

Creating Open Source Electronic Hardware with Open Source Software Tom Anderson Overview

Creating Open Source Electronic Hardware with Open Source Software Tom Anderson Overview Open Source hardware (This is the smallest font) Business model Example circuit, concept -> production Make circuit boards with Open

806 views • 78 slides
1 Version 2: MIT, 1983 Bazaar Model Richard Stallman was Characteristics include

1 Version 2: MIT, 1983 Bazaar Model Richard Stallman was Characteristics include

Open Source Idea? SHARE and the Origins of Open The basic idea behind open source is very simple: When programmers can read, Source Software: 1953-1972 redistribute, and modify the source code for a piece of software, the software evolves.

530 views • 8 slides
< Web Development /> Presented by Table of Contents 1. The World Wide Web 2. HTML 3. CSS

< Web Development /> Presented by Table of Contents 1. The World Wide Web 2. HTML 3. CSS

< Web Development /> Presented by Table of Contents 1. The World Wide Web 2. HTML 3. CSS 4. JavaScript DOM AJAX 5. Bootstrap, JQuery, and CDNs 6. Web Development Stacks 7. Fun Projects Introduction to the WWW WWW

892 views • 47 slides
High Availability High Performance How to sleep without the server-crash-fear Michael Schmid

High Availability High Performance How to sleep without the server-crash-fear Michael Schmid

High Availability High Performance How to sleep without the server-crash-fear Michael Schmid michael@amazeelabs.com @schnitzel High Availability no Single Point of Failure Redundancy High Performance Response times

558 views • 44 slides
FICOP (1983) Boris Vyturin Jerry Brown Jewgeni Singer Igor Zotikov 1988 Barentsburg 1998

FICOP (1983) Boris Vyturin Jerry Brown Jewgeni Singer Igor Zotikov 1988 Barentsburg 1998

FICOP (1983) Boris Vyturin Jerry Brown Jewgeni Singer Igor Zotikov 1988 Barentsburg 1998 Excursion 1983 Excursion 2003 Zurich Pre-Conference

658 views • 17 slides
Overview of LC Physics and Detector Requirements Satoru Yamashita (ICEPP, Univ. of Tokyo) Nov.

Overview of LC Physics and Detector Requirements Satoru Yamashita (ICEPP, Univ. of Tokyo) Nov.

Overview of LC Physics and Detector Requirements Satoru Yamashita (ICEPP, Univ. of Tokyo) Nov. 9, 2004, ACFA LCWS@Taipei Many materials from ACFA LC report (2001) TESLA TDR (2001) LC physics resource book for Snowmass (2001)

882 views • 51 slides
Drupal High Availability High Performance Samstag, 3. November 12 Drupal High Availability

Drupal High Availability High Performance Samstag, 3. November 12 Drupal High Availability

Drupal High Availability High Performance Samstag, 3. November 12 Drupal High Availability High Performance How to sleep without the server-crash-fear Samstag, 3. November 12 High Availability Samstag, 3. November 12 High Availability

1.01k views • 79 slides
In-Database Factorized Learning Dan Olteanu Joint work with M. Schleich, J. Zavodny & FDB

In-Database Factorized Learning Dan Olteanu Joint work with M. Schleich, J. Zavodny & FDB

In-Database Factorized Learning Dan Olteanu Joint work with M. Schleich, J. Zavodny & FDB Team M. Abo-Khamis, H. Ngo, X. Nguyen http://www.cs.ox.ac.uk/projects/FDB/ Recent Trends in Knowledge Compilation Dagstuhl, Sept 2017 1 / 32 We

646 views • 36 slides
Better tools for content editors Petr ILLEK Morpht Better tools for content editors Modifiers

Better tools for content editors Petr ILLEK Morpht Better tools for content editors Modifiers

Better tools for content editors Petr ILLEK Morpht Better tools for content editors Modifiers and Looks Petr ILLEK Front-End developer Morpht.com The team 2 years of development Countless iterations and refactoring Murray Vt

514 views • 34 slides
SCONE: Secure Linux Containers with Intel SGX Sergei Arnautov1, Bohdan Trach1, Franz Gregor1,

SCONE: Secure Linux Containers with Intel SGX Sergei Arnautov1, Bohdan Trach1, Franz Gregor1,

SCONE: Secure Linux Containers with Intel SGX Sergei Arnautov1, Bohdan Trach1, Franz Gregor1, Thomas Knauth1, Andre MarGn1, ChrisGan Priebe2, Joshua Lind2, Divya Muthukumaran2, Dan OKeeffe2, Mark L SGllwell2, David Goltzsche3, David Eyers4,

351 views • 24 slides

More recommend