secure drupal development
play

Secure Drupal Development Steven Van den Hout Steven Van - PowerPoint PPT Presentation

Feb 04, 2024 •114 likes •641 views

Secure Drupal Development Steven Van den Hout Steven Van den Hout @stevenvdhout http://dgo.to/@svdhout SECURE? 1 IS D DRUPAL AL S IS OPEN SOURCE SECURE? MANY EYES MAKE FOR SECURE CODE - Security by obscurity - Open

  1. Secure ¡Drupal ¡Development ¡ Steven ¡Van ¡den ¡Hout ¡

  2. Steven Van den Hout @stevenvdhout http://dgo.to/@svdhout

  3. SECURE? 1 IS D DRUPAL AL S

  4. IS OPEN SOURCE SECURE? MANY EYES MAKE FOR SECURE CODE - Security by obscurity - Open code does not make it easier for hackers - Open Source makes people look at it - Popularity gets more eyes and more peer-reviews • Bad open-source software as bad • as bad private software.

  5. OWASP VULNERABILITIES - Injection - Cross Site Scripting - XSS - Broken Authentication and Session Management - Cross Site Request Forgery - CSRF - Security Misconfguration - Failure to Restrict URL Access ¡ - Access bypas

  6. REPORTED VULNERABILITIES

  7. IS DRUPAL SECURE? - Safe by design (Core and API) - Security Team - Highly organised - Documented process for Security Advisories and Updates - Thousands of maintainers, users and experts - Support: Drupal 6/7, Core & Contributed Modules

  8. RE 2 KEEP Y YOUR DRUPAL AL W WEBSITE SE SECU CURE

  9. SECURITY IS A PROCESS NOT AN EVENT

  10. A DRUPAL SECURITY RELEASE • FROM REPORTED ISSUE TO SECURITY UPDATE

  13. PRIVATE DISCLOSURE YOU’RE SAFE UNTIL RELEASE SECURITY UPDATE

  14. UPDATES ¡ Always stay up to date - Keep up with latest security releases Update Work fl ow - Hacked module + di ff - Drush up

  15. UPDATE MANAGER KNOW WHEN AN UPDATE IS NEEDED

  16. STATUS MONITORING INSIGHT INTO HEALTH OF YOUR DRUPAL WEBSITE Tools - Droptor.com (https://drupal.org/project/droptor) - Acquia Insight (https://drupal.org/project/ acquia_connector) - Nagios (https://drupal.org/project/nagios) - Drupalmonitor.com (https://drupal.org/project/ drupalmonitor) - …

  18. WEBSITE 3 BUILD A S A SECURE D DRUPAL AL W

  19. CONTRIBUTED MODULES

  20. CONTRIBUTED MODULES Quality assurance - Usage - Number of open issues - Closed/Open ratio Response time - ¡ Good quality usually means good security ¡ ¡ Manual code reviews for less used modules ¡ ¡ ¡

  21. UPDATES ¡ Always stay up to date - Keep up with latest security releases Update Work fl ow - Hacked module + di ff - Drush up

  22. PATCHES ¡ Contrib patches ¡ Read the entire issue ¡ ¡ Commit custom patches ¡ Help out ¡ Feedback from other users (maintainers) ¡ Patch might get commited ¡ ¡ ¡ Patch management ¡ Move module to patched ¡ Create a patches.txt ¡ Keep patches ¡ ¡ ¡

  23. CUSTOM MODULES

  24. SECURITY PYRAMID ¡ Theme ¡ ¡ ¡ ¡ DB API ¡ Form API ¡ Menu & Node Access ¡

  25. HAC ACKS AN AND H HOW T TO P O PREVENT T THEM

  26. SQL INJECTION ¡ h4p://xkcd.com/327/ ¡ "SELECT * FROM user WHERE name = '$name'" ¡ ¡ "SELECT * FROM user WHERE name = 'Robert'; DROP TABLE students;'" ¡ ¡ ¡

  27. SQL INJECTION ¡ Placeholders ¡ ¡ ¡ db_query(“SELECT * FROM users WHERE name = :user”, array(':user' => $user); ¡ ¡ ¡ Dynamic Queries ¡ ¡ ¡ ¡ $query = db_select('user', 'u') ¡ -> fi elds('u') ¡ ->where('name', $user) ¡ ->execute(); ¡

  28. XSS (cross site scripting) ¡ EXECUTING ABRITRARY JAVASCRIPT CODE ON THE PAGE

  29. XSS (cross site scripting) ¡ User Input ¡ ¡ ¡ Title ¡ Body ¡ Log message ¡ Url ¡ Post ¡ User-Agent ¡ Headers ¡ ¡ ¡

  30. XSS (cross site scripting) ¡ Validate forms ¡ ¡ ¡ User input should never contain javascript ¡ ¡ ¡ Form api ¡ ¡ ¡ ¡ Never use $_POST variables ¡ $form_state['values'] ¡ ¡ Form caching ¡

  31. XSS (cross site scripting) ¡ Input formats ¡ Filter Functions ¡ check_url() ¡ Never use full_html ¡ ¡ ¡ ¡ check_plain() ¡ ¡ ¡ ¡ check_markup() ¡ ¡ fi lter_xss() ¡

  32. XSS (cross site scripting) ¡ h4p://drupalscout.com/knowledge-­‑base/drupal-­‑text-­‑filtering-­‑cheat-­‑sheet-­‑drupal-­‑6 ¡

  33. XSS (cross site scripting) ¡ Functions ¡ ¡ ¡ ¡ t() ¡ @var => plain text ¡ ¡ %var => plain text ¡ !var => full html! ¡ l() drupal_set_title() ¡ ¡ ¡

  34. CSRF (cross site request forgery) ¡ Taking action without con fi rming intent ¡ ¡ ¡ <a href=”/delete/user/1”>Delete user 1</a> ¡ ¡ ¡ Image Tag ¡ ¡ ¡ ¡ <img src=”/delete/user/1”> ¡ A hacker posts a comment to the administrator. ¡ When the administrator views the image, user 1 gets deleted ¡ ¡ ¡

  35. CSRF (cross site request forgery) ¡ Token (aka Nonce) ¡ ¡ ¡

  36. ACCESS BYPASS ¡ VIEW CONTENT A USER IS NOT SUPPOSED TO

  37. ACCESS BYPASS ¡ View content a user is not supposed to ¡ ¡ ¡ $query = db_select('node', 'n')-> fi elds('n'); ¡ Also shows nodes that user doesn't have acces to ¡ ¡ ¡ $query->addTag('node_access') ¡ ¡ ¡ ¡ Rewrite the query based on the node_access table ¡

  38. ACCESS BYPASS ¡ Bad custom caching ¡ ¡ ¡ Administrator visits a block listing nodes. ¡ The block gets cached ¡ ¡ The cached block with all nodes is shown to the anonymous user ¡ ¡ Add role id to custom caching ¡

  39. ACCESS BYPASS ¡ Rabbit_hole module ¡ ¡ ¡ Rabbit Hole is a module that adds the ability to control what should happen when an entity is being viewed at its own page. Page manager can do the same. ¡ Field access ¡ ¡ ¡ $form['#access'] = custom_access_callback(); ¡ ¡ Menu access ¡ ¡ ¡ ¡ $item['access callback'] = 'custom_access_callback', ¡

  40. CORRECT USE OF API ¡ Form API ¡ Validation Form state Drupal_valid_token ¡ ¡ DB API ¡ db_select, db_insert, placeholders ¡ $query->addTag(‘node_access’); ¡ ¡ ¡ Filter ¡ check_url, check_plain, check_markup, fi lter_xss, … ¡ t(), l(), drupal_set_title(), … ¡ ¡ ¡

  41. THEMES

  42. THEMES ¡ Themer not responsible ¡ ¡ ¡ Preprocess functions ¡ ¡ ¡

  43. CONFIGURATION

  44. PERMISSIONS ¡ Permission management ¡ ¡ ¡ If Joe from advertising can give the full html fi lter format to anonymous user, don't bother to think about security ¡ ¡ ¡ Split up permissions ¡ ¡ ¡ The default permissions don't cover every use case ¡ ¡ ¡

  45. PERMISSIONS ¡

  46. FILTER FORMATS ¡ Never use full_html ¡ Never use php fi lter ¡ ¡ ¡ Use a custom module for code ¡ ¡ ¡ Use fi ltered_html instead. ¡ Versioning ¡ ¡ Bad performance (eval) ¡ ¡ ¡ ¡

  47. CHECKLIST

  48. CHECKLIST ¡ Never use ¡ Permissions ¡ ¡ Trusted users only full_html ¡ Split up permissions Php fi lter ¡ ¡ ¡ ¡ ¡ API ¡ ¡ ¡ Preprocess functions ¡ check_plain, fi lter_xss ¡ DB API ¡ Form API ¡ Tokens ¡ Menu/Node Access ¡

  49. GREAT ¡ HOW ABOUT DRUPAL 8?

  50. FURTHER READING

  51. FURTHER READING ¡ Books ¡ Cracking Drupal !! ¡ Pro Drupal Development Online ¡ https://drupal.org/writing-secure-code ¡ https://drupal.org/node/360052 ¡ http://munich2012.drupal.org/program/sessions/think-hacker-secure-drupal-code.html ¡ http://drupalscout.com/knowledge-base ¡ Video ¡ How to avoid All your base are belong to us (drupalcon Denver) ¡ ¡ ¡

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Why Im looking forward to Drupal 8 Who Am I? Jim Taylor drupal.org/u/bigjim @jalama

Why Im looking forward to Drupal 8 Who Am I? Jim Taylor drupal.org/u/bigjim @jalama

Why Im looking forward to Drupal 8 Who Am I? Jim Taylor drupal.org/u/bigjim @jalama Currently: Manager, Web Development @ Highlights for Children Yes Were Hiring! Started with Drupal in 2007 (Drupal 5.2) Past Roles: Owned a small

546 views • 31 slides
The Story of an Insecure Module Secure Drupal Development Intros Mark Shropshire (shrop) Open

The Story of an Insecure Module Secure Drupal Development Intros Mark Shropshire (shrop) Open

The Story of an Insecure Module Secure Drupal Development Intros Mark Shropshire (shrop) Open Source Security Lead Mark brings 20 years of experience leading technical teams to his role as Mediacurrents Open Source Security Lead. He is a

594 views • 38 slides
Drupal Basics an introduction to Drupal This introductory session will get the Drupal juices

Drupal Basics an introduction to Drupal This introductory session will get the Drupal juices

Drupal Basics an introduction to Drupal This introductory session will get the Drupal juices flowing, and help give a broad overview of Drupal jargon, Drupal Architecture &amp; the Drupal Community... May 21st, 2010 - SNHU, Manchester, NH

1.12k views • 52 slides
THE LEADER IN DRUPAL PLATFORM DESIGN AND DEVELOPMENT Saturday, February 2, 13 TESTING DRUPAL WITH

THE LEADER IN DRUPAL PLATFORM DESIGN AND DEVELOPMENT Saturday, February 2, 13 TESTING DRUPAL WITH

THE LEADER IN DRUPAL PLATFORM DESIGN AND DEVELOPMENT Saturday, February 2, 13 TESTING DRUPAL WITH GHOSTS AND GHERKINS USING CASPERJS AND BEHAT TO TEST DRUPAL SITES Saturday, February 2, 13 STEVEN MERRILL Director of Engineering

1.54k views • 63 slides
Introduction to Drupal Andrew Rudy Outline What is Drupal Why use Drupal (Pros and

Introduction to Drupal Andrew Rudy Outline What is Drupal Why use Drupal (Pros and

Introduction to Drupal Andrew Rudy Outline What is Drupal Why use Drupal (Pros and Cons) Examples of what Drupal can do How to download and install Drupal How to use Drupals user interface What is Drupal? Drupal

319 views • 18 slides
FormAPI + Drupal 8 Form and AJAX Mikhail Kraynuk Mikhail Kraynuk Drupal Senior Developer About

FormAPI + Drupal 8 Form and AJAX Mikhail Kraynuk Mikhail Kraynuk Drupal Senior Developer About

FormAPI + Drupal 8 Form and AJAX Mikhail Kraynuk Mikhail Kraynuk Drupal Senior Developer About my experience in Drupal development Development Project management Drupal audit Drupal Localization Mikhail Kraynuk Drupal

625 views • 21 slides
Entity storage, the Drupal 8 way Francesco Placella Coding and development -

Entity storage, the Drupal 8 way Francesco Placella Coding and development -

Entity storage, the Drupal 8 way Francesco Placella Coding and development - http://bit.ly/d8-esa About me Francesco Placella, plach on drupal.org, from Venice, Italy Senior Performance Engineer at Tag1 Consulting Working with Drupal

633 views • 39 slides
Mostly Core Constructing real world sites [mostly] using Drupal 8 core Karen Stevenson

Mostly Core Constructing real world sites [mostly] using Drupal 8 core Karen Stevenson

Mostly Core Constructing real world sites [mostly] using Drupal 8 core Karen Stevenson DrupalCamp Florida March 2016 Drupal Drupal Drupal Drupal Drupal Drupal Drupal User Stories Demo Site Drupal 8 core Bootstrap subtheme

537 views • 24 slides
Toward a Field Study on the Impact of Hacking Competitions on Secure Development Daniel Votipka ,

Toward a Field Study on the Impact of Hacking Competitions on Secure Development Daniel Votipka ,

Toward a Field Study on the Impact of Hacking Competitions on Secure Development Daniel Votipka , Hongyi Hu, Bryan Eastes, and Michelle L. Mazurek 12 Aug 2018 SECURE DEVELOPMENT 2 SECURE DEVELOPMENT 2 SECURE DEVELOPMENT 2 SECURE

565 views • 39 slides
Project a Secure Web 2.0 (using Drupal) Paolo Ottolino PMP CISSP-ISSAP CISA CISM OPST ITIL

Project a Secure Web 2.0 (using Drupal) Paolo Ottolino PMP CISSP-ISSAP CISA CISM OPST ITIL

Project a Secure Web 2.0 (using Drupal) Paolo Ottolino PMP CISSP-ISSAP CISA CISM OPST ITIL paolo.ottolino (at) isc2chapter-italy.it May XX, 2016 Agenda Web 2.0 &amp; CMS CMS Cyber Risk Drupal Security Agenda Web 2.0 &amp; CMS Needs,

286 views • 26 slides
DRUPAL [ REMOTELY ] Is Remote Drupal Employment For You? Gray Sadler, Drupal Developer Drupal

DRUPAL [ REMOTELY ] Is Remote Drupal Employment For You? Gray Sadler, Drupal Developer Drupal

DRUPAL [ REMOTELY ] Is Remote Drupal Employment For You? Gray Sadler, Drupal Developer Drupal Camp 2014 | Orlando, Florida DRUPAL [ REMOTELY ] WHATS ON THE MENU TODAY? Working Remotely Challenges Finding Remote Employment [

578 views • 19 slides
Automating Drupal Migrations How to go from an Estimated One Week to Two Minutes Down Time

Automating Drupal Migrations How to go from an Estimated One Week to Two Minutes Down Time

Automating Drupal Migrations How to go from an Estimated One Week to Two Minutes Down Time About Dan Harris Founder Webdrips.com Drupal-based web design and development shop Founded in July, 2011. Nine years Drupal experience

1.08k views • 38 slides
2016-09-28 Routing in Drupal 9, and lessons learned in Drupal 8 Peter Wolanin

2016-09-28 Routing in Drupal 9, and lessons learned in Drupal 8 Peter Wolanin

2016-09-28 Routing in Drupal 9, and lessons learned in Drupal 8 Peter Wolanin drupal.org/u/pwolanin Track: Core Conversations events.drupal.org/dublin2016/sessions/routing-drupal-9-and-lessons-learned-drupal-8 This is a Conversation If I get

631 views • 23 slides
Why Drupal, Why Now? Real Impact: 7 (-ish) Case Studies of Drupal in Government Monday, December

Why Drupal, Why Now? Real Impact: 7 (-ish) Case Studies of Drupal in Government Monday, December

Why Drupal, Why Now? Real Impact: 7 (-ish) Case Studies of Drupal in Government Monday, December 12, 11 1 First, Why Open Source? No vendor lock-in (own your data) Extensibility: a voice in future development Benefit from the Community,

399 views • 28 slides
Drupal for Designers Not decorating on top of what Drupal gives you, but rather, letting

Drupal for Designers Not decorating on top of what Drupal gives you, but rather, letting

Drupal for Designers Not decorating on top of what Drupal gives you, but rather, letting Drupals default behavior simply provide a guide for your design. Drupal for Designers by Dani Nordin http://my.safaribooksonline.com

736 views • 26 slides
Speed Up Drupal 8 deliveries with CICD Pipeline gobinathm 1 GM Agenda DevOps in Drupal

Speed Up Drupal 8 deliveries with CICD Pipeline gobinathm 1 GM Agenda DevOps in Drupal

Speed Up Drupal 8 deliveries with CICD Pipeline gobinathm 1 GM Agenda DevOps in Drupal Benefits of our Adaptation 2 Who am I Platform Architect / Technical Manager Works in Web / Mobile Application Development, with

573 views • 10 slides
Torus actions in the normalization problem Jasmin Raissy Dipartimento di Matematica &quot;L.

Torus actions in the normalization problem Jasmin Raissy Dipartimento di Matematica &quot;L.

Torus actions in the normalization problem Jasmin Raissy Dipartimento di Matematica &quot;L. Tonelli&quot; Universit di Pisa School-Conference in Complex Analysis and Geometry CIRM, July 1317, 2009 Jasmin Raissy (Universit di Pisa)

1.01k views • 65 slides
AAPICO HITECH PLC [AH] Agenda 1. Company Profile 2. Industry Overview 3. Financial

AAPICO HITECH PLC [AH] Agenda 1. Company Profile 2. Industry Overview 3. Financial

AAPICO HITECH PLC [AH] Agenda 1. Company Profile 2. Industry Overview 3. Financial Performance 4. Strategy and Direction 2 Company Profile AAPICO HITECH PLC [AH] AAPICO HITECH PUBLIC COMPANY LIMITED Established in 1996 and listed on

562 views • 34 slides
Animated Mirn Du ff y Interaction Designer, Red Hat GIFs with @mairin &lt;du ff

Animated Mirn Du ff y Interaction Designer, Red Hat GIFs with @mairin &lt;du ff

Animated Mirn Du ff y Interaction Designer, Red Hat GIFs with @mairin &lt;du ff y@redhat.com&gt; GIMP Remy DeCausemaker Hackademic &amp; Storyteller @Remy_D WORKSHOP &lt;Remy@DeCausemaker.org&gt; While you wait... download these fi les!

615 views • 40 slides
http://cmp.imag.fr CMP annual users meeting, 4 Feb. 2016, PARIS Pr Process Portf rtfolio lio fr

http://cmp.imag.fr CMP annual users meeting, 4 Feb. 2016, PARIS Pr Process Portf rtfolio lio fr

its M ul ti P ro C ir ircu cuits ulti rojets MPW Services Center for IC / MEMS Prototyping http://cmp.imag.fr Grenoble France CMP annual users meeting, 4 Feb. 2016, PARIS STMicroelectronics Standard Technology offers at CMP in 2016

679 views • 16 slides
DISTRICTWIDE ENROLLMENT? Traffic between East PHR and Ashley Falls School Traffic from east

DISTRICTWIDE ENROLLMENT? Traffic between East PHR and Ashley Falls School Traffic from east

WHY SHOULD I CARE ABOUT DISTRICTWIDE ENROLLMENT? Traffic between East PHR and Ashley Falls School Traffic from east of I-5 to Del Mar Heights School

530 views • 6 slides
International Framework of Investment Law Dr Rodrigo Polanco Senior Lecturer and Researcher

International Framework of Investment Law Dr Rodrigo Polanco Senior Lecturer and Researcher

International Framework of Investment Law Dr Rodrigo Polanco Senior Lecturer and Researcher World Trade Institute November 2017 Outline Why people invest abroad? Treatment of Aliens under International Law - Domestic Law - Diplomatic

267 views • 25 slides
Diffie-Hellman, discrete logs, the NSA, and you J. Alex Halderman University of Michigan Based

Diffie-Hellman, discrete logs, the NSA, and you J. Alex Halderman University of Michigan Based

Diffie-Hellman, discrete logs, the NSA, and you J. Alex Halderman University of Michigan Based on joint work: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry,

879 views • 63 slides
Measuring small subgroup attacks against Diffie-Hellman Luke Valenta , David Adrian ,

Measuring small subgroup attacks against Diffie-Hellman Luke Valenta , David Adrian ,

Measuring small subgroup attacks against Diffie-Hellman Luke Valenta , David Adrian , Antonio Sanso , Shaanan Cohney , Joshua Fried , Marcella Hastings , J. Alex Halderman , Nadia Heninger University of

461 views • 42 slides

More recommend