Post on 21-Jan-2017
transcript
Drupal and Security: What you need to know
Stéphane Corlosquet, 29th September 2015
Stéphane "scor" Corlosquet
9+ years with Drupal
Drupal Security Team member
RDF in core + contrib
Definitive Guide to Drupal 7
We're hiring
Lots of things to cover
Server environment
Server config
Personal practices
Drupal Configuration
Code
A disaster foretold — and ignored
General tips
Use HTTPS, SSH, SFTP
Strong password policy
Server – LAMP stack
Require SSH keys
Take & verify your backups
Sanitize backups for sharing
Secure site configuration
Keep your site settings secure
Text formats
PHP module
PHP in other modules
Roles and permissions
Secure site configuration
File permissions: web server user forbidden to change code
PHP execution: restrict in .htaccess or Nginx config
Drupal handbook for securing your site
Drupal specific hosting
Can your hosting provider help you improve your security process?
Tuned for Drupal security (and performance)
Code, DB, uploaded files, config
Managed security updates
Acquia Cloud Insight
Acquia Remote administration
Modules enhancing security
Secure Login
Paranoia
Security Review
Permissions Lock
Hacked!
Password policy
Password strength
Two Factor Authentication
PCI, HIPAA, SOC1, SOC2, SCADA
Be aware of the regulations in your environment
Anyone work in HIPAA environment?
FedRAMP/FISMA Certification & Accreditation (C&A)?
Anyone work with Drupal in SCADA environment?
Drupal PCI Compliance Report
Security process
Ongoing maintenance
Budget for security
Managed hosting
Drupal.org packaging infrastructure
Security process
Keep Drupal code secure in core and contrib
Educate the community on security best practices
Developers
Site builders
Site administrators and users
Decision makers
Drupal Security Team
Security Advisory for every security release
Security process
https://www.acquia.com/blog/keeping-drupal-secure
What are the most common issues?
What is XSS?
Cross Site Scripting
Code in the browser
Making requests
Parsing responses
Javascript, Flash, Java, etc.
Testing for XSS
<script>alert('title');</script>
<img src="a" onerror="alert('title');">
Catches 90%
Fixing XSS?
Filter text
On output to browser
As late as reasonable
Some API filters where reasonable
t() and @text and %text placeholders
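The escaping behind the @text and %text placeholders above, shown with a small stand-in that mirrors Drupal 7's format_string()/check_plain() rules (added example, not Drupal's own code; my_check_plain() and my_format_string() are assumed names, and the probe string is the one used on the "Testing for XSS" slide):

```php
<?php
// Stand-in for Drupal 7 check_plain(): escape for safe output inside HTML text.
function my_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for Drupal 7 format_string(), the function t() delegates to.
// Placeholder handling is decided by the first character of the key:
//   '@' -> escaped plain text
//   '%' -> escaped, then wrapped in <em class="placeholder"> for emphasis
//   '!' -> inserted as-is; only safe for markup that was already sanitized
function my_format_string($string, array $args = array()) {
  foreach ($args as $key => $value) {
    switch ($key[0]) {
      case '@':
        $args[$key] = my_check_plain($value);
        break;

      case '%':
        $args[$key] = '<em class="placeholder">' . my_check_plain($value) . '</em>';
        break;

      default:
        // '!' placeholders: no filtering at all.
        break;
    }
  }
  return strtr($string, $args);
}

// Constructed user-controlled input: the probe from the "Testing for XSS" slide.
$name = "<script>alert('title');</script>";

// @name and %name render the tag as visible text: the browser never executes it.
echo my_format_string('Hello @name', array('@name' => $name)), "\n";
echo my_format_string('Hello %name', array('%name' => $name)), "\n";

// !name passes the markup straight through, which is the XSS sink to avoid
// whenever the value is not already trusted, sanitized HTML.
echo my_format_string('Hello !name', array('!name' => $name)), "\n";
```

Filtering happens here, at output time, which is the "as late as reasonable" point the slide recommends; the stored value stays untouched.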
What is Access Bypass?
User can see or do something
That permissions/access should prevent
Where do we enforce it?
Menu 'access callback'
if (user_access('see something')) { ... }
Node access system
Entity access
Field access
Services & Ajax apis?
In templates
Testing for Access Bypass
Visit node/nid etc.
Visit anything/%node
Use behat
Fixing Access Bypass?
user_access for permissions
node_access
entity_access
$query->addTag('node_access');
menu definitions
write automated tests
What is CSRF?
path that does not confirm intent
<img src="http://example.com/node/1/quickdelete">
Testing for CSRF
$_GET, $_POST, no use of drupal_get_token()
"verb" menu callbacks without token
Fixing CSRF?
Use Form API: confirmation forms
Send and validate tokens
Protect Against CSRF webinar with greggles
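How the "Fixing Access Bypass?" and "Fixing CSRF?" advice combine in a Drupal 7 module for the node/1/quickdelete path from the CSRF slide (added example, not Drupal's or Acquia's code; the module name "quickdelete" and its function names are assumed, and it expects to run inside a Drupal 7 site):

```php
<?php
// Added example (not Drupal's own code). Replaces a GET-triggered "quickdelete"
// path with a menu entry that (1) enforces access via the node access system and
// (2) confirms intent through a Form API confirmation form, whose hidden
// form_token is validated before the submit handler runs.

/**
 * Implements hook_menu().
 */
function quickdelete_menu() {
  $items['node/%node/quickdelete'] = array(
    'title' => 'Delete',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('quickdelete_confirm_form', 1),
    // Access bypass fix: defer to node_access('delete', $node) instead of a bare
    // user_access() check, so grants from other modules are honored too.
    'access callback' => 'node_access',
    'access arguments' => array('delete', 1),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Form builder. A GET to the path now only renders this confirmation form;
 * the deletion happens solely on a POST that carries a valid form token,
 * which an <img src="..."> on a third-party page cannot produce.
 */
function quickdelete_confirm_form($form, &$form_state, $node) {
  $form['#node'] = $node;
  return confirm_form(
    $form,
    t('Are you sure you want to delete %title?', array('%title' => $node->title)),
    'node/' . $node->nid,
    t('This action cannot be undone.'),
    t('Delete'),
    t('Cancel')
  );
}

/**
 * Submit handler: only reached after Form API validated the CSRF token.
 */
function quickdelete_confirm_form_submit($form, &$form_state) {
  $node = $form['#node'];
  node_delete($node->nid);
  drupal_set_message(t('%title has been deleted.', array('%title' => $node->title)));
  $form_state['redirect'] = '<front>';
}
```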
Drupalgeddon: core SQL injection (2014)
SQL injection lead to arbitrary code execution
Plan your security updates!
Exploited soon after the release
Mitigated on Acquia Cloud
Handbook for how to recover from a breach
Drupal 7: Security improvements
Drupal 7
Stronger password hashing / salt
Login flood control
prevents brute-force credential guessing
Protected cron
prevents Denial of Service attacks
Update manager
Update module from the web UI
Drupal 7 Update Manager
Notifications
Drupal 8: Security improvements
Drupal 8: Twig
Automatically sanitizes strings on output
# Drupal 7 (theme_username() in user.module): the PHP theme function builds the
# markup by hand, so it is responsible for escaping each piece of output itself.
if (isset($variables['link_path'])) {
  $output = l($variables['name'] . $variables['extra'], $variables['link_path'], $variables['link_options']);
}
else {
  $output = '<span' . drupal_attributes($variables['attributes_array']) . '>' . $variables['name'] . $variables['extra'] . '</span>';
}
return $output;

# Drupal 8 (username.html.twig): Twig autoescapes each {{ }} value on output.
{% if link_path -%}
  <a{{ attributes }}>{{ name }}{{ extra }}</a>
{%- else -%}
  <span{{ attributes }}>{{ name }}{{ extra }}</span>
{%- endif -%}
Drupal 8: Twig
No PHP in templates
{% if link_path -%}
  <a{{ attributes }}>{{ name }}{{ extra }}</a>
{%- else -%}
  <span{{ attributes }}>{{ name }}{{ extra }}</span>
{%- endif -%}
Drupal 8: WYSIWYG in core
Streamlined filter mechanism (server and client side)
No more full HTML as last resort
Drupal 8: PHP
Removed PHP module
Drupal 8: Built-in CSRF tokens
CSRF tokens built in the routing system
# views_ui.routing.yml
views_ui.enable:
  path: '/admin/structure/views/view/{view}/enable'
  defaults:
    _controller: '\Drupal\views_ui\Controller\ViewsUIController::ajaxOperation'
    op: enable
  requirements:
    _entity_access: view.enable
    _csrf_token: 'TRUE'
Drupal 8: lots more hardening
PDO MySQL limited to executing single statements
PHP execution in subfolders forbidden in .htaccess
Clickjacking protection by default with X-Frame-Options
Hashed user session IDs in the DB
Trusted hosts pattern to restrict URL domains
Blog post: 10 Ways Drupal 8 Will Be More Secure
References
Drupal Security Advisories
Drupal Security Team
Drupal Security report
Drupal Security Best Practices guide
DGD7 chapter 6
https://groups.drupal.org/security
Security on docs.acquia.com
Thanks!
Got questions?
Contact
@scorlosquet
scor@acquia.com