Date posted: 21-Jan-2015
Category: Technology
Uploaded by: acquia
Certification & Accreditation for Your Open Government Applications
Chuck D’Antonio and Jason Ingalls
Acquia Introduction
Drupal expertise
Enterprise software and government services experience
60+ employees
Acquia, the Enterprise Guide to Drupal
Web Application Development Security
Security Testing
Incident Response
GDIT, Information Assurance Experts
© 2009 Acquia, Inc.
Help! I need to C&A my Drupal site!
How do I assure trust in Open Source software?
Will I need a new set of processes and controls?
What resources are available to me?
Myths of Drupal & Open Source Security
PHP is less secure than ...
Open Source is easier to attack
Lack of resources such as documentation and versioning information for Open Source
There aren't a lot of C&A resources available
Myths of Drupal & Open Source Security
PHP is as or more secure than other available dynamic web engines out there. Security is a process, not a product.
Open Source means massive collaboration, high visibility, and a large pool of resources for vulnerability discovery and remediation.
Documentation exists for Open Source in many different forms, not necessarily what could be considered traditional knowledge bases.
Publications from NSA, DISA, etc.
Components of a successful C&A packet
System boundaries
Security Categorization
Risk Analysis
System Security Plan
System Test and Evaluation
Plan of Action and Milestones
C&A Tools and Processes
Make your C&A packet work for you
Integrate reviews early in your system lifecycle
Use a mix of tools to validate your controls
Coding standards
Code analysis
Functional tests
Scanners
Fuzzers
Leverage available information
Our collaborative approach to C&A
Incorporate security expertise into your development team
Collaborate on controls and remediation
Include C&A activities in your project milestones
Address security issues with each development iteration
Developing the right controls
Don't over-engineer your controls
Leverage your existing policies & procedures
Focus on the entire system
Define validation plans in parallel with controls
Take advantage of the Drupal community
Take advantage of available support
Community security patches and bulletins
Clear processes for addressing vulnerabilities
Commercial vendors
Formal channels to report and resolve issues
Guaranteed levels of response
Addresses many of the concerns of the C&A process
Bringing the process to completion
Verify
Ensure your statements have been demonstrated
Review
Fix those errors!
Finalize
Get sign off by process owners
Submit
Maintain records
Obtaining your ATO
Launch
Follow the POA&M
Maintain the Packet
Ensure compliance
Perform reviews
Questions and More Information
For more information, visit us at:
http://acquia.com
http://twitter.com/acquiagov
Contact Acquia:
[email protected] (@acquia.com)
888-9-ACQUIA
Contact presenters:
[email protected] (@acquia.com)
[email protected] (@gdit.com)
For additional Open Government resources, visit:
http://acquia.com/government
Sign up for a free 30-day Acquia Network trial
http://acquia.com/trial