Doing Drupal security right from Drupalcon London
Site Building and Environment Set-up




Doing Drupal security right

Presented by Gábor Hojtsy, Acquia
with special thanks to Greg Knaddison, Four Kitchens and Jakub Suchy
Why am I here?


• Maintainer for Drupal 6
• De-facto member of the security team
Why are you here?

• Managers?
• Site builders?
• Themers?
• Developers?
Are you affected?
With relatively simple holes, your administrator user can be taken over.
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Security misconfiguration
Heard of the mid-April wordpress.com attack?
Secure server

• Avoid using FTP at all costs; check your client tool

• Who do you share your server with? Are you confident? Do you run other apps?

• Keep your OS, PHP, SQL server, etc. up to date
Secure Drupal

• Is your admin password “admin”?
• Look at all “administer *” permissions
• “administer filters” can take over a site
• Use update.module, watch the security
  news (Wednesdays)
Secure Drupal
• Avoid any kind of PHP input, write your
  own modules instead

• Look into using paranoia.module
• Watch your input formats (you can be
  googled)

• Check out the security_review module.
Injection
index.php?id=12

// Vulnerable: both the value and the raw request parameter are spliced into the SQL string.
mysql_query("UPDATE mytable SET value = '" . $value . "' WHERE id = " . $_GET['id']);
Drupal approach

• db_query("UPDATE {mytable} SET value = :value WHERE id = :id",
  array(':value' => $value, ':id' => $id));

• If you need to include dynamic table or column names in your query, see db_escape_table()
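Added example (not code from the slides or from Drupal core): the slide's UPDATE written with bound placeholders, plus a db_escape_table()-style allowlist for a dynamic column name, which placeholders cannot protect. It uses PDO over an in-memory SQLite database so it runs without a Drupal bootstrap; the table and rows are constructed.

```php
<?php
// Added example (not from the slides or Drupal core): parameterised values
// plus an allowlist for dynamic identifiers, using PDO over in-memory SQLite.

// Mirrors what db_escape_table() does: strip every character that is not a
// letter, digit or underscore, so an identifier cannot break out of the SQL.
function escape_table(string $name): string {
  return preg_replace('/[^A-Za-z0-9_]+/', '', $name);
}

// Stricter still: only identifiers from a fixed list may be used at all.
function allowed_column(string $column, array $allowed): string {
  $column = escape_table($column);
  if (!in_array($column, $allowed, TRUE)) {
    throw new InvalidArgumentException("Column not permitted: $column");
  }
  return $column;
}

// Values travel as bound parameters (:value, :id); only the vetted column
// name is interpolated into the SQL text.
function update_value(PDO $db, string $column, string $value, int $id): int {
  $column = allowed_column($column, ['value', 'note']);
  $stmt = $db->prepare("UPDATE mytable SET $column = :value WHERE id = :id");
  $stmt->execute([':value' => $value, ':id' => $id]);
  return $stmt->rowCount();
}

// Constructed fixture: two rows, so it is visible that only one is touched.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mytable (id INTEGER PRIMARY KEY, value TEXT, note TEXT)');
$db->exec("INSERT INTO mytable (id, value, note) VALUES (12, 'old', ''), (13, 'keep', '')");

// Quotes and SQL keywords inside the value are stored literally, not executed.
$changed = update_value($db, 'value', "x' OR '1'='1", 12);
printf("rows changed: %d\n", $changed);
foreach ($db->query('SELECT id, value FROM mytable ORDER BY id') as $row) {
  printf("  id=%d value=%s\n", $row['id'], $row['value']);
}

// A hostile column name is reduced to an identifier that is not on the allowlist.
try {
  update_value($db, "value = 'x', note", 'y', 12);
}
catch (InvalidArgumentException $e) {
  echo $e->getMessage(), "\n";
}
```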
Cross Site Scripting (XSS)
index.php?id=12
print $_GET['id'];        // reflected: request input echoed without escaping

$output .= $node->title;  // stored: user-supplied title appended without check_plain()
Giving full HTML access.
Unsafe tags in other formats.
64% likelihood a website has a cross-site scripting issue
https://www.whitehatsec.com/assets/presentations/11PPT/PPT_topwebvulns_030311.pdf
jQuery.get('/user/1/edit',
  function (data, status) {
    if (status == 'success') {
      var p = /id="edit-user-edit-form-token" value="([a-z0-9]*)"/;
      var matches = data.match(p);
      var token = matches[1];
      var payload = {
        "form_id": 'user_edit',
        "form_token": token,
        "pass[pass1]": 'hacked',
        "pass[pass2]": 'hacked'
      };
      jQuery.post('/user/1/edit', payload);
    }
  }
);
Example from Heine Deelstra, Drupal Security team lead
http://heine.familiedeelstra.com/change-password-xss
Technique (with code changes) works up to Drupal 6
Drupal approach
Pick the sanitiser by the kind of output:

  Is it a URL?         yes -> check_url()
    no: Is it plain?   yes -> check_plain()
    no: Is it rich?    yes -> check_markup()
    no: Is it HTML?    yes -> filter_xss()
    no: Trusted        -> output as-is

  All branches end in HTML output
Drupal approach
• t(), format_plural() placeholders:
  %name, @url, !insecure

  // check_url() sanitises the URL; valid_url() only returns TRUE/FALSE.
  t('%name has a blog at <a href="@url">@url</a>', array(
    '@url' => check_url($user->profile_blog),
    '%name' => $user->name,
  ));
• Use Drupal.t(), Drupal.formatPlural() in JS.
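Added example (not code from the slides or from Drupal core): a stand-alone re-creation of how t() / format_string() treat the three placeholder prefixes, so the difference between %name, @url and !insecure is visible on hostile input. Real modules call Drupal's t() and check_url(); the safe_href() stand-in for check_url() here is a deliberate simplification, and the user record is constructed.

```php
<?php
// Added example (not from the slides or Drupal core): minimal re-creation of
// t() placeholder handling. Drupal's real functions behave the same way for
// these cases but cover far more.

// check_plain() equivalent: escape for a text context inside HTML.
function plain(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for check_url() (an assumption, simpler than Drupal's): allow
// http(s) and root-relative paths, drop javascript:, data:, //host and the like.
function safe_href(string $url): string {
  return preg_match('#^(https?://|/(?!/))#i', $url) === 1 ? $url : '';
}

// format_string(): '@' is escaped, '%' is escaped and marked up as a
// placeholder, '!' is inserted verbatim and must already be safe HTML.
function format_string(string $string, array $args): string {
  foreach ($args as $key => $value) {
    if ($key[0] === '@') {
      $args[$key] = plain($value);
    }
    elseif ($key[0] === '%') {
      $args[$key] = '<em class="placeholder">' . plain($value) . '</em>';
    }
    // '!' placeholders are left untouched on purpose.
  }
  return strtr($string, $args);
}

// Constructed user record with hostile field contents: a script in the name,
// and a blog URL that tries to close the href attribute and add a handler.
$user = [
  'name' => '<script>alert(1)</script>',
  'profile_blog' => 'http://blog.example/" onmouseover="alert(1)',
];

// As on the slide: URL through the URL sanitiser, name through %. The '@'
// escaping turns the embedded quote into &quot;, so the attribute holds.
echo format_string('%name has a blog at <a href="@url">@url</a>', [
  '@url' => safe_href($user['profile_blog']),
  '%name' => $user['name'],
]), "\n";

// A javascript: URL does not survive the URL check at all.
echo format_string('<a href="@url">link</a>', [
  '@url' => safe_href('javascript:alert(document.cookie)'),
]), "\n";

// The same name through '!' reaches the page unescaped; that is the
// "!insecure" the slide warns about.
echo format_string('!name has a blog', ['!name' => $user['name']]), "\n";
```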
Not all output is HTML
Authentication & sessions
• Weak password storage and account management
• Session hijacking / fixation
• Lack of session timeout / logout
Drupal approach

• Passwords are stored hashed
• Session IDs changed when permissions
  change
• Drupal works with Apache’s SSL transport
• Modules to set certain URLs to use SSL
Insecure direct object references
index.php?id=12

// Parameterised, so no injection, but any node id the visitor names is loaded
// with no access check.
db_query("SELECT * FROM {node} WHERE nid = :id", array(':id' => $_GET['id']));
Drupal approach

• Menu system handles permission checking
• user_access('administer nodes', $account);
• node_access('edit', $node, $account);
• $select->addTag('node_access');
• Form API checks for data validity
Cross Site Request Forgery (CSRF)
<img src="http://example.com/user/logout" />
http://example.com/index.php?delete=12

<img src="http://example.com/index.php?delete=12" />
Drupal approach
• Form API works with POST submissions
  by default (makes it harder)

• Form API includes form tokens, requires
  form retrieval before submission, checks
  valid values

• drupal_valid_token() provided to generate/
  validate tokens for GET requests
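Added example (not code from the slides or from Drupal core): how a token for a GET action works, modelled on the shape of drupal_get_token() / drupal_valid_token(), which bind the token to the session, the per-site private key and the protected value. The site key and session ID are constructed stand-ins for what Drupal reads from its variables table and session_id().

```php
<?php
// Added example (not from the slides or Drupal core): per-session token for a
// GET action, so the forged <img src="...?delete=12"> from the slide fails.

// Constructed secrets; in Drupal the key is the site's private key variable
// and the session ID comes from session_id().
const SITE_PRIVATE_KEY = 'constructed-site-private-key';
$session_id = 'constructed-session-id';

// Token bound to this session, this site and this specific action value.
function get_token(string $session_id, string $value): string {
  return hash_hmac('sha256', $session_id . $value, SITE_PRIVATE_KEY);
}

// Constant-time comparison, so a forged token cannot be matched byte by byte.
function valid_token(string $token, string $session_id, string $value): bool {
  return hash_equals(get_token($session_id, $value), $token);
}

// Rendering the link: the token rides along as a GET parameter.
function delete_link(string $session_id, int $nid): string {
  $token = get_token($session_id, "delete-$nid");
  return "/index.php?delete=$nid&token=$token";
}

// Handling the request: refuse unless the token matches this session and nid.
function handle_delete(array $query, string $session_id): string {
  $nid = (int) ($query['delete'] ?? 0);
  $token = (string) ($query['token'] ?? '');
  if (!valid_token($token, $session_id, "delete-$nid")) {
    return "403: token missing or invalid for node $nid";
  }
  return "node $nid deleted";
}

// Legitimate flow: link rendered for the user, then followed by the same session.
$link = delete_link($session_id, 12);
parse_str(parse_url($link, PHP_URL_QUERY), $query);
echo handle_delete($query, $session_id), "\n";

// The cross-site <img> request from the slide carries no token.
echo handle_delete(['delete' => '12'], $session_id), "\n";

// A token minted for one session is useless in another.
echo handle_delete($query, 'some-other-session-id'), "\n";

// A token for node 12 does not authorise deleting node 13.
echo handle_delete(['delete' => '13', 'token' => $query['token']], $session_id), "\n";
```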
Insecure cryptographic storage
Drupal approach
• Drupal stores user passwords with a one-way hash

• A different randomly generated private key is provided on each site, which can be used for reversible encryption

• Modules exist to help encrypt more data
• It is up to you to ensure backups are properly protected
Failure to restrict URL access
Drupal approach


• Menu system uses access callback and
  access arguments

• Continually review permissions
Insufficient transport protection
Heard of Firesheep?
Drupal approach
• Run Drupal on top of full SSL
• Use securepages and securepages_prevent_hijack to wall your important pages

• http://drupalscout.com/knowledge-base/drupal-and-ssl-multiple-recipes-possible-solutions-https

• Use a valid certificate
Unvalidated redirects
http://example.com/index.php?target=evil.com
Drupal approach

• Drupal has various internal redirections,
  which use local paths and generate
  URLs based on them

• Look for use of drupal_goto() and Form
  API #redirect instances in your modules
  to validate their compliance
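Added example (not code from the slides or from Drupal core): the check a module should apply to a user-supplied redirect target before handing it to drupal_goto() or a Form API #redirect, following the approach the slide describes of treating the target as a local path and building the URL from it. The function names and the base URL are constructed for the illustration.

```php
<?php
// Added example (not from the slides or Drupal core): accept a redirect target
// only when it is a local path, then build the absolute URL from that path.

function is_local_path(string $target): bool {
  // Control characters and whitespace never belong in a path.
  if ($target === '' || preg_match('/[\x00-\x20]/', $target)) {
    return FALSE;
  }
  // Anything with a scheme (http://, javascript:, data:) is external.
  if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $target)) {
    return FALSE;
  }
  // Protocol-relative (//host) and the backslash variants browsers
  // normalise to // are external too.
  if (preg_match('#^[/\\\\]{2}#', $target)) {
    return FALSE;
  }
  $parts = parse_url($target);
  return $parts !== FALSE && !isset($parts['host']) && !isset($parts['scheme']);
}

// Fall back to the front page when the requested target is not local.
function safe_redirect_target(?string $target, string $fallback = '/'): string {
  return ($target !== NULL && is_local_path($target)) ? $target : $fallback;
}

// Like Drupal's internal redirections: the final URL is generated from the
// local path, so even "evil.com" becomes a page on this site, not a hop off it.
function local_url(string $base, string $path): string {
  return rtrim($base, '/') . '/' . ltrim($path, '/');
}

// Constructed inputs, including the ?target=evil.com case from the slide.
$base = 'https://example.com';
$targets = [
  'node/12',
  '/user/login?destination=node/1',
  'evil.com',
  'http://evil.com',
  '//evil.com',
  '/\\evil.com',
  'javascript:alert(1)',
];
foreach ($targets as $t) {
  printf("%-32s -> %s\n", $t, local_url($base, safe_redirect_target($t)));
}
```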
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Is Open Source secure?
“Open Source is secure”
• Open Source makes people look at it
• Popularity gets more eyes
• There are always more smart people to
  find and fix problems
“Open Source is insecure”
• People can equally find holes
• Some people (inadvertently) disclose issues in public

• The fix becomes public and can / will be reviewed
Is Drupal secure?
Developers and users
• Drupal APIs are designed to be secure
• It is ultimately up to programmers to use them that way

• http://drupal.org/writing-secure-code
• Tools designed for security can still be misconfigured
Drupal security team

A team of volunteers working to ensure the best security of Drupal and thousands of contributed modules
Design. Educate. Fix.
What’s supported?
• Drupal core and all(!) contributed projects on drupal.org

• Stable releases (development versions only for very popular modules)

• Not actively looking for vulnerabilities in contributed modules

• Only the current and one earlier version are supported: now 7.x and 6.x
Points of contact
• Releases at http://drupal.org/security
• Reporting issues: http://drupal.org/node/101494

• Reporting cracked sites: http://drupal.org/node/213320

• Discuss general issues: http://groups.drupal.org/best-practices-drupal-security
These slides are (CC)
Images used:
http://www.flickr.com/photos/rtv/2398561954/
http://www.flickr.com/photos/jonk/19422564/
http://www.flickr.com/photos/duncan/2693141693/
http://www.flickr.com/photos/duncan/2742371814
http://www.flickr.com/photos/jontintinjordan/3736095793/
http://www.flickr.com/photos/djbrady/2304740173/
http://www.flickr.com/photos/inkytwist/2654071573/
http://www.flickr.com/photos/duncan/2741594585/
http://www.flickr.com/photos/shellysblogger/2924699161/
http://www.flickr.com/photos/blogumentary/434097609/
http://www.flickr.com/photos/glamhag/2214986176/
http://www.flickr.com/photos/duncan/2693140217/

This presentation created by Gábor Hojtsy
Licensed: http://creativecommons.org/licenses/by-nc-sa/2.0/
Questions?
What did you think?
Locate this session on the
DrupalCon London website:
http://london2011.drupal.org/conference/schedule


Click the “Take the survey” link

THANK YOU!
