A bug's life - Decoupled Drupal Security and Vulnerability Management
Download as PPTX, PDF0 likes205 views
The document discusses security concepts and best practices for software development. It covers topics like security awareness training, organizational security structures, vulnerability assessments, penetration testing, and the three pillars of security - confidentiality, integrity, and availability. Security is discussed across various stages of the development lifecycle from planning to ongoing maintenance.
A bug's life - Decoupled Drupal Security and Vulnerability Management
- 2. Tatar Balazs Janos @tatarbj Works with Drupal since 2007 CTO @ Petend Drupal Security Correspondent @ European Commission Provisional member @ Drupal Security Team SecOSdreamer @ Secure Open Source days (SecOSdays) Active mentor @ Mentoring community group TATAR BALAZS JANOS @tatarbj WHO AM I?
- 3. A bug’s life Security awareness at work Source: https://www.kisspng.com/png-flik-ant-insect-atta-the-walt-disney-company-bug-s-2727501/ TATAR BALAZS JANOS @tatarbj
- 4. SECURITY AWARENESS Security measures at our work place � Programs to educate employees � DevSecOps � Individual responsibilities for company security policies � Measures to audit these efforts Source: http://www.bugs.org/dream/teachers/index.html TATAR BALAZS JANOS @tatarbj
- 5. ORGANISATIONAL STRUCTURES � Top-down approach � Creating security policies � Assessing your company’s vulnerabilities � Investing in security technologies Enterprise level Source: https://blog.ferrovial.com/en/2016/11/what-have-ants-taught-architecture/ TATAR BALAZS JANOS @tatarbj
- 6. EASY-TO-IMPLEMENT STEPS Hints for small businesses � Using different forms of Media to reinforce the Message � Highlight recent attacks in News � Seek the Services of a Professional Source: https://cheezburger.com/7113430784/cnn-has-some-strange-reporters TATAR BALAZS JANOS @tatarbj
- 7. Security issues are bugs with different severity and business impact. TATAR BALAZS JANOS @tatarbj �
- 8. THE BUG Programming malfunction � Authentication / Authorization / Data confidentiality / Data integrity � No blaming game! Source: https://www.welcomewildlife.com/true-bugs-the-good-the-bad-the-ugly/ TATAR BALAZS JANOS @tatarbj
- 9. The Eggs Planning and Security by Design Source: https://pixabay.com/vectors/search/ant/ TATAR BALAZS JANOS @tatarbj
- 10. PLANNING PHRASE At the start of every IT projects � Budgeting issues � Continuous education � Iterative approach Source: https://www.wired.com/2014/11/harvester-ants-randomly-move-their-nests/ TATAR BALAZS JANOS @tatarbj
- 11. THINKING EVIL™ Method by Andrew van der Stock TATAR BALAZS JANOS @tatarbj �
- 12. Is the process surrounding this feature as safe as possible? In other words, is this a flawed process? TATAR BALAZS JANOS @tatarbj �
- 13. If I were evil, how would I abuse this feature? TATAR BALAZS JANOS @tatarbj �
- 14. Is the feature required to be on by default? If so, are there limits or options that could help reduce the risk from this feature? TATAR BALAZS JANOS @tatarbj �
- 15. SECURITY PRINCIPLES I. First and second-parties � Minimize attack surface area � Establish secure defaults � Least privilege � Defense in depth � Fail securely Source: https://www.britishbugs.org.uk/heteroptera/Pentatomidae/pentotoma_rufipes.html TATAR BALAZS JANOS @tatarbj
- 16. SECURITY PRINCIPLES II. Third-parties � Don’t trust services � Separation of duties � Avoid security by obscurity � Keep security simple � Fix security issues correctly Source: https://www.twincities.com/2015/06/21/catch-bugs-for-scientists-to-study-at-interstate-state-park/ TATAR BALAZS JANOS @tatarbj
- 17. The Caterpillar Development iterations until the first release TATAR BALAZS JANOS @tatarbj Source: https://www.stickpng.com/img/animals/insects/caterpillars/caterpillar-clipart
- 18. Stakeholders’ knowledge of basic principles and how they may be implemented in software product is vital to software security. TATAR BALAZS JANOS @tatarbj ⚠
- 19. THE BASIC SKILLS The secure mind-set � Protection from disclosure/alteration/destruction � Rights and privileges belonging to the requester � Ability to build historical evidence � Management of configuration, sessions and errors/exceptions Source: https://species.wikimedia.org/wiki/Coccinella_septempunctata TATAR BALAZS JANOS @tatarbj
- 20. APPLICATION LEVEL SECURITY Protection of your application � Sanitize inputs at the client side and server side � Verify file upload functionality � Use only current encryption and hashing algorithms � Check the randomness of the session � Make sure third party libraries are secured � Set strong password policy Source: https://www.pinterest.com/pin/67554063138904545 TATAR BALAZS JANOS @tatarbj
- 21. INFRASTRUCTURE LEVEL SECURITY Protection of your host � Use HTTPS for domain entries � Do not allow for directory listing � Use TLS not SSL � Hide web server information Source: https://www.vice.com/en_us/article/d7ezaq/what-would-happen-if-all-the-bees-died-tomorrow TATAR BALAZS JANOS @tatarbj
- 22. WEB SECURITY PRACTICES Protection of your users � Encode request/response � Do not store sensitive data inside cookies � Set secure and HttpOnly flags in cookies � Do not store sensitive information in a form’s hidden fields � Set secure response headers Source: https://www.pexels.com/photo/bee-hiding-1244184/ TATAR BALAZS JANOS @tatarbj
- 23. The Chrysalis First releases of the application TATAR BALAZS JANOS @tatarbj Source: https://www.nicepng.com/ourpic/u2e6a9o0y3u2y3e6_becoming-a-chrysalis-butterfly-caterpillar-monarch-i-ytimg/
- 24. VULNERABILITY ASSESSMENT Forest of the false positive issues � Environmental conditions � Scanning of the application / infrastructure � Iterative approach to improve findings � Asset management Source: https://99px.ru/avatari_vkontakte/10916/ TATAR BALAZS JANOS @tatarbj
- 25. SECURITY ASSESSMENT VA + manual verification � Looking to gain a broad coverage of the systems under test � No exploitation of vulnerabilities � Verification by authorized access � Examining logs, system responses, � error messages, code, etc… Source: https://masterok.livejournal.com/4202997.html TATAR BALAZS JANOS @tatarbj
- 26. Penetration tests simulate attacks by malicious parties. TATAR BALAZS JANOS @tatarbj �
- 27. SECURITY AUDIT VA + SA + Pentest � Driven by a risk function to look at specific compliance issues � Combination of different approaches � Characterized by a narrow scope Source: https://ccsenvironmental.uk/weird-and-funny-facts-about-insects-and-bugs/ TATAR BALAZS JANOS @tatarbj
- 28. SECURITY REVIEW And something else then before � Verification that industry or internal security standards have been applied � Gap analysis, review of design documents and architecture diagrams � Activity that does not utilize any of VA, SA, Pentest or Security audit approaches Source: https://www.britishbugs.org.uk/heteroptera/Pentatomidae/pentotoma_rufipes.html TATAR BALAZS JANOS @tatarbj
- 29. The Butterfly Maintenance releases and activities TATAR BALAZS JANOS @tatarbj Source: https://www.pngkey.com/detail/u2q8w7a9o0q8e6u2_monarch-butterfly-transparent-background/
- 30. The three pillars Information security TATAR BALAZS JANOS @tatarbj �
- 31. Confidentiality: only allow access to data for which the user is permitted TATAR BALAZS JANOS @tatarbj �
- 32. Integrity: ensure data is not tampered or altered by unauthorized users TATAR BALAZS JANOS @tatarbj �
- 33. Availability: ensure systems and data are available to authorized users when they need it TATAR BALAZS JANOS @tatarbj �
- 34. VULNERABILITY MANAGEMENT Iterative identification � Evolutive and corrective maintenance � Detection � Reporting � Remediation � Necessary mitigation vs. what-if cases Source: https://www.thoughtco.com/fascinating-facts-about-ladybugs-1968120 TATAR BALAZS JANOS @tatarbj
- 35. TRUSTED SOURCES Monitor regularly � Vendors, third party providers � National Vulnerability Database (NVD) � Common Vulnerabilities and Exposures (CVE) � ... and the Drupal Security Team! Source: https://blogs.iadb.org/sostenibilidad/en/the-fight-of-the-butterfly-restoring-haitis-native-species/ TATAR BALAZS JANOS @tatarbj
- 36. Drupal Vulnerability Management The tale behind the codes TATAR BALAZS JANOS @tatarbj ��
- 37. WHO AND HOW? Difficulties and authentication � Access complexity � None (AC:N) � Basic (AC:B) � Complex (AC:C) Source: https://mymodernmet.com/adam-gor-butterfly-photography/ TATAR BALAZS JANOS @tatarbj � Authentication � None (A:N) � User (A:U) � Admin (A:A)
- 38. THE PILLARS OF INFORMATION SECURITY The measurable elements � Confidentiality impact � All (CI:A) � Some (CI:S) � None (CI:N) Source: http://www.fanpop.com/clubs/butterflies/images/9481952/title/beautiful-butterflies-wallpaper TATAR BALAZS JANOS @tatarbj � Integrity impact � All (II:A) � Some (II:S) � None (II:N)
- 39. Availability impact is out of the scope of Drupal VM. TATAR BALAZS JANOS @tatarbj �
- 40. CONDITIONS OF THE SURFACE How does the application have to behave? � Exploit (zero-day impact) � Exploit (E:E) � Proof (E:P) � Theoretical (E:T) Source: https://commons.wikimedia.org/wiki/File:Bill_in_Ash_Vegas_-_2_Butterflies_(by).jpg TATAR BALAZS JANOS @tatarbj � Target distribution � All (TD:A) � Default (TD:D) � Uncommon (TD:U)
- 41. SecOSdays 25-26 October 2019 – Sofia, Bulgaria https://secosday.eu TATAR BALAZS JANOS @tatarbj Call For Sessions and Sponsors are open! In 100 days!!!
- 43. Thank you! TATAR BALAZS JANOS @tatarbj
Editor's Notes
- #27: Each test is approached using a consistent and complete methodology in a way that allows the tester to use their problem solving abilities, the output from a range of tools and their own knowledge of networking and systems to find vulnerabilities that would/ could not be identified by automated tools.
- #40: Each test is approached using a consistent and complete methodology in a way that allows the tester to use their problem solving abilities, the output from a range of tools and their own knowledge of networking and systems to find vulnerabilities that would/ could not be identified by automated tools.
- #44: Each test is approached using a consistent and complete methodology in a way that allows the tester to use their problem solving abilities, the output from a range of tools and their own knowledge of networking and systems to find vulnerabilities that would/ could not be identified by automated tools.