A bug’s life
Drupal Application Security and Vulnerability Management
Tatar Balazs Janos - @tatarbj
WHO AM I?
Tatar Balazs Janos (@tatarbj)
Works with Drupal since 2007
CTO @ Petend
Drupal Security Correspondent @ European Commission
Active mentor @ Mentoring community group
Provisional member @ Drupal Security Team
SecOSdreamer @ Secure Open Source day
A bug’s life
Security awareness at work
Source: https://www.kisspng.com/png-flik-ant-insect-atta-the-walt-disney-company-bug-s-2727501/
SECURITY AWARENESS
Security measures at our work place
Programs to educate employees
Individual responsibilities for company security policies
Measures to audit these efforts
Source: http://www.bugs.org/dream/teachers/index.html
ORGANISATIONAL STRUCTURES
Top-down approach
Enterprise level
Creating security policies
Assessing your company’s vulnerabilities
Investing in security technologies
Source: https://blog.ferrovial.com/en/2016/11/what-have-ants-taught-architecture/
EASY-TO-IMPLEMENT STEPS
Hints for small businesses
Using different forms of media to reinforce the message
Highlight recent attacks in the news
Seek the services of a professional
Source: https://cheezburger.com/7113430784/cnn-has-some-strange-reporters
Security issues are bugs with different severity and business impact.
The bug
Programming malfunction
Authentication / Authorization / Data confidentiality / Data integrity
No blaming game!
Source: https://www.welcomewildlife.com/true-bugs-the-good-the-bad-the-ugly/
The Eggs
Planning and Security by Design
Source: https://pixabay.com/vectors/search/ant/
PLANNING PHASE
At the start of every IT project
Budgeting issues
Continuous education
Iterative approach
Source: https://www.wired.com/2014/11/harvester-ants-randomly-move-their-nests/
THINKING EVIL™
Method by Andrew van der Stock
Is the process surrounding this feature as safe as possible? In other words, is this a flawed process?
If I were evil, how would I abuse this feature?
Is the feature required to be on by default? If so, are there limits or options that could help reduce the risk from this feature?
SECURITY PRINCIPLES I.
First and second-parties
Minimize attack surface area
Establish secure defaults
Least privilege
Defense in depth
Fail securely
Source: https://www.britishbugs.org.uk/heteroptera/Pentatomidae/pentotoma_rufipes.html
SECURITY PRINCIPLES II.
Third-parties
Don’t trust services
Separation of duties
Avoid security by obscurity
Keep security simple
Fix security issues correctly
Source: https://www.twincities.com/2015/06/21/catch-bugs-for-scientists-to-study-at-interstate-state-park/
The Caterpillar
Development iterations until the first release
Source: https://www.stickpng.com/img/animals/insects/caterpillars/caterpillar-clipart
Stakeholders’ knowledge of basic principles and how they may be implemented in a software product is vital to software security.
THE BASIC SKILLS
The secure mind-set
Protection from disclosure/alteration/destruction
Rights and privileges belonging to the requester
Ability to build historical evidence
Management of configuration, sessions and errors/exceptions
Source: https://species.wikimedia.org/wiki/Coccinella_septempunctata
APPLICATION LEVEL SECURITY
Protection of your application
Sanitize inputs at the client side and server side
Verify file upload functionality
Use only current encryption and hashing algorithms
Check the randomness of the session
Make sure third-party libraries are secure
Set a strong password policy
Source: https://www.pinterest.com/pin/67554063138904545
INFRASTRUCTURE LEVEL SECURITY
Protection of your host
Use HTTPS for domain entries
Do not allow for directory listing
Use TLS, not SSL
Hide web server information
Source: https://www.vice.com/en_us/article/d7ezaq/what-would-happen-if-all-the-bees-died-tomorrow
WEB SECURITY PRACTICES
Protection of your users
Encode request/response
Do not store sensitive data inside cookies
Set secure and HttpOnly flags in cookies
Do not store sensitive information in a form’s hidden fields
Set secure response headers
Source: https://www.pexels.com/photo/bee-hiding-1244184/
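As an added example (not from the slides), a small Python audit of a captured HTTP response against the host- and user-protection checks on the two slides above: Secure and HttpOnly cookie flags, secure response headers, web server information disclosure and auto-generated directory listings. The required-header set, the severities and the two sample responses are assumptions constructed for this example.

```python
"""Audit a raw HTTP response for the infrastructure- and web-level checks
discussed above. Sample responses below are constructed, not captured."""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed minimum header set ("Set secure response headers" / "Use HTTPS").
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS keeps browsers on HTTPS",
    "x-content-type-options": "nosniff stops MIME sniffing",
    "x-frame-options": "limits framing (clickjacking)",
    "content-security-policy": "restricts script and resource origins",
}
# Headers that reveal server/platform details ("Hide web server information").
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-generator")


@dataclass
class Finding:
    severity: str  # assumed scale: high / medium / low
    check: str
    detail: str


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a raw HTTP/1.1 response into (status line, headers, body).
    Headers are kept as an ordered list because Set-Cookie may repeat."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def audit_cookie(set_cookie: str) -> List[Finding]:
    """Check one Set-Cookie value for the Secure and HttpOnly attributes."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(Finding("high", "cookie-secure",
                                f"cookie {name!r} lacks Secure: sent over plain HTTP too"))
    if "httponly" not in attrs:
        findings.append(Finding("medium", "cookie-httponly",
                                f"cookie {name!r} lacks HttpOnly: readable by page scripts"))
    return findings


def audit_response(raw: str) -> List[Finding]:
    """Run every check and return the list of findings (empty means clean)."""
    _status, headers, body = parse_response(raw)
    present = {name for name, _ in headers}
    findings: List[Finding] = []
    for name, value in headers:
        if name == "set-cookie":
            findings.extend(audit_cookie(value))
        elif name in DISCLOSURE_HEADERS and value:
            findings.append(Finding("low", "server-info",
                                    f"{name} header discloses {value!r}"))
    for name, why in REQUIRED_HEADERS.items():
        if name not in present:
            findings.append(Finding("medium", "missing-header", f"{name} not set ({why})"))
    # Heuristic for an auto-generated index page ("Do not allow for directory listing").
    if "<title>index of /" in body.lower():
        findings.append(Finding("high", "directory-listing",
                                "body looks like an auto-generated directory index"))
    return findings


# Constructed weak response: leaky headers, unflagged session cookie, listing page.
WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: SESSa1b2c3=deadbeef; Path=/\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure\r\n"
    "\r\n"
    "<html><head><title>Index of /sites/default/files</title></head></html>"
)
# The same response after applying the checklist.
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Set-Cookie: SESSa1b2c3=deadbeef; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><head><title>Welcome</title></head></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {label}: {len(audit_response(raw))} finding(s)")
        for f in audit_response(raw):
            print(f"  [{f.severity}] {f.check}: {f.detail}")
```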
The Chrysalis
First releases of the application
Source: https://www.nicepng.com/ourpic/u2e6a9o0y3u2y3e6_becoming-a-chrysalis-butterfly-caterpillar-monarch-i-ytimg/
VULNERABILITY ASSESSMENT
A forest of false-positive issues
Environmental conditions
Scanning of the application / infrastructure
Iterative approach to improve findings
Asset management
Source: https://99px.ru/avatari_vkontakte/10916/
SECURITY ASSESSMENT
VA + manual verification
Looking to gain a broad coverage of the systems under test
No exploitation of vulnerabilities
Verification by authorized access
Examining logs, system responses, error messages, code, etc.
Source: https://masterok.livejournal.com/4202997.html
Penetration tests simulate attacks by malicious parties.
SECURITY AUDIT
VA + SA + Pentest
Driven by a risk function to look at specific compliance issues
Combination of different approaches
Characterized by a narrow scope
Source: https://ccsenvironmental.uk/weird-and-funny-facts-about-insects-and-bugs/
SECURITY REVIEW
And something else than before
Verification that industry or internal security standards have been applied
Gap analysis, review of design documents and architecture diagrams
Activity that does not utilize any of the VA, SA, Pentest or Security audit approaches
Source: https://www.britishbugs.org.uk/heteroptera/Pentatomidae/pentotoma_rufipes.html
The Butterfly
Maintenance releases and activities
Source: https://www.pngkey.com/detail/u2q8w7a9o0q8e6u2_monarch-butterfly-transparent-background/
The three pillars
Information security
Confidentiality: only allow access to data for which the user is permitted
Integrity: ensure data is not tampered with or altered by unauthorized users
Availability: ensure systems and data are available to authorized users when they need them
VULNERABILITY MANAGEMENT
Iterative identification
Evolutive and corrective maintenance
Detection
Reporting
Remediation
Necessary mitigation vs. what-if cases
Source: https://www.thoughtco.com/fascinating-facts-about-ladybugs-1968120
TRUSTED SOURCES
Monitor regularly
Vendors, third party providers
National Vulnerability Database (NVD)
Common Vulnerabilities and Exposures (CVE)
... and the Drupal Security Team!
Source: https://blogs.iadb.org/sostenibilidad/en/the-fight-of-the-butterfly-restoring-haitis-native-species/
Drupal Vulnerability Management
The tale behind the codes
WHO AND HOW?
Difficulties and authentication
Access complexity
None (AC:N)
Basic (AC:B)
Complex (AC:C)
Authentication
None (A:N)
User (A:U)
Admin (A:A)
Source: https://mymodernmet.com/adam-gor-butterfly-photography/
THE PILLARS OF INFORMATION SECURITY
The measurable elements
Confidentiality impact
All (CI:A)
Some (CI:S)
None (CI:N)
Integrity impact
All (II:A)
Some (II:S)
None (II:N)
Source: http://www.fanpop.com/clubs/butterflies/images/9481952/title/beautiful-butterflies-wallpaper
Availability impact is out of the scope of Drupal vulnerability management (VM).
CONDITIONS OF THE SURFACE
How does the application have to behave?
Exploit (zero-day impact)
Exploit (E:E)
Proof (E:P)
Theoretical (E:T)
Target distribution
All (TD:A)
Default (TD:D)
Uncommon (TD:U)
Source: https://commons.wikimedia.org/wiki/File:Bill_in_Ash_Vegas_-_2_Butterflies_(by).jpg
SecOSdays
25-26 October, 2019 – Sofia, Bulgaria
Call For Sessions and Sponsors are open!
Questions?
Thank you!

Editor's Notes

  • #27: Each test is approached using a consistent and complete methodology in a way that allows the tester to use their problem solving abilities, the output from a range of tools and their own knowledge of networking and systems to find vulnerabilities that would/ could not be identified by automated tools.