Understanding and Implementing Website Security
1 like259 views
The document discusses various aspects of website security, emphasizing the importance of understanding the security landscape and adopting a layered approach. It covers secure configuration, coding practices, and the use of security-enhancing modules for Drupal, as well as the significance of secure networking and support procedures. The key takeaway is to used reliable hosting, maintain secure coding habits, and adhere to best practices for overall website security.
Understanding and Implementing Website Security
- 1. W E B S I T E S E C U R I T Y U N D E R S TA N D I N G A N D I M P L E M E N T I N G https://flic.kr/p/8rvdmp
- 2. D R E W G O R T O N • Director of Agency and Community Outreach, Pantheon • Founder, Gorton Studios (2001) • Co-founder, NodeSquirrel (2012) • Drupal 4.4 (~2004) • Drupal Twin Cities • @dgorton
- 3. I S A D A N G E R O U S T H I N G W E B C O N T E N T M A N A G E M E N T
- 4. C O M M O N P L A C E D A TA B R E A C H E S A R E
- 5. S U R E LY N O T M E ? ! I ’ M S O T I N Y !
- 6. I S N O T B I N A RY W E B S I T E S E C U R I T Y https://flic.kr/p/h4TA84
- 7. L E S S O N F R O M T H E R E A L W O R L D Safe Ratings • Time (5 minutes, 30 minutes, …) • Tools (hammer, drill, power saw, …) • People (skill, number, …) https://flic.kr/p/3yigw
- 8. I S A C O N T I N U U M W E B S I T E S E C U R I T Y https://flic.kr/p/h4TA84
- 9. Perfect Security is a Myth https://flic.kr/p/4p9Vi
- 10. W I L L A LWAY S H AV E G A P S W E B S I T E S E C U R I T Y https://flic.kr/p/5d4nKx
- 11. T O D AY ’ S G O A L S • Understand Landscape • Have Fewer, Smaller Gaps • Better Preparedness • Examining Website Security in Layers
- 12. L AY E R S • Platform: Linux, Apache, MySQL, PHP … • Application: Drupal, WordPress… • Organizational: Habits, procedures, planning… https://flic.kr/p/dp3nGo
- 13. P L AT F O R M L AY E R • Linux • Apache • MySQL • PHP • Varnish • Redis • … https://flic.kr/p/mmgwkxG U E S S : L A S T W E E K ?
- 14. Y O U D O N O T WA N T T H I S M O N K E Y * P L A T F O R M S E C U R I T Y: https://flic.kr/p/p8z6wN
- 15. D R U PA L H O S T I N G P L A T F O R M S E C U R I T Y: U S E H T T P S : / / W W W. D R U PA L . O R G / H O S T I N G
- 16. N O T A L L H O S T I N G I S E Q U A L P L A T F O R M S E C U R I T Y: B U Y E R B E WA R E
- 17. I N T H E R E A L W O R L D P L A T F O R M S E C U R I T Y: G E T S E V E N M E S S I E R
- 18. A B E T T E R WAY P L A T F O R M S E C U R I T Y: T H E R E I S
- 19. C H O O S E H O S T S W I S E LY How did you handle Heartbleed? How did you handle DrupalGeddon?
- 20. D R U PA L A P P L I C A T I O N L A Y E R https://flic.kr/p/9Vx4ra
- 21. D R U PA L I S F L E X I B L E • (Mis) Configuration • You can configure Drupal so that Anonymous Users can ____ • Upload images • Change files • Edit the homepage • Turn on modules • Change themes https://flic.kr/p/nze5Em
- 22. S E C U R E C O N F I G U R AT I O N • Secure User 1 • No simple passwords • Don’t share passwords across sites • Doesn’t have to be ‘admin’ • Permissions & Roles • Administer * is powerful • Administer filters can pwn site • No PHP (!!!) • Update module • Wednesdays are security releases • Turn it on. Get the notifications. Do them https://flic.kr/p/5pGcyx
- 23. D R U PA L M O D U L E S • Paranoia • Security Review • Permissions Lock • Secure Login • Hacked! • Password policy / Password strength • Two Factor Authentication
- 24. S E C U R I T Y T E A M • Drupal 7 & 8 Core + Contrib • Wednesdays are releases • Process & Procedure • Drupal 6 coverage available https://flic.kr/p/qFLhg
- 25. S E C U R E C O D I N G • https://www.drupal.org/ writing-secure-code • Doing Drupal Security Right - OWASP 10 and Drupal • Injection • XSS • CRSF https://flic.kr/p/3dvqhG
- 26. S Q L I N J E C T I O N S E C U R E C O D I N G http://xkcd.com/327/ db_query() https://www.drupal.org/node/101496
- 27. C R O S S S I T E S C R I P T I N G ( X S S ) • JavaScript to run browser actions in this website • Up to 64% of websites vulnerable • Use Filters! check_url(), check_plain(), filter_xss(), filter_xss_admin(), check_markup() • t() function • https://www.drupal.org/node/ 28984 https://flic.kr/p/5ALBHy
- 28. C R O S S - S I T E R E Q U E S T F O R G E RY ( C S R F O R X S R F ) • Actions on another site • <a href="http://bank.com/ transfer.do? acct=MARIA&amount=10000 ">View my Pictures!</a> • Forms API , drupal_get_token(), drupal_valid_token() • https://www.drupal.org/ node/178896 https://flic.kr/p/bSkp8r
- 29. P R O C E S S E S O R G A N I Z A T I O N L A Y E R https://flic.kr/p/5kaEda
- 30. S E C U R E N E T W O R K I N G • HTTPS / SSL • LetsEncrypt.org • CloudFlare • Others • SFTP (No FTP!) • Wireless Caution https://flic.kr/p/6v1J1m
- 31. S E C U R E C O D E M A N A G E M E N T • Use Version Control Software (VCS) like Git • Sanitize Data on transfer - drushcommands.com/ drush-8x/sql/sql-sanitize • Secure your Keys - https:// lockr.io https://flic.kr/p/9BkXKV
- 32. S E C U R E S U P P O R T • Catalog your sites • Wednesdays - be ready • Who is responsible? • Who helps them? • How do they escalate? • Emergency Procedures • Run the drill! https://flic.kr/p/rEwbwL
- 33. I N S U M M A RY • Use a secure (reliable, performant) Drupal host. • Configure Drupal carefully • Use Security-enhancing Drupal modules • Follow Drupal coding best practices • Use secure communications (HTTPS, SFTP, …) • Have secure code management habits • Have clear support practices and procedures
- 34. Q U E S T I O N S ? W E B S I T E S E C U R I T Y https://flic.kr/p/pqiJNt
- 35. H T T P S : / / J O I N D . I N / 1 7 2 7 5