![Page 1: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/1.jpg)
DevSecOps:Drupal Security
Drupal Camp Asheville, 2017
Will Chatham
![Page 2: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/2.jpg)
$> whoamiI Am Will Chatham
Security Analyst for ERT at NOAA’s NCEIEthical Hacker Type
Twitter - @willcDrupal - geekamongus
Web - willchatham.comEmail - [email protected]
![Page 3: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/3.jpg)
OutlinePerspectives
DevSecOps - Idealism vs. Reality
DevSecOps and Drupal
Awareness
Configuration
Community
Other Stuff
![Page 4: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/4.jpg)
Full Disclosure: I am not a Drupal developer
I work with Drupal developers and system admins tofacilitate DevSecOps as much as possible
My background is in security, web development and system administration
From My Perspective
![Page 5: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/5.jpg)
From The Federal Perspective
Slow to adopt new technology
Resistant to cloud-based services (Saas)
Bound by a robust Risk Management Framework
We are embracing Open Source more and more
![Page 6: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/6.jpg)
Starting With The Bird’s Eye View
https://youtu.be/AMq-8Ahttps://youtu.be/AMq-8At1yYAt1yYA
![Page 7: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/7.jpg)
Buzzword + Buzzword...DevOps
● An agile relationship between Development and IT Operations
● Merge people, processes, and tools
● Provide better service and products by integrating these two business units
SecOps
● An agile relationship between IT Operations and IT Security
● Shared accountability, processes, and tools
● Maintain a commitment to uptime and service without sacrificing security
![Page 8: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/8.jpg)
= a Longer Buzzword: DevSecOps● Achieve greater efficiency and productivity through
team collaboration with security baked in● Shift security to be incorporated early and often
rather than at the end● Everyone is responsible for security● Emphasis on the Proactive
![Page 9: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/9.jpg)
An Ideal DevSecOps WorldThe DevSecOps ManifestoLeaning in over Always Saying “No”
Data & Security Science over Fear, Uncertainty and Doubt
Open Contribution & Collaboration over Security-Only Requirements
Consumable Security Services with APIs over Mandated Security Controls & Paperwork
Business Driven Security Scores over Rubber Stamp Security
Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
Shared Threat Intelligence over Keeping Info to Ourselves
Compliance Operations over Clipboards & Checklistshttp://www.devsecops.org/
![Page 10: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/10.jpg)
Do you have a personal Red Teamand a 24x7 Monitoring System?
The DevSecOps Reality
![Page 11: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/11.jpg)
Let’s apply what we can where we can...
● Integrate security early and often - not at the end
● Security is Everyone’s Responsibility - developers, sysads, content authors, SEOs, designers, etc
To reduce the risk where we can...
● Security is Holistic: from expensive firewalls all the way over to knowing how to spot a dangerous link in an email.
● Reduce your Risk Profile
The DevSecOps Reality
![Page 12: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/12.jpg)
How does this apply to Drupal?
![Page 13: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/13.jpg)
Know how to configure a secure Drupal website, and make sure it stays that way.
ConfigurationGet to know the risks, the threats, and the ways to mitigate them.
Understand what makes Drupal a target, and what can be done to be a smaller target.
Teach your users and clients all of the above.
AwarenessRely on the mature open source Drupal community to assist you in mitigating risk.
Reduce your risk profile by taking advantage of the Drupal community’s expertise, processes, and lessons learned.
Community
Three Ways
![Page 14: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/14.jpg)
Awareness: What Threats?
![Page 15: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/15.jpg)
Awareness: The OWASP Top 10
XSS - Cross-Site Scripting
Injection - SQL, XXE, OS, etc
Broken Authentication & Session Management
Application Security Risks - 2017
CSRF - Cross-Site Request Forgery
Sensitive Data Exposure
Insufficient Attack Protection
Broken Access Control
Security Misconfiguration
Using Components With Known Vulnerabilities
Underprotected API’s
https://www.owasp.org/index.php/Top_10_2017-Top_10
![Page 16: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/16.jpg)
XSS - Cross-Site Scripting
Injection
Broken Authentication & Session Management
Application Security Risks - 2017
CSRF - Cross-Site Request Forgery
Sensitive Data Exposure
Insufficient Attack Protection
Broken Access Control
Security Misconfiguration
Using Components With Known Vulnerabilities
Underprotected API’s
OK, great. But what can I do about all this today?
Awareness: The OWASP Top 10
![Page 17: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/17.jpg)
Configuration Pitfalls:Avoiding Crocodiles and Scorpions
![Page 18: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/18.jpg)
Drupal Security ConfigurationUse the Least Privilege ConceptProvide the minimum amount of access necessary to do the job.
General Best Practices
Put captchas on forms.
Use SSL by default
Remove modules and themes you don’t need
Update!
Subscribe to Drupal Security Advisories
![Page 19: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/19.jpg)
Security ModulesParanoia - scans for and blocks PHP in web interface https://www.drupal.org/project/paranoia
Login Security - limit login attempts, deny by IPhttps://www.drupal.org/project/login_security
Password Policy - enforce strong passwordshttps://www.drupal.org/project/password_policy
Rename Admin Paths - thwart automated brute force scriptshttps://www.drupal.org/project/rename_admin_paths
Security Review - https://www.drupal.org/project/security_review
Drupal Security Configuration
![Page 20: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/20.jpg)
Drupal Security ConfigurationThe Security Review Module - (https://www.drupal.org/project/security_review)
Safe file system permissions (protecting against arbitrary code execution)Text formats don't allow dangerous tags (protecting against XSS)PHP or Javascript in content (nodes and comments and fields in Drupal 7)Safe error reporting (avoiding information disclosure)Secure private filesOnly safe upload extensionsLarge amount of database errors (could be sign of SQLi attempts)Large amount of failed logins (could be sign of brute-force attempts)Responsible Drupal admin permissions (protecting against access misconfiguration)Username as password (protecting against brute-force)Password included in user emails (avoiding information disclosure)PHP execution (protecting against arbitrary code execution)Base URL set / D8 Trusted hosts (protecting against some phishing attempts)Views access controlled (protecting against information disclosure)
![Page 21: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/21.jpg)
Use the Drupal community’s mature advice and expertise.
Security ThroughCommunity
![Page 22: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/22.jpg)
Community: Drupal Core SecurityTraditionally very secure
Quick to respond
Very communicative
Responsible Disclosure helps prevent 0-days
![Page 23: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/23.jpg)
Community: Contrib ModulesWhat to look out for when choosing modules to use
No activity in X days/weeks/months/years
Look at the open bugs for red flags
Number of user installations
Development status: stable, dev, alpha, beta, etc.
Is it covered by the Security Advisory Policy?
![Page 24: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/24.jpg)
Community: Contrib Modules and SA’sWhen modules are covered by the Drupal Security Advisory policy:● They come with a responsible disclosure process● They get the benefit of the Security Team’s help to mitigate problems● The risk of unpatched, publicly known vulnerabilities is greatly reduced
Keep in mind:● Only “stable” modules that have applied for security coverage are covered by
SA policy● Contrib modules are the biggest threat to a Drupal site● The Security Team is more reactive than proactive
![Page 25: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/25.jpg)
Community: Security Advisory PolicyOnly stable modules get covered by Security Advisories
(but not all stable modules are covered)
![Page 26: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/26.jpg)
Community: Security Advisory Policy
Alpha, beta, dev, and RC status modules do not get covered by Security Advisories
![Page 27: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/27.jpg)
A few other things of noteBundled Libraries are dangerous -- especially in modules with low activity! (OWASP #9)
Did you know these are officially End of Life?--jQuery 1.x and 2.x--Bootstrap 3.x
Did you know they have known vulnerabilities and will not be receiving back-ported security patches?
![Page 28: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/28.jpg)
Secure Coding Best Practices (a whole other presentation)
Check your Web Host:● Who are you sharing space with?● Backups - are they being done? Can you restore from them?● Updates - Server, database, services, apps, etc.● Maintenance
○ Are you keeping Drupal up to date (core and modules)?○ Are you keeping up on Bugs for non-stable modules?○ Do you subscribe to Drupal Security Advisories?
Recommended Homework
![Page 29: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/29.jpg)
Drupal.org - http://drupal.org/security-team
http://drupal.org/writing-secure-code
http://drupal.org/security/secure-configuration
http://www.devsecops.org/
Drupal Contrib Modules Security Advisories:https://www.drupal.org/security/contrib
Drupal Core Security Advisories:https://www.drupal.org/security/https://www.drupal.org/drupal-security-team/security-advisory-process-and-permissions-policy
Resources
![Page 30: Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best](https://reader034.vdocuments.net/reader034/viewer/2022050109/5f46dced6727f047b944056b/html5/thumbnails/30.jpg)
Thanks!You can find me at:
Look for these slides at:https://www.willchatham.com
Any questions?