
Drupal Security by Ben Jeavons

Drupal is an open-source web application that powers over 2% of the web and, like any other application, is at risk of attack. This talk covers a range of topics about Drupal and security, including the state of Drupal security, the process and goals of Drupal's Security Team, and the APIs and best-practice configuration for maintaining a secure site.

Ben Jeavons is a software engineer at Acquia, a company providing products, services, and technical support for Drupal. Ben is a member of Drupal Security Team and co-author of the Drupal Security Whitepaper.

Complete webcast: https://www.youtube.com/watch?v=dC-TjZkMTk8

https://www.owasp.org/index.php/Montreal

OWASP Montréal

March 25, 2013

Transcript

  1. Drupal is secure
     - Modern PHP application
     - Powers 2% of the web
     - Strong APIs & peer-reviewed
     - Dedicated security team
     Monday, March 25, 13

  2. Drupal core is secure
     - Most vulnerabilities are in custom code & config
     - Use Drupal APIs and practices
     - Peer-review code and config

  3. Ben Jeavons
     - Working with Drupal for 6 years
     - @benswords
     - Member of Drupal Security Team

  4. Core security features
     - Passwords salted and hashed with PHPass
     - Access control and permission system
     - Form API protects against CSRF & semantic forgery

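The Form API protection on slide 4, as an added example that is not from the slides or from Drupal core: a hypothetical "drafts" module exposes the same state-changing action three ways. The bare GET path is the vulnerable pattern; the version routed through drupal_get_form() inherits the session-bound form_token; the one-click link shows drupal_get_token()/drupal_valid_token() for an action that is not a form. The module name, paths, permission 'delete own drafts' and form id are assumptions; every function called is Drupal 7 core API.

```php
<?php
// Added example, not from the slides. The "drafts" module, its paths, the
// permission 'delete own drafts' and the form id are hypothetical; the
// functions called are Drupal 7 core API.

/**
 * Implements hook_menu().
 */
function drafts_menu() {
  // VULNERABLE: a plain GET path performs a state change with no token.
  // Any page a logged-in user visits can embed
  //   <img src="http://site/drafts/delete-all-bad">
  // and the browser sends the session cookie along with the request.
  $items['drafts/delete-all-bad'] = array(
    'page callback' => 'drafts_delete_all_bad',
    'access arguments' => array('delete own drafts'),
    'type' => MENU_CALLBACK,
  );
  // FIXED: route through drupal_get_form(). The rendered form carries a
  // hidden form_token bound to the session; form_builder() rejects a POST
  // whose token fails drupal_valid_token() before any validate or submit
  // handler runs, and values outside the rendered form (the "semantic
  // forgery" case, e.g. an option not offered) are rejected as well.
  $items['drafts/delete-all'] = array(
    'title' => 'Delete my drafts',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('drafts_delete_all_form'),
    'access arguments' => array('delete own drafts'),
    'type' => MENU_CALLBACK,
  );
  // A one-click link that is not a form: carry an explicit token and check
  // it in the access callback so the router denies forged requests.
  $items['drafts/delete/%node'] = array(
    'page callback' => 'drafts_delete_one',
    'page arguments' => array(2),
    'access callback' => 'drafts_delete_one_access',
    'access arguments' => array(2),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

function drafts_delete_all_bad() {
  node_delete_multiple(drafts_own_nids());
  drupal_goto('<front>');
}

/**
 * Form builder: a standard confirmation form.
 */
function drafts_delete_all_form($form, &$form_state) {
  return confirm_form($form, t('Delete all of your draft nodes?'), '<front>',
    t('This action cannot be undone.'), t('Delete'));
}

/**
 * Submit handler: only reached after the form token validated.
 */
function drafts_delete_all_form_submit($form, &$form_state) {
  $nids = drafts_own_nids();
  node_delete_multiple($nids);
  drupal_set_message(t('Deleted @count drafts.', array('@count' => count($nids))));
  $form_state['redirect'] = '<front>';
}

/**
 * Builds the per-node link. drupal_get_token() derives the value from the
 * session id and the site's private key; mixing in the nid means a token
 * captured for one node cannot be replayed against another.
 */
function drafts_delete_link($node) {
  return l(t('Delete draft'), 'drafts/delete/' . $node->nid, array(
    'query' => array('token' => drupal_get_token('drafts-delete-' . $node->nid)),
  ));
}

function drafts_delete_one_access($node) {
  global $user;
  return user_access('delete own drafts')
    && $node->uid == $user->uid
    && $node->status == NODE_NOT_PUBLISHED
    && isset($_GET['token'])
    && drupal_valid_token($_GET['token'], 'drafts-delete-' . $node->nid);
}

function drafts_delete_one($node) {
  node_delete($node->nid);
  drupal_set_message(t('Deleted %title.', array('%title' => $node->title)));
  drupal_goto('<front>');
}

/**
 * Helper: nids of the current user's unpublished nodes.
 */
function drafts_own_nids() {
  global $user;
  return db_select('node', 'n')
    ->fields('n', array('nid'))
    ->condition('n.uid', $user->uid)
    ->condition('n.status', NODE_NOT_PUBLISHED)
    ->execute()
    ->fetchCol();
}
```

The check a reviewer makes on custom code is therefore simple: every path that changes state either goes through drupal_get_form() or validates a token in its access callback, and nothing destructive happens on a GET without one.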
  5. Core security features
     - Flood control
     - DB abstraction mitigates SQL injection
     - Sanitization & filter functions
     - Brute-force login prevention

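The DB abstraction and flood control of slide 5, as an added example that is not from the slides: a hypothetical "lookup" module with a constructed injection input, the placeholder and query-builder forms that close it, and a page callback throttled with the flood API that core itself uses for failed logins. The module name, function names, event name and limits are assumptions; db_query(), db_select(), db_like(), flood_is_allowed() and flood_register_event() are Drupal 7 core API.

```php
<?php
// Added example, not from the slides. The "lookup" module, its function
// names and the flood event name and limits are hypothetical; the database
// and flood functions are Drupal 7 core API.

/**
 * VULNERABLE: the string is spliced into SQL. A constructed input of
 *   ' OR '1'='1
 * turns the WHERE clause into a tautology and returns every nid, and a
 * UNION reads other tables through the same hole.
 */
function lookup_nids_by_title_insecure($title) {
  return db_query("SELECT nid FROM {node} WHERE title = '$title'")->fetchCol();
}

/**
 * FIXED: a named placeholder. The value is bound (or escaped) by the
 * database driver and is never parsed as SQL; {node} keeps the table
 * prefix handling.
 */
function lookup_nids_by_title($title) {
  return db_query('SELECT nid FROM {node} WHERE title = :title',
    array(':title' => $title))->fetchCol();
}

/**
 * Placeholders bind values only. LIKE wildcards in user text still need
 * db_like(), and identifiers should come from the query builder, which
 * quotes them; an array value with 'IN' expands to a placeholder list.
 */
function lookup_nids_by_prefix($prefix, array $types) {
  return db_select('node', 'n')
    ->fields('n', array('nid'))
    ->condition('n.title', db_like($prefix) . '%', 'LIKE')
    ->condition('n.type', $types, 'IN')
    ->condition('n.status', NODE_PUBLISHED)
    ->addTag('node_access')   // apply node grants, as core listings do
    ->execute()
    ->fetchCol();
}

/**
 * Page callback throttled with the flood API, the mechanism core uses to
 * limit failed logins. Events are counted per name and, by default, per
 * client IP; pass an identifier as the last argument to count per user.
 */
function lookup_page($prefix) {
  $event = 'lookup_title_prefix';   // hypothetical event name
  $threshold = 20;                  // events allowed ...
  $window = 3600;                   // ... per window, in seconds
  if (!flood_is_allowed($event, $threshold, $window)) {
    watchdog('lookup', 'Rate limit hit from %ip.',
      array('%ip' => ip_address()), WATCHDOG_WARNING);
    return MENU_ACCESS_DENIED;
  }
  flood_register_event($event, $window);

  $items = array();
  $nids = lookup_nids_by_prefix($prefix, array('article', 'page'));
  foreach (node_load_multiple($nids) as $node) {
    $items[] = l($node->title, 'node/' . $node->nid);
  }
  return theme('item_list', array('items' => $items));
}
```

Coder's review rules flag the first form (a variable interpolated into a db_query() string); the second and third are what a peer review should expect to see.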
  6. Ecosystem security
     - Open-source & heavily peer-reviewed
     - Notification system for updates
     - Controlled repository access
     - Enhanced security through contrib modules

  7. Drupal vulnerabilities by popularity (reported in core and contrib SAs from June 1 2005 through March 20 2013)
     - XSS: 47%
     - CSRF: 11%
     - Access bypass: 19%
     - SQLi: 5%
     - Arbitrary code execution: 4%
     - Information disclosure: 3%
     - Other: 9%

  8. [Chart: Number of vulnerabilities by type, Drupal Core vs. Drupal Contrib Projects, for SAs reported June 1 2005 through March 20 2013. Categories: XSS, Access Bypass, CSRF, Authentication/Session, Arbitrary Code Execution, SQL Injection, Others. Y axis: 0 to 400.]

  9. Drupal in the wild
     Most vulnerabilities exist in:
     - Custom code (modules or themes)
     - Insecure configuration or practices
     - Running known vulnerable core/contrib
     Custom code is not well reviewed or tested

  10. Text formats
      - Formats run when displaying input
      - Filtered HTML for untrusted roles
      - Full HTML for completely trusted roles

  11. function my_callback() {
        $node = node_load(33);
        return theme('my_page', $node);
      }

      // Vulnerable: the node title is printed without escaping.
      function theme_my_page($node) {
        return '<div>' . $node->title . '</div>';
      }

  12. function my_callback() {
        $node = node_load(33);
        return theme('my_page', $node);
      }

      // Fixed: check_plain() escapes the title for an HTML context.
      function theme_my_page($node) {
        return '<div>' . check_plain($node->title) . '</div>';
      }

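Slides 10 to 12 together, as an added example that is not the slides' code: a hypothetical "summary" module renders a node in Drupal 7 style (theme() takes a variables array), and each piece of user-controlled text gets the one sanitizer that matches where it is printed. Stored rich text goes through check_markup() with the text format it was saved under, which is where the Filtered HTML / Full HTML distinction from slide 10 takes effect. Module and theme hook names and the imported-HTML property are assumptions; the functions called are Drupal 7 core API.

```php
<?php
// Added example, not from the slides. Module "summary", theme hook
// "summary_node" and the property $node->summary_imported_html are
// hypothetical; the sanitizers are Drupal 7 core API.

/**
 * Implements hook_theme().
 */
function summary_theme() {
  return array(
    'summary_node' => array('variables' => array('node' => NULL)),
  );
}

/**
 * Page callback. Unlike the slide's node_load(33), the nid comes from the
 * URL, so existence and access are both checked before rendering.
 */
function summary_page($nid) {
  $node = node_load($nid);
  if (!$node) {
    return MENU_NOT_FOUND;
  }
  if (!node_access('view', $node)) {
    return MENU_ACCESS_DENIED;
  }
  // Drupal 7: the second argument is an array of named variables.
  return theme('summary_node', array('node' => $node));
}

/**
 * Theme function. Every user-controlled string passes through exactly one
 * sanitizer chosen by its output context; nothing is escaped on the way in,
 * so the stored data stays usable in other contexts (feeds, JSON, mail).
 */
function theme_summary_node($variables) {
  $node = $variables['node'];

  // Plain text in HTML: escape everything (the fix shown on slide 12).
  $out = '<h2>' . check_plain($node->title) . '</h2>';

  // Link text: l() runs check_plain() itself, so pass the raw value and
  // never set 'html' => TRUE on text you have not sanitized.
  $out .= '<p>' . l($node->name, 'user/' . $node->uid) . '</p>';

  // Stored rich text: render with the text format it was saved under.
  // "Filtered HTML" strips tags outside its allow-list and repairs
  // malformed markup; "Full HTML" passes the author's markup through,
  // which is why only completely trusted roles may use it. A user must
  // never be able to submit a format that filter_access() denies them.
  $body = field_get_items('node', $node, 'body');
  if ($body) {
    $out .= '<div class="body">'
      . check_markup($body[0]['value'], $body[0]['format']) . '</div>';
  }

  // HTML from a source with no text format attached (a feed, a legacy
  // column): reduce it to a small allow-list instead of trusting it.
  if (!empty($node->summary_imported_html)) {
    $out .= '<div class="imported">'
      . filter_xss($node->summary_imported_html, array('a', 'em', 'strong', 'p'))
      . '</div>';
  }

  // t() placeholders: @ and % are run through check_plain() (% also gets
  // <em>), ! is inserted raw and must only carry already-safe markup.
  $out .= '<p>' . t('Last changed @date', array('@date' => format_date($node->changed))) . '</p>';

  return '<div class="summary">' . $out . '</div>';
}
```

The rule of thumb the block follows: check_plain() for text, check_markup() for stored rich text with its format, filter_xss() for HTML you did not store with a format, and l()/t() placeholders where core already escapes for you, so that no string is escaped twice and none is printed unescaped.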
  13. function my_page_callback($nid) {
        $node = node_load($nid);
        if (node_access('view', $node)) {
          return node_view($node);
        }
        else {
          return MENU_ACCESS_DENIED;
        }
      }

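The access check on slide 13, as an added example that is not the slides' code: a hypothetical "recent" module moves the node_access('view') check into the hook_menu() router entry, where Drupal applies it before the page callback and also uses it to hide menu links, and shows the listing form of access bypass (a hand-written query that ignores node grants) beside the fixed query tagged 'node_access'. The module name, paths and function names are assumptions; the APIs are Drupal 7 core.

```php
<?php
// Added example, not from the slides. Module "recent", its paths and
// function names are hypothetical; the APIs are Drupal 7 core.

/**
 * Implements hook_menu().
 *
 * Declaring access in the router entry rather than inside the page
 * callback means the check cannot be skipped by a code path that forgets
 * it, and the same rule governs menu links, tabs and breadcrumbs.
 */
function recent_menu() {
  $items['recent/node/%node'] = array(
    'title' => 'Node summary',
    'page callback' => 'recent_node_page',
    'page arguments' => array(2),
    // The same test as the slide's node_access('view', $node), applied by
    // the router. %node runs node_load(); a bad nid is a 404 before this.
    'access callback' => 'node_access',
    'access arguments' => array('view', 2),
  );
  $items['recent/list'] = array(
    'title' => 'Recently changed',
    'page callback' => 'recent_list_page',
    // A permission alone is enough for the page; per-node access is
    // applied inside the query below.
    'access arguments' => array('access content'),
  );
  return $items;
}

function recent_node_page($node) {
  return node_view($node);
}

/**
 * ACCESS BYPASS: a listing that reads {node} directly returns unpublished
 * nodes and nodes restricted by node-access modules to anyone who can
 * reach the page, even though node/NID itself would refuse them.
 */
function recent_nids_insecure() {
  return db_query('SELECT nid FROM {node} ORDER BY changed DESC LIMIT 10')->fetchCol();
}

/**
 * FIXED: filter on status and tag the query 'node_access', so that
 * node_query_node_access_alter() joins {node_access} and applies the
 * current user's grants, exactly as core listings do.
 */
function recent_nids() {
  return db_select('node', 'n')
    ->fields('n', array('nid'))
    ->condition('n.status', NODE_PUBLISHED)
    ->orderBy('n.changed', 'DESC')
    ->range(0, 10)
    ->addTag('node_access')
    ->execute()
    ->fetchCol();
}

function recent_list_page() {
  $items = array();
  foreach (node_load_multiple(recent_nids()) as $node) {
    // l() escapes the title; node/%nid is guarded by node_access().
    $items[] = l($node->title, 'node/' . $node->nid);
  }
  return theme('item_list', array('items' => $items));
}
```

When reviewing custom modules, look for hook_menu() entries with 'access callback' => TRUE and for queries against {node} that carry no 'node_access' tag; those are the two places this class of bug usually lives.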
  14. Drupal Security Team
      - Volunteers (but often not their time)
      - Security professionals & enthusiasts
      - Dedicated for 8 years
      - Publish Security Advisories for Drupal

  15. Issue process
      - Vulnerability report
      - Validation
      - Contact maintainer to write fix
      - Review
      - Coordinate and write SA
      - Commit fix and publish release and SA

  16. Issue process
      - If the maintainer doesn't respond, the project may be marked unsupported
      - Team duties do not include reviewing all code

  17. Security Team
      - Team duties do not include reviewing all code
      - Looking for more team members ;)

  18. Steps to a mostly automated review
      - Configuration analysis using Security Review
      - Check for modified files with Hacked! module
      - Static code analysis using Coder module
      - Basic pen-testing using "Vuln" Feature
      More: drupalscout.com/node/11