Upgrade to Pro — share decks privately, control downloads, hide ads and more …

A CMO’s guide to open source security

A CMO’s guide to open source security

There’s undeniable value in the promise of innovation and efficiency that open source software brings to your marketing tech stack.
Yet, as open source software continues to become widely adopted, adhering to security standards is becoming more challenging. The costly threat of a website hack and/or exposing private customer data to the world is enough to keep anyone up at night. So what's a CMO to do?
This session will answer that by covering the following topics:

* Strategy foundation: culture and automation
* Create security policies with clear expectations
* Update security releases promptly
* Other considerations, including security audits, regulation and compliance, API management, and hosting and security posture

Presented at DrupalCon 2021


Mark Shropshire

April 19, 2021


  1. A CMO’s guide to open source security April 12, 2021

  2. The Open Source Expansion Partner

  3. Our vision is to empower every person on the planet

    with the innovative freedom and community impact that open-source technology offers. Our Vision
  4. Krista Trovato Director of Development /in/kristatrovato • From Pittsburgh, PA

    reside in Middletown, MD • 20+ years of experience as a technical team leader • Fosters a culture of quality among technical teams • Passionate about building repeatable processes • I worked on Photoshop 4 Skills • Drupal • Internet Security • Team Building • Quality Assurance • Automation • DevOps
  5. Mark Shropshire Senior Director of Development /in/markshropshire @shrop • From

    Concord, North Carolina • 20+ years of experience as a technical team leader • Loves empowering teams to excel while using best of class open source technology solutions. • Passionate about personal and team growth through mentorship, aligning individual purpose with Mediacurrent’s vision • Plays sax, drums, keys, and bass and has a list of other instruments that he would love to learn! Skills • Drupal • Security • DevOps • Flutter • Acquia Site Factory • Leadership
  6. 1. Strategy Foundation: Culture and Automation 2. Create Security Policies

    with Clear Expectations 3. Update Security Releases Promptly 4. Other Considerations 5. Q&A Today’s Agenda
  7. Reference

  8. Reference

  9. Strategy Foundation: Culture and Automation

  10. Security-First means going beyond compliance to assess risk. It’s both

    a cultural mindset and a continuous development approach that’s rooted in process automation.
  11. Security-First Planning • Proactive and collaborative approach with stakeholders •

    Layered defense • Architecture reviews • Code reviews • Automated testing • Continuous improvements • Security audits (one-offs and ongoing) • Documentation
  12. Create a Security Team This group should be charged with

    updating policies, making recommendations, assessing security releases for mitigations, and helping automate security processes.
  13. | 13 Process Automation Continuous Integration Examples • drush pm:security

    • Security Review • OWASP Zap Baseline Scan Mediacurrent Bitbucket Pipelines
  14. Create Security Policies with Clear Expectations

  15. If your organization doesn’t have a formal security policy in

    place, chances are security hasn’t been high on your priority list. Creating a policy will elevate its priority among your team.
  16. | 16 Security Policy Checklist Code linting Virus and malware

    scanning Code library version checks Passive and active scanning Application and infrastructure security updates Incident response plan
  17. | 17 Top 10 Web Application Security Risks Injection Broken

    Authentication Sensitive Data Exposure XML External Entities (XXE) Broken Access Control Security Misconfiguration Cross-Site Scripting XSS Insecure Deserialization Using Components with Known Vulnerabilities Insufficient Logging & Monitoring https:/ /owasp.org/www-project-top-ten
  18. | 18 • Security Review - Security Misconfiguration • Input

    Filters* - Cross-Site Scripting XSS • Automated Logout - Broken Access Control, Broken Authentication • Captcha & HoneyPot - Cross-Site Scripting XSS & Spam These modules protect from the OWASP vulnerabilities: • Security Kit - Security Misconfiguration • Session Limit - Broken Access Control, Broken Authentication • Username Enumeration Prevention - Sensitive Data Exposure Must Have Drupal Security Modules *Included in Drupal Core
  19. | 19 These modules will help you pass a corporate

    audit and promote best practices: • Coder • Generate Password • Logging and Alerts • Secure Login • Password Policy • Flood Control • Hacked • Login Security • HTML Purifier • Content Security Policy Additional Security Modules
  20. Guardr is a Drupal distribution with a combination of modules

    and settings to enhance a Drupal application's security and availability to meet enterprise security requirements. Guardr incorporates industry best practices from security standards, regulatory controls, and security certifications. https:/ /drupal.org/project/guardr Drupal Slack: #contrib-guardr
  21. Update Security Releases Promptly

  22. Drupal Security Team • Resolves reported security issues in Security

    Advisories • Provides assistance for contributed module maintainers in resolving security issues • Provides documentation on how to write secure code • Provides documentation on securing your site • Help the infrastructure team to keep the drupal.org secure • https:/ /www.drupal.org/security-team
  23. Keep open source projects up to date with the latest

    non-security releases to prevent regressions when security updates are released.
  24. | 24 Monitor Drupal Security Advisories • Drupal core •

    Drupal contrib projects • Public service announcements • Notifications via email and RSS • Follow @drupalsecurity on Twitter • Drupal Slack #security-questions • Read SA documentation https:/ /www.drupal.org/security
  25. Other Considerations

  26. Module Selection • Module Usage • Issue Queue Activity •

    Security • Manual Review and Testing • Release Status • Commit Activity • Project information • Risk Assessment • Benefit A Guide to Drupal Module Evaluation
  27. Use Drupal APIs Use Drupal APIs to secure your contrib

    and custom code. https:/ /api.drupal.org/api/drupal Writing secure code for Drupal
  28. | 28 A few more items... Hosting and Security Posture

    Regulation and Compliance API Management Consider a Security Audit
  29. | 29 Secure your open source-based martech stack with this

    resource for best practices. Includes a free security incident response form template http:/ /bit.ly/open-source-security Download Now CMO’s Guide to Open Source Security
  30. Reach out with any questions! Stop by the Mediacurrent DrupalCon

    booth to continue the conversation. mediacurrent.com/contact-us mediacurrent.com/security Q&A
  31. @Mediacurrent Mediacurrent @Mediacurrent MediacurrentDrupal Mediacurrent.com @Mediacurrent Thank You!