A CMO’s guide to open source security

Transcript

1. A CMO’s guide to open source security April 12, 2021

2. The Open Source Expansion Partner

3. Our vision is to empower every person on the planet

   with the innovative freedom and community impact that open-source technology offers. Our Vision

4. Krista Trovato Director of Development /in/kristatrovato • From Pittsburgh, PA

   reside in Middletown, MD • 20+ years of experience as a technical team leader • Fosters a culture of quality among technical teams • Passionate about building repeatable processes • I worked on Photoshop 4 Skills • Drupal • Internet Security • Team Building • Quality Assurance • Automation • DevOps

5. Mark Shropshire Senior Director of Development /in/markshropshire @shrop • From

   Concord, North Carolina • 20+ years of experience as a technical team leader • Loves empowering teams to excel while using best of class open source technology solutions. • Passionate about personal and team growth through mentorship, aligning individual purpose with Mediacurrent’s vision • Plays sax, drums, keys, and bass and has a list of other instruments that he would love to learn! Skills • Drupal • Security • DevOps • Flutter • Acquia Site Factory • Leadership

6. 1. Strategy Foundation: Culture and Automation 2. Create Security Policies

   with Clear Expectations 3. Update Security Releases Promptly 4. Other Considerations 5. Q&A Today’s Agenda

7. Reference

8. Reference

9. Strategy Foundation: Culture and Automation

10. Security-First means going beyond compliance to assess risk. It’s both

    a cultural mindset and a continuous development approach that’s rooted in process automation.

11. Security-First Planning • Proactive and collaborative approach with stakeholders •

    Layered defense • Architecture reviews • Code reviews • Automated testing • Continuous improvements • Security audits (one-offs and ongoing) • Documentation

12. Create a Security Team This group should be charged with

    updating policies, making recommendations, assessing security releases for mitigations, and helping automate security processes.

13. | 13 Process Automation Continuous Integration Examples • drush pm:security

    • Security Review • OWASP Zap Baseline Scan Mediacurrent Bitbucket Pipelines

14. Create Security Policies with Clear Expectations

15. If your organization doesn’t have a formal security policy in

    place, chances are security hasn’t been high on your priority list. Creating a policy will elevate its priority among your team.

16. | 16 Security Policy Checklist Code linting Virus and malware

    scanning Code library version checks Passive and active scanning Application and infrastructure security updates Incident response plan

17. | 17 Top 10 Web Application Security Risks Injection Broken

    Authentication Sensitive Data Exposure XML External Entities (XXE) Broken Access Control Security Misconfiguration Cross-Site Scripting XSS Insecure Deserialization Using Components with Known Vulnerabilities Insufficient Logging & Monitoring https:/ /owasp.org/www-project-top-ten

18. | 18 • Security Review - Security Misconfiguration • Input

    Filters* - Cross-Site Scripting XSS • Automated Logout - Broken Access Control, Broken Authentication • Captcha & HoneyPot - Cross-Site Scripting XSS & Spam These modules protect from the OWASP vulnerabilities: • Security Kit - Security Misconfiguration • Session Limit - Broken Access Control, Broken Authentication • Username Enumeration Prevention - Sensitive Data Exposure Must Have Drupal Security Modules *Included in Drupal Core

19. | 19 These modules will help you pass a corporate

    audit and promote best practices: • Coder • Generate Password • Logging and Alerts • Secure Login • Password Policy • Flood Control • Hacked • Login Security • HTML Purifier • Content Security Policy Additional Security Modules

20. Guardr is a Drupal distribution with a combination of modules

    and settings to enhance a Drupal application's security and availability to meet enterprise security requirements. Guardr incorporates industry best practices from security standards, regulatory controls, and security certifications. https:/ /drupal.org/project/guardr Drupal Slack: #contrib-guardr

21. Update Security Releases Promptly

22. Drupal Security Team • Resolves reported security issues in Security

    Advisories • Provides assistance for contributed module maintainers in resolving security issues • Provides documentation on how to write secure code • Provides documentation on securing your site • Help the infrastructure team to keep the drupal.org secure • https:/ /www.drupal.org/security-team

23. Keep open source projects up to date with the latest

    non-security releases to prevent regressions when security updates are released.

24. | 24 Monitor Drupal Security Advisories • Drupal core •

    Drupal contrib projects • Public service announcements • Notifications via email and RSS • Follow @drupalsecurity on Twitter • Drupal Slack #security-questions • Read SA documentation https:/ /www.drupal.org/security

25. Other Considerations

26. Module Selection • Module Usage • Issue Queue Activity •

    Security • Manual Review and Testing • Release Status • Commit Activity • Project information • Risk Assessment • Benefit A Guide to Drupal Module Evaluation

27. Use Drupal APIs Use Drupal APIs to secure your contrib

    and custom code. https:/ /api.drupal.org/api/drupal Writing secure code for Drupal

28. | 28 A few more items... Hosting and Security Posture

    Regulation and Compliance API Management Consider a Security Audit

29. | 29 Secure your open source-based martech stack with this

    resource for best practices. Includes a free security incident response form template http:/ /bit.ly/open-source-security Download Now CMO’s Guide to Open Source Security

30. Reach out with any questions! Stop by the Mediacurrent DrupalCon

    booth to continue the conversation. mediacurrent.com/contact-us mediacurrent.com/security Q&A

31. @Mediacurrent Mediacurrent @Mediacurrent MediacurrentDrupal Mediacurrent.com @Mediacurrent Thank You!