
Building Secure and Available Drupal Applications with Guardr

Guardr is a Drupal distribution with a combination of modules and settings to enhance a Drupal application's security and availability to meet enterprise security requirements. Presentation attendees will learn about Guardr's philosophy, features, and how to start new projects with Guardr.

First presented at Drupal Camp Asheville 2016

Mark Shropshire

August 13, 2016

Transcript

  1. Intros

    Mark Shropshire (shrop), @shrop, Open Source Security Lead, /in/markshropshire. Mark brings 20 years of experience leading technical teams to his role as Mediacurrent's Open Source Security Lead. He is a leader in tech community organizing, blogging, podcasting, and public speaking within the Drupal community. Mark is passionate about architecting systems to solve workflow problems and improve efficiencies using open source software. Mark is the maintainer of the Guardr Drupal security module suite. Over his 20-year career leading technical teams, Mark gained experience in IT roles at a large urban research university and a nationally recognized, award-winning graphic communications company.
  2. About Mediacurrent

    Mediacurrent helps organizations build highly impactful, elegantly designed Drupal websites that achieve the strategic results they need. • Single-source provider • Specializing in Drupal since 2007 • Headquartered in Atlanta, GA • Team of 60+ Drupal experts including development, design and strategy • Clients include large enterprises and high-profile global brands
  3. What is Guardr? / What is a Drupal distribution?

    Distributions are full copies of Drupal that include Drupal Core, along with additional software such as themes, modules, libraries, and installation profiles. https://www.drupal.org/documentation/build/distributions
  4. What is Guardr? / Drupal security distribution

    Guardr is a Drupal distribution with a combination of modules and settings to enhance a Drupal application's security and availability to meet enterprise security requirements. https://drupal.org/project/guardr
  5. What is Guardr? / Philosophy

    Guardr follows the CIA information security triad: confidentiality, integrity and availability. From Wikipedia: For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. https://en.wikipedia.org/wiki/Information_security#Key_concepts
  6. Guardr for Drupal 8 and Drupal 7

    Guardr for Drupal 8: ★ Composer-based install and updates ★ Packagist support ★ Currently in development release. Guardr for Drupal 7: ★ Drush make based install ★ Profiler for sub-install profiles ★ Stable release
  7. “If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.” — Richard Clarke

    “The key to social engineering is influencing a person to do something that allows the hacker to gain access to information or your network.” — Kevin Mitnick
  8. “Security is always excessive until it's not enough.” — Robbie Sinclair, Head of Security, Country Energy, NSW Australia

    “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards.” — Gene Spafford
  9. Why Guardr? / Isn’t Drupal secure?

    Q: Isn’t Drupal secure? A: Drupal continues to improve, but no system is 100% secure. Guardr hardens Drupal.
  10. Why Guardr?

    Users, system complexity, and the balance between security and usability make infosec very challenging.
  11. Why Guardr?

    Guardr incorporates industry best practices from security standards, regulatory controls, and security certifications: PCI DSS, ISO/IEC 27001, CISSP, FERPA, HIPAA.
  12. Why Guardr? / Drupal 8 security

    • Twig template engine (prevents SQL injection and XSS) • Improved session ID and user session management • CSRF token protection for the routing system • Default clickjacking prevention • PHP can only send one query to MySQL at a time (prevents SQL injection) • Configurable trusted host patterns (protects against HTTP Host header attacks)
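The trusted host patterns item above is a setting in the site's settings.php. The following is an added example, not from the slides or the Guardr project: it shows the weak state (the setting left unset) beside a restricted configuration, and a small hostIsTrusted() helper, constructed for this example, that mirrors how Drupal matches the Host header against the patterns (case-insensitive regular expressions). The hostnames in it are constructed sample values.

```php
<?php
// Added example (not from the slides or Guardr): Drupal 8 trusted host
// patterns in sites/default/settings.php.

// Weak: leaving $settings['trusted_host_patterns'] unset means Drupal
// accepts any Host header, so absolute URLs built from the request host
// (for example links in password-reset emails) can be attacker-controlled.
// $settings['trusted_host_patterns'] = [];

// Hardened: only the hostnames this site actually serves. Each entry is a
// case-insensitive regular expression; anchor it so that a host such as
// "example.com.evil.test" does not match.
$settings['trusted_host_patterns'] = [
  '^www\.example\.com$',
  '^example\.com$',
];

/**
 * Illustrative helper (constructed for this example) mirroring how Drupal
 * validates the Host header: every configured pattern is tried as a
 * case-insensitive regex, and a request whose host matches none is
 * answered with HTTP 400 instead of being served.
 */
function hostIsTrusted(string $host, array $patterns): bool {
  if (empty($patterns)) {
    // No patterns configured: every host is trusted (the weak state).
    return TRUE;
  }
  foreach ($patterns as $pattern) {
    if (preg_match('{' . $pattern . '}i', $host) === 1) {
      return TRUE;
    }
  }
  return FALSE;
}

// Constructed sample Host header values.
$samples = [
  'www.example.com',        // trusted
  'EXAMPLE.COM',            // trusted: matching is case-insensitive
  'example.com.evil.test',  // rejected: the anchored pattern does not match
  'evil.test',              // rejected
];

foreach ($samples as $host) {
  $verdict = hostIsTrusted($host, $settings['trusted_host_patterns'])
    ? 'trusted'
    : 'rejected (HTTP 400)';
  printf("%-25s %s\n", $host, $verdict);
}
```

The patterns are regular expressions, not literal hostnames, so an unanchored entry such as `example\.com` would also accept `example.com.evil.test`; the `^` and `$` anchors are the part practitioners most often forget.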
  13. Demos / Build and install Guardr for Drupal 7

    • $ drush --no-patch-txt make build-guardr.make web • $ drush qd --root=web --use-existing --profile=guardr --watchdog --yes
  14. Demos / Build and install Guardr for Drupal 8

    • $ composer install • $ cd web • $ drush qd --root=./ --use-existing --profile=guardr --watchdog --yes
  15. Get involved!

    A big thanks to all of the Guardr contributors and supporting organizations. Credit: CC image courtesy of pdjohnson on Flickr
  16. Get involved / How can I help?

    • Writing documentation • Support Guardr users on Drupal 7 and/or Drupal 8 • Testing patches and updates • Developing new features and updates
  17. Get involved / How can I get involved?

    • The issue queue: https://www.drupal.org/project/issues/guardr • Join our Slack group: http://guardr-slack-invites.herokuapp.com • Drupal.org, ways to get involved: https://www.drupal.org/contribute • Join the Drupal security team: https://security.drupal.org/join