Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Sleep Better at Night with a Secure Drupal Site

Mark Shropshire
February 19, 2021
Technology
0
53

Sleep Better at Night with a Secure Drupal Site

Are you losing sleep, worrying about your Drupal site’s security? That isn’t healthy! With Drupal being used for building websites and applications in government, non-profits, higher education, and corporate enterprises, it is important to make sure that projects follow regulatory and organizational security controls. Are you ready to learn how to take immediate steps to improve the security of your Drupal installation? Great, let’s get get started.

This session will provide the details you need to create a security-first plan to enhance Drupal’s strong security foundation with community-contributed modules. Attendees will learn how to leverage these community contributions to ensure Drupal’s ability to provide confidentiality, integrity, and availability for your users.

Drupal core and contributed module security enhancements will be demonstrated live. These demonstrations will show how to address many of the concerns listed in the globally recognized OWASP Top 10 Web Application Security Risks document. In addition, attendees will learn how to keep up with official security announcements from the Drupal Security Team, understand Drupal security advisories, and find resources to learn more about Drupal security.

Security risks and improvements covered

Attack surface reduction
Broken Access Control
Cross-Site Scripting XSS
Insufficient logging & monitoring
Password policies
Security misconfiguration
Using components with known vulnerabilities

Presented by shrop at Florida Drupal Camp 2021

Mark Shropshire

February 19, 2021
Tweet

More Decks by Mark Shropshire

See All by Mark Shropshire
Looking to Test Decoupled Sites? Get Ready to Be Impressed with Cypress!
shrop
0
12
Looking to Test Decoupled Sites? Get Ready to Be Impressed with Cypress!
shrop
0
19
Looking to Test Decoupled Sites? Get Ready to Be Impressed with Cypress!
shrop
0
42
Creating a Modern, Scalable Open Source Platform with Decoupled Drupal
shrop
0
10
How Penn State News Leveraged Drupal and Gatsby for the Modern Web
shrop
0
16
How Penn State News Pivoted to Decoupled Drupal with Gatsby
shrop
0
16
Gatsby and Drupal at Scale: Higher Ed News Site
shrop
0
20
Mind Mapping: A Technique for Architecting Software
shrop
0
140
Penn State News: Pivoting to Decoupled Drupal with Gatsby
shrop
0
10

Other Decks in Technology

See All in Technology
**強い**エンジニアのなり方 - フィードバックサイクルを勝ち取る / grow one day each day
soudai
62
18k
開発生産性向上サービスを作るFindyが自分たちで開発生産性を爆上げした組織づくりの歩み / Findy's path to boosting its own development productivity 2024-04-17
ma3tk
3
350
GraphQL 成熟度モデルの紹介と、プロダクトに当てはめた事例 / GraphQL maturity model
mh4gf
6
450
クラウドサインにおけるプロダクトマネージャーの役割と開発プロセス / 20240410_cloudsign-PdM
bengo4com
1
690
コードを書く隙間を見つけて生きていく技術/Findy 思考の現在地
fujiwara3
24
5.3k
アクセシビリティを考慮したUI/CSSフレームワーク・ライブラリ選定
yajihum
2
650
反実仮想機械学習とは何か
usaito
PRO
7
2.5k
オブザーバビリティの Primary Signals
onk
PRO
0
550
Microsoft Cloudで 開発ライフサイクルを保護する
kkamegawa
0
150
Databricks におけるデータエンジニアリング
databricksjapan
0
380
Discord とビルダー&チャットボットの使い方 / How to use Discord and Builder & Chatbots
ks91
PRO
0
130
Hands-on / Kaname Frusawa / Cloud Compare Users Meetup 2024 at University of Tokyo on April 17
paraworld
2
480

Featured

See All Featured
Atom: Resistance is Futile
akmur
258
25k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
6
990
From Idea to $5000 a Month in 5 Months
shpigford
377
45k
How GitHub Uses GitHub to Build GitHub
holman
468
290k
Docker and Python
trallard
33
2.7k
Stop Working from a Prison Cell
hatefulcrawdad
266
19k
GraphQLの誤解/rethinking-graphql
sonatard
50
9.2k
Art, The Web, and Tiny UX
lynnandtonic
288
19k
GitHub's CSS Performance
jonrohan
1023
450k
Creatively Recalculating Your Daily Design Routine
revolveconf
209
11k
StorybookのUI Testing Handbookを読んだ
zakiyama
11
4.6k
In The Pink: A Labor of Love
frogandcode
138
21k

Transcript

  1. Sleep Better at Night with a Secure Drupal Site February

    19, 2021

  2. All attendees, speakers, sponsors, and volunteers at our conference are

    required to agree with the our code of conduct. We do not tolerate harassment of conference participants in any form. Please abide by our Code of Conduct https://www.fldrupal.camp/community/code-conduct https://www.fldrupal.camp

  3. Code of Conduct Contacts email [email protected] Mike Anello 321-396-2340 https://www.fldrupal.camp

    AmyJune Hineline 831-406-1130 #florida Drupal Slack channel Or email [email protected]

  4. 1. What’s Security-First? 2. Security and The Drupal Community 3.

    OWASP Top 10 Web Vulnerabilities 4. Drupal Best Practices and Solutions 5. Q&A Today’s Agenda

  5. Mark Shropshire Senior Director of Development /in/markshropshire @shrop • From

    Concord, North Carolina • 20+ years of experience as a technical team leader • Loves empowering teams to excel while using best of class open source technology solutions. • Passionate about personal and team growth through mentorship, aligning individual purpose with Mediacurrent’s vision • Plays sax, drums, keys, and bass and has a list of other instruments that he would love to learn! Skills • Drupal • Security • DevOps • Flutter • Acquia Site Factory • Leadership

  6. Open Source Expansion Partner

  7. To bring together the most talented team members to provide

    world-class solutions for the web. Our Mission

  8. What’s Security-First?

  9. | 9 What’s Security-First? Security-first means going beyond compliance to

    assess risk. It’s both a cultural mindset and a continuous development approach that’s rooted in process automation.

  10. Security-First Planning • Proactive and collaborative approach with stakeholders •

    Layered defense • Architecture reviews • Code reviews • Automated testing • Continuous improvements • Security audits (one-offs and ongoing) • Documentation

  11. | 11 Discovery Design Development Quality Assurance Deployment Support Digital

    strategy Wireframes Technical Architecture & Functional Specs Quality Assurance Test Cases Re-estimate Scope of Work Style Tiles Mood Boards Responsive Design Templates HTML Prototypes Module Configuration Custom Module Programming Custom Theme Development Front-End Framework Implementation Execute First Test Runs User Acceptance Testing (UAT) Execute Final Test Run Prepare Production Environment Sync Latest Files and Data Finalize Cache Settings Switch DNS Analytics/ Performance Evaluation Feature Enhancements Module Updates A/B Testing Security Throughout the Website Process

  12. Security and The Drupal Community

  13. Drupal Security Team • Resolves reported security issues in Security

    Advisories • Provides assistance for contributed module maintainers in resolving security issues • Provides documentation on how to write secure code • Provides documentation on securing your site • Help the infrastructure team to keep the drupal.org secure • https:/ /www.drupal.org/security-team

  14. Guardr is a Drupal distribution with a combination of modules

    and settings to enhance a Drupal application's security and availability to meet enterprise security requirements. Guardr incorporates industry best practices from security standards, regulatory controls, and security certifications. https:/ /drupal.org/project/guardr Drupal Slack: #contrib-guardr

  15. OWASP Top 10 Web Vulnerabilities

  16. | 16 Top 10 Web Application Security Risks Injection Broken

    Authentication Sensitive Data Exposure XML External Entities (XXE) Broken Access Control Security Misconfiguration Cross-Site Scripting XSS Insecure Deserialization Using Components with Known Vulnerabilities Insufficient Logging & Monitoring https:/ /owasp.org/www-project-top-ten

  17. Drupal Best Practices and Solutions

  18. Module Selection • Module Usage • Issue Queue Activity •

    Security • Manual Review and Testing • Release Status • Commit Activity • Project information • Risk Assessment • Benefit A Guide to Drupal Module Evaluation

  19. Use Drupal APIs Use Drupal APIs to secure your contrib

    and custom code. https:/ /api.drupal.org/api/drupal Writing secure code for Drupal

  20. | 20 Monitor Drupal Security Advisories • Drupal core •

    Drupal contrib projects • Public service announcements • Notifications via email and RSS • Follow @drupalsecurity on Twitter • Drupal Slack #security-questions • Read SA documentation https:/ /www.drupal.org/security

  21. | 21 Automated Testing Continuous Integration Examples • drush pm:security

    • Security Review • OWASP Zap Baseline Scan Mediacurrent Bitbucket Pipelines

  22. Demos • Drupal project page • Security Advisories • Attack

    surface reduction • Broken Access Control • Cross-Site Scripting XSS • Insufficient logging & monitoring • Password policies • Security misconfiguration • Using components with known vulnerabilities

  23. | 23 What’s inside: • Three foundations for maintaining and

    securing your website and tech stack • Checklist to define a security policy for your team • How to monitor for Drupal and WordPress security releases • Security incident response report (free template) https:/ /www.mediacurrent.com/ebooks/cmos-guide-open-sour ce-security Secure your open source-based martech stack with this resource for best practices. CMO’s Guide to Open Source Security

  24. Thank you! Reach out with any questions! mediacurrent.com/contact-us mediacurrent.com/security Q&A

  25. First-time contributor workshop • Mentored contribution • General contribution #DrupalContributions

    Contribution Day Saturday, February 20, 2021 12:00pm - 3:30pm https://www.fldrupal.camp/conference/contribution-day

  26. Planned Workshops • First-time contributor workshop • Introduction to Merge

    Requests • Mentored Tooling Contribution Day Saturday, February 20, 2021 12:00pm - 3:30pm https://www.fldrupal.camp/conference/contribution-day Planned Initiatives • Olivero Theme • SimplyTest • Drupal Recipes

  27. @Mediacurrent Mediacurrent @Mediacurrent MediacurrentDrupal Mediacurrent.com @Mediacurrent Thank You!