Protect Your Drupal Site Against Common Security Attacks

         @greggles
         greg.knaddison@acquia.com

Tuesday, October 25, 2011
Agenda

      • Security theory
           - general ideas
           - what it means to be a “Vendor”
           - what are other vendors doing?
      • Security Review module
      • Acquia Security Audits

Some General Theories
         • Vuln is not a problem until someone exploits it
         • Least privilege
         • Validate on input, filter on output
         • Out of band communication
              - Multi factor authentication
         • Logging
         • Defense in depth

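What "least privilege", "validate on input, filter on output" look like in Drupal 7's own API, as an added example that is not part of the slides: a small module with a permission-gated page, a form validation handler, a parameterised query and escaped output. The module name, path, and the {mysite_notes} table are hypothetical.

```php
<?php
// Added example (not from the deck). Drupal 7 APIs are used as documented;
// the module name, menu path and {mysite_notes} table are hypothetical.

/**
 * Implements hook_menu().
 *
 * Least privilege: 'access arguments' is passed to user_access(), so the page
 * is only reachable by roles that were granted the permission.
 */
function mysite_notes_menu() {
  $items['notes/%/search'] = array(
    'title' => 'Search notes',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('mysite_notes_search_form', 1),
    'access arguments' => array('access content'),
  );
  return $items;
}

/**
 * Form builder. $uid arrives from the URL and is untrusted until validated.
 */
function mysite_notes_search_form($form, &$form_state, $uid) {
  $form['uid'] = array('#type' => 'value', '#value' => $uid);
  $form['term'] = array(
    '#type' => 'textfield',
    '#title' => t('Search term'),
    '#maxlength' => 64,   // enforced server-side by the Form API
    '#required' => TRUE,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Search'));
  if (!empty($form_state['results'])) {
    // Items were already escaped in the submit handler.
    $form['results'] = array(
      '#markup' => theme('item_list', array('items' => $form_state['results'])),
    );
  }
  return $form;
}

/**
 * Validate on input: reject anything that cannot be a valid uid or term.
 */
function mysite_notes_search_form_validate($form, &$form_state) {
  if (!ctype_digit((string) $form_state['values']['uid'])) {
    form_set_error('uid', t('Invalid user id.'));
  }
  if (drupal_strlen(trim($form_state['values']['term'])) < 2) {
    form_set_error('term', t('Enter at least two characters.'));
  }
}

/**
 * Submit handler: bound query parameters, then filter on output.
 */
function mysite_notes_search_form_submit($form, &$form_state) {
  $uid = (int) $form_state['values']['uid'];
  $term = trim($form_state['values']['term']);

  // Placeholders are bound by the database layer, never string-interpolated;
  // db_like() escapes LIKE wildcards in the user's term.
  $rows = db_query(
    'SELECT title, body FROM {mysite_notes} WHERE uid = :uid AND title LIKE :term',
    array(':uid' => $uid, ':term' => '%' . db_like($term) . '%')
  );

  $items = array();
  foreach ($rows as $row) {
    // @title is HTML-escaped by t(); the body keeps only two harmless tags.
    $items[] = t('@title', array('@title' => $row->title)) . ' '
      . filter_xss($row->body, array('em', 'strong'));
  }
  if (empty($items)) {
    // The user's own input is echoed back escaped as well.
    $items[] = t('No notes match "@term".', array('@term' => $term));
  }
  $form_state['results'] = $items;
  $form_state['rebuild'] = TRUE;
}
```
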
Is Drupal secure enough?
         • DrupalSecurityReport.org
         • What is Drupal’s vendor process?

What is the flow?


         • Vulnerability introduced in code
         • Issue gets reported
         • Maintainer is notified & fixes
         • Review/discussion
         • Security Advisory written, commit, release
         • Release and announce
         • Deployed on all sites

What is public/private? (ideal case)

         • Vulnerability introduced in code
         • Issue gets reported
         • Maintainer is notified & fixes                 [Private]
         • Review/discussion
         • Security Advisory written, commit, release
         • Release and announce
         • Deployed on all sites                          [Public]

Where are you at risk?


         • Vulnerability introduced in code
         • Issue gets reported
         • Maintainer is notified & fixes
         • Review/discussion
         • Security Advisory written, commit, release
         • Release and announce
         • Deployed on all sites

Disclosure concepts


         • Full disclosure:
              - immediately disclose to world
              - Allow people to fix/protect themselves
         • Responsible disclosure:
              - Disclose to vendor privately
              - Wait up to 6 months for vendor fix/announcement
               - Patch available with news

Where are you at risk? (FD: full disclosure)

         • Vulnerability introduced in code
         • Issue gets reported
         • Maintainer is notified & fixes
         • Review/discussion
         • Security Advisory written, commit, release
         • Release and announce
         • Deployed on all sites

Where are you at risk? (RD: responsible disclosure)

         • Vulnerability introduced in code
         • Issue gets reported
         • Maintainer is notified & fixes
         • Review/discussion
         • Security Advisory written, commit, release
         • Release and announce
         • Deployed on all sites

Who is responsible?

         • Vulnerability introduced in code              dev
         • Issue gets reported                           researcher
         • Maintainer is notified & fixes                team
         • Review/discussion                             team+dev
         • Security Advisory written, commit, release
         • Release and announce
         • Deployed on all sites

Best practices as a vendor

         What is everyone else doing?

Comparing

      • Given enough eyeballs, all bugs are shallow.
      • Prevention of issues: education
      • Smooth reporting
      • Announce, deploy updates

Try this

      • search for
           - “write secure code $project_name”
           - “report security issue $project_name”
            - “security release $project_name”

      “This is not our policy.... We are proud of our track record of quickly
      releasing critical security patches, often in days. We work hard to
      ship fixes as fast as possible because it keeps people safe.”
                                                             Mozilla Security Blog

      2010 revenue: $104,000,000+; expenses: $60,000,000+

Chrome, Firefox bounties

      • Mozilla: $0 to $3,000
        http://www.mozilla.org/security/bug-bounty.html
      • Chrome: $500 to $3,133.7
        blog.chromium.org/2010/07/celebrating-six-months-of-chromium.html
      • Tipping Point Zero Day Initiative: $100 to $2,000+
      • Drupal: $0

Browser Updates

      • Blogs, tweets, mails and in app notifications
      • Automatic updates enabled by default
      • Download compressed binary diffs
      • Pretty reliable
                            (remember, $104,000,000/year budget)

WordPress


         • Usability focused
         • Blogging focused
         • Increasingly feature rich

Education/reporting

      • http://codex.wordpress.org/Category:WordPress_Development - zero security
      • E-mail based reporting system
      • Plugins
           - hosted anywhere
           - Plugins on WP.org not as rigorously reviewed
           - Plugins elsewhere not reviewed
           - Some in svn/Trac: plugins.trac.wordpress.org/browser/

Out of application notification tools

      • News for core: wordpress.org/news/category/security
      • No official, security-focused twitter (?)
      • Popularity + Limited official channel = NOISE

Github: Suzie’s System!

      • Github has no built-in facility
      • Project maintainers have to build it

      Infrastructure has value

Drupal


      • Focused on...
      • Can do whatever
      • Modules usually hosted on drupal.org
      • Project application process is rigorous, but flawed
      • Centralized code hosting git/gitweb drupalcode.org

Education/Reporting

      • Handbooks put security as a priority
      • New contributor process includes security review
           - Doesnʼt cover all projects
           - There are ways around it
      • E-mail based reporting process
           - no registration required
           - moving to optional ticket submission for improved efficiency

Out of application tools

      • Main handbook has solid security docs
      • News & feeds for core and contrib
      • Announcement e-mail list
      • @drupalsecurity, @drupal_security
      • Limited 3rd party noise

Security Review module

      • Freely available module
      • Identifies mistakes in permissions & configuration
      • Has drush integration
      • Hands on demo

         http://drupal.org/project/security_review

How Acquia Can Help


      • Acquia Security Audit
      • Acquia Insight

How Acquia Can Help

      • 1-week-long engagement
      • Most vulnerabilities are found in site-specific
           - themes
           - configurations
           - modules
      • Drupal core and contrib may be safe; is your code?

What do we do?

      • Automated static code analysis
      • Penetration testing
      • Public and Acquia-developed tools

What is the output?

Thanks!
    Questions?


    Contact:
    greg.knaddison@acquia.com
    @greggles

Photos
      •   http://www.flickr.com/photos/jdhancock/3760104591/
      •   http://www.flickr.com/photos/danielsphotography/466435567/
      •   http://www.flickr.com/photos/38485387@N02/3580728177/
      •   http://www.flickr.com/photos/tchi-tcha/2447184214
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 

Protect Your Drupal Site Against Common Security Attacks

  • 1. Protect Your Drupal Site Against Common Security Attacks
    @greggles
    greg.knaddison@acquia.com
    Tuesday, October 25, 2011
  • 2. Agenda
    • Security theory
      - general ideas
      - what it means to be a “Vendor”
      - what are other vendors doing?
    • Security Review module
    • Acquia Security Audits
  • 3. Some General Theories
    • Vuln is not a problem until someone exploits it
    • Least privilege
    • Validate on input, filter on output
    • Out of band communication
      - Multi factor authentication
    • Logging
    • Defense in depth
  • 8. Is Drupal secure enough?
    • DrupalSecurityReport.org
    • What is Drupalʼs vendor process?
  • 9. What is the flow?
    • Vulnerability introduced in code
    • Issue gets reported
    • Maintainer is notified & fixes
    • Review/discussion
    • Security Advisory written, commit, release
    • Release and announce
    • Deployed on all sites
  • 10. What is public/private? (*ideal case)
    • Vulnerability introduced in code
    • Issue gets reported
    • Maintainer is notified & fixes (Private)
    • Review/discussion
    • Security Advisory written, commit, release
    • Release and announce
    • Deployed on all sites (Public)
  • 11. Where are you at risk?
    • Vulnerability introduced in code
    • Issue gets reported
    • Maintainer is notified & fixes
    • Review/discussion
    • Security Advisory written, commit, release
    • Release and announce
    • Deployed on all sites
  • 12. Disclosure concepts
    • Full disclosure:
      - immediately disclose to world
      - Allow people to fix/protect themselves
    • Responsible disclosure:
      - Disclose to vendor privately
      - Wait up to 6 months for vendor fix/announcement
      - Patch available with news
  • 13. Where are you at risk? (FD)
    • Vulnerability introduced in code
    • Issue gets reported
    • Maintainer is notified & fixes
    • Review/discussion
    • Security Advisory written, commit, release
    • Release and announce
    • Deployed on all sites
  • 14. Where are you at risk? (RD)
    • Vulnerability introduced in code
    • Issue gets reported
    • Maintainer is notified & fixes
    • Review/discussion
    • Security Advisory written, commit, release
    • Release and announce
    • Deployed on all sites
  • 15. Who is responsible?
    • Vulnerability introduced in code (dev)
    • Issue gets reported (researcher)
    • Maintainer is notified & fixes (team)
    • Review/discussion (team+dev)
    • Security Advisory written, commit, release
    • Release and announce
    • Deployed on all sites
  • 16. Best practices as a vendor
    What is everyone else doing?
  • 18. Comparing
    • Given enough eyeballs, all bugs are shallow.
    • Prevention of issues: education
    • Smooth reporting
    • Announce, deploy updates
  • 19. Try this
    • search for
      - “write secure code $project_name”
      - “report security issue $project_name”
      - “security release $project_name”
  • 21. This is not our policy.... We are proud of our track record of quickly releasing critical security patches, often in days. We work hard to ship fixes as fast as possible because it keeps people safe.
    Mozilla Security Blog
    2010 revenue: $104,000,000+
    expenses: $60,000,000+
  • 22. Chrome, Firefox bounties
    • Mozilla: $0 to $3,000
      http://www.mozilla.org/security/bug-bounty.html
    • Chrome: $500 to $3,133.7
      blog.chromium.org/2010/07/celebrating-six-months-of-chromium.html
    • Tipping Point Zero Day Initiative: $100 to $2,000+
    • Drupal: $0
  • 23. Browser Updates
    • Blogs, tweets, mails and in app notifications
    • Automatic updates enabled by default
    • Download compressed binary diffs
    • Pretty reliable (remember, $104,000,000/year budget)
  • 24. WordPress
    • Usability focused
    • Blogging focused
    • Increasingly feature rich
  • 25. Education/reporting
    • http://codex.wordpress.org/Category:WordPress_Development
      - zero security
    • E-mail based reporting system
    • Plugins
      - hosted anywhere
      - Plugins on WP.org not as rigorously reviewed
      - Plugins elsewhere not reviewed
      - Some in svn/Trac: plugins.trac.wordpress.org/browser/
  • 29. Out of application notification tools
    • News for core: wordpress.org/news/category/security
    • No official, security-focused twitter (?)
    • Popularity + Limited official channel = NOISE
  • 30. Github: Suzieʼs System!
    • Github has no built-in facility
    • Project maintainers have to build it
    Infrastructure has value
  • 31. Drupal
    • Focused on...
    • Can do whatever
    • Modules usually hosted on drupal.org
    • Project application process is rigorous, but flawed
    • Centralized code hosting: git/gitweb, drupalcode.org
  • 32. Education/Reporting
    • Handbooks put security as a priority
    • New contributor process includes security review
      - Doesnʼt cover all projects
      - There are ways around it
    • E-mail based reporting process
      - no registration required
      - moving to optional ticket submission for improved efficiency
  • 37. Out of application tools
    • Main handbook has solid security docs
    • News & feeds for core and contrib
    • Announcement e-mail list
    • @drupalsecurity, @drupal_security
    • Limited 3rd party noise
  • 38. Security Review module
    • Freely available module
    • Identifies mistakes in permissions & configuration
    • Has drush integration
    • Hands on demo
    http://drupal.org/project/security_review
  • 39. How Acquia Can Help
    • Acquia Security Audit
    • Acquia Insight
  • 40. How Acquia Can Help
    • 1 week long engagement
    • Most vulnerabilities are found in site specific
      - themes
      - configurations
      - modules
    • Drupal core and contrib may be safe, is your code?
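The "validate on input, filter on output" principle from slide 3 and the "is your code?" question from slide 40, made concrete. This is an added example, not code from the deck, from Drupal core or from the Security Review module: a Drupal 7 style theme snippet that prints user-controlled values raw, beside the hardened version that escapes every value at the point of output, plus whitelist validation of a request parameter on input. The `$node` and `$_GET` values are constructed, the function names `render_teaser_unsafe()`, `render_teaser_safe()` and `validated_sort_column()` are hypothetical, and the fallback definition of `check_plain()` is a stand-in so the file runs outside a Drupal bootstrap (Drupal 7's own `check_plain()` is the same `htmlspecialchars()` call).

```php
<?php
// Added example (not from the slides, Drupal core or the Security Review
// module): the same theme output written unsafely and then hardened by
// filtering on output, plus whitelist validation of a request parameter.

// Constructed input standing in for attacker-controlled values: a node
// title set by an untrusted author and two query-string parameters.
$node = (object) array(
  'nid'   => 42,
  'title' => 'Hello <script>alert(1)</script>',
);
$_GET['q_text'] = '" onmouseover="alert(2)';
$_GET['sort']   = 'changed DESC; --';

// Stand-in so the file runs without a Drupal bootstrap (assumption):
// Drupal 7's check_plain() is exactly this htmlspecialchars() call.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// VULNERABLE: site-specific template code that prints its variables raw.
// The title injects a <script> tag; the search value closes the attribute
// and adds an event handler. Hypothetical function name.
function render_teaser_unsafe($node, $search) {
  return '<h2>' . $node->title . '</h2>' . "\n"
       . '<input type="text" name="q_text" value="' . $search . '">';
}

// HARDENED: identical markup, but every variable is escaped where it is
// printed. Text content and attribute values both go through check_plain();
// fields that are meant to carry limited HTML would go through filter_xss()
// with an explicit tag whitelist instead. Hypothetical function name.
function render_teaser_safe($node, $search) {
  return '<h2>' . check_plain($node->title) . '</h2>' . "\n"
       . '<input type="text" name="q_text" value="' . check_plain($search) . '">';
}

// Validate on input: a sort column is only meaningful if it names a real
// column, so accept it from a fixed whitelist and fall back otherwise.
// The accepted value can then be interpolated into ORDER BY, where a
// query placeholder cannot be used. Hypothetical function name.
function validated_sort_column($requested) {
  $allowed = array('title', 'created', 'changed');
  return in_array($requested, $allowed, TRUE) ? $requested : 'created';
}

echo "Unsafe output:\n" . render_teaser_unsafe($node, $_GET['q_text']) . "\n\n";
echo "Safe output:\n" . render_teaser_safe($node, $_GET['q_text']) . "\n\n";
echo "Sort column used: " . validated_sort_column($_GET['sort']) . "\n";
```

Run it with `php` on the command line and compare the two blocks of markup: the hardened version keeps the exact same template structure, so the fix is a matter of wrapping each variable, which is also what an audit of site-specific themes and modules looks for. Escaping belongs at the output boundary because the same stored value may later be printed into HTML text, an attribute, or a JavaScript string, and each context needs its own filtering.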
  • 41. What do we do?
    • Automated static code analysis
    • Penetration testing
    • Public and Acquia-developed tools
  • 42. What is the output?
  • 43. Thanks! Questions?
    Contact: greg.knaddison@acquia.com
    @greggles
  • 44. Photos
    • http://www.flickr.com/photos/jdhancock/3760104591/
    • http://www.flickr.com/photos/danielsphotography/466435567/
    • http://www.flickr.com/photos/38485387@N02/3580728177/
    • http://www.flickr.com/photos/tchi-tcha/2447184214