A bug's life - Drupal Application Security and Vulnerability Management
1. A bug’s life
Drupal Application Security and Vulnerability Management
Tatar Balazs Janos - @tatarbj
2. WHO AM I?
Tatar Balazs Janos
@tatarbj
Works with Drupal since 2007
CTO @ Petend
Drupal Security Correspondent @ European Commission
Active mentor @ Mentoring community group
Provisional member @ Drupal Security Team
SecOSdreamer @ Secure Open Source day
3. A bug’s life
Security awareness at work
4. SECURITY AWARENESS
Security measures at our work place
Programs to educate employees
Individual responsibilities for company security policies
Measures to audit these efforts
6. EASY-TO-IMPLEMENT STEPS
Hints for small businesses
Use different forms of media to reinforce the message
Highlight recent attacks in the news
Seek the services of a professional
7. Security issues are bugs with different severity and business impact.
8. The bug
Programming malfunction
Authentication / Authorization / Data confidentiality / Data integrity
No blame game!
9. The Eggs
Planning and Security by Design
10. PLANNING PHASE
At the start of every IT project
Budgeting issues
Continuous education
Iterative approach
12. Is the process surrounding this feature as safe as possible? In other words, is this a flawed process?
13. If I were evil, how would I abuse this feature?
14. Is the feature required to be on by default? If so, are there limits or options that could help reduce the risk from this feature?
15. SECURITY PRINCIPLES I.
First and second-parties
Minimize attack surface area
Establish secure defaults
Least privilege
Defense in depth
Fail securely
16. SECURITY PRINCIPLES II.
Third-parties
Don’t trust services
Separation of duties
Avoid security by obscurity
Keep security simple
Fix security issues correctly
17. The Caterpillar
Development iterations until the first release
18. Stakeholders' knowledge of basic principles, and of how they may be implemented in a software product, is vital to software security.
19. THE BASIC SKILLS
The secure mind-set
Protection from disclosure/alteration/destruction
Rights and privileges belonging to the requester
Ability to build historical evidence
Management of configuration, sessions and errors/exceptions
20. APPLICATION LEVEL SECURITY
Protection of your application
Validate and sanitize inputs on the server side (client-side checks help usability, not security)
Verify file upload functionality (real content type, size, server-chosen file name)
Use only current encryption and hashing algorithms
Check the randomness of the session identifier
Make sure third-party libraries are up to date and patched
Set a strong password policy
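The checklist above maps directly to code. The following is an added example written for this page in plain PHP; it is not code from the talk or from Drupal core. It uses only PHP's built-in functions (PDO with an in-memory SQLite database, finfo, password_hash, random_bytes) so it runs stand-alone with `php app_security.php`. The table name, the allowed upload types and the policy thresholds are assumptions for the demo. Inside Drupal the same jobs are done by the database layer's query placeholders, Html::escape()/Xss::filter() and the password hashing service.

```php
<?php
// Added example, not from the slides or Drupal core: plain-PHP versions of the
// application-level checks. Assumed for the demo: a `users` table, PNG/JPEG as
// the only allowed uploads, a 12-character minimum password length.
declare(strict_types=1);

// 1. Input handling: never build SQL from raw input; bind it as a parameter.
function find_user_vulnerable(PDO $db, string $name): array {
    // Vulnerable: $name = "x' OR '1'='1" returns every row.
    return $db->query("SELECT id, name FROM users WHERE name = '$name'")->fetchAll(PDO::FETCH_ASSOC);
}
function find_user_hardened(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Output encoding: escape for the context at output time (HTML body here).
function render_name(string $name): string {
    return '<span class="user">' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</span>';
}

// 3. File upload verification: trust neither the client file name nor the
// client MIME type. Sniff the content, match it to the extension allow-list,
// cap the size and let the server choose the stored name.
function validate_upload(string $tmpPath, string $clientName, int $maxBytes = 2 * 1024 * 1024): ?string {
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg'];
    if (!is_file($tmpPath) || filesize($tmpPath) > $maxBytes) {
        return null;
    }
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!isset($allowed[$detected])) {
        return null;
    }
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($ext !== $allowed[$detected] && !($ext === 'jpeg' && $detected === 'image/jpeg')) {
        return null; // extension does not match the sniffed type (e.g. shell.php)
    }
    return bin2hex(random_bytes(16)) . '.' . $allowed[$detected];
}

// 4. Current hashing and randomness: password_hash() (bcrypt/argon2) for
// passwords, random_bytes() (the CSPRNG) for session identifiers and tokens.
function store_password(string $plain): string {
    return password_hash($plain, PASSWORD_DEFAULT);
}
function check_password(string $plain, string $hash): bool {
    return password_verify($plain, $hash);
}
function new_session_id(): string {
    return bin2hex(random_bytes(32)); // 256 bits, not uniqid()/mt_rand()
}

// 5. Password policy: length first, then breadth of character classes.
function password_policy_errors(string $pw): array {
    $errors = [];
    if (strlen($pw) < 12) $errors[] = 'at least 12 characters';
    if (!preg_match('/[a-z]/', $pw) || !preg_match('/[A-Z]/', $pw)) $errors[] = 'upper and lower case';
    if (!preg_match('/\d/', $pw)) $errors[] = 'a digit';
    return $errors;
}

// --- demo on constructed data -------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");
$probe = "x' OR '1'='1";
printf("rows for injection probe: vulnerable=%d hardened=%d\n",
    count(find_user_vulnerable($db, $probe)), count(find_user_hardened($db, $probe)));
echo render_name('<script>alert(1)</script>'), "\n";

// Constructed upload: PNG signature plus an IHDR chunk, enough for finfo to sniff.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "\x89PNG\r\n\x1a\n" . pack('N', 13) . 'IHDR'
    . pack('NN', 1, 1) . "\x08\x06\x00\x00\x00" . "\x00\x00\x00\x00");
var_dump(validate_upload($tmp, 'avatar.png'));
var_dump(validate_upload($tmp, 'shell.php'));
unlink($tmp);

$hash = store_password('correct horse battery staple');
var_dump(check_password('correct horse battery staple', $hash));
var_dump(check_password('wrong', $hash));
echo new_session_id(), "\n";
print_r(password_policy_errors('short'));
```

The injection probe is the quickest way to see the first item: the string-built query returns both rows, the prepared one returns none. The upload check deliberately compares the sniffed type against the extension rather than trusting either alone, which is what stops a PHP file renamed to `.png` and a real PNG uploaded as `shell.php`.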
21. INFRASTRUCTURE LEVEL SECURITY
Protection of your host
Use HTTPS for domain entries
Do not allow for directory listing
Use TLS not SSL
Hide web server information
22. WEB SECURITY PRACTICES
Protection of your users
Encode request/response
Do not store sensitive data inside cookies
Set secure and HttpOnly flags in cookies
Do not store sensitive information in a form’s hidden fields
Set secure response headers
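Most of the host-level items of the INFRASTRUCTURE LEVEL SECURITY slide and the user-level items of the WEB SECURITY PRACTICES slide are visible in a single HTTP response (the TLS version and directory listing are not; check those with `openssl s_client` and a request for a directory URL). The script below is an added example for this page, not part of the talk: it parses a raw response and reports the missing protections. Both responses are constructed for the demo; the header names and Drupal's SESS/SSESS session cookie prefixes are real, the values are assumed. In practice feed it the output of `curl -si https://your-site/`.

```php
<?php
// Added example, not from the talk: audit one HTTP response for the
// host-protection and user-protection items on the two slides.
declare(strict_types=1);

// Split a raw response into status line and a lower-cased header map.
function parse_response(string $raw): array {
    $head = explode("\r\n\r\n", $raw, 2)[0];
    $lines = explode("\r\n", $head);
    $status = array_shift($lines);
    $headers = []; // name (lower-case) => list of values
    foreach ($lines as $line) {
        if (strpos($line, ':') === false) continue;
        [$name, $value] = explode(':', $line, 2);
        $headers[strtolower(trim($name))][] = trim($value);
    }
    return ['status' => $status, 'headers' => $headers];
}

// Set-Cookie attributes the slides ask for: Secure and HttpOnly (plus SameSite).
function cookie_findings(array $setCookies): array {
    $out = [];
    foreach ($setCookies as $cookie) {
        $parts = array_map('trim', explode(';', $cookie));
        $name = explode('=', array_shift($parts), 2)[0];
        $attrs = array_map('strtolower', $parts);
        if (!in_array('secure', $attrs, true))   $out[] = "cookie $name: missing Secure";
        if (!in_array('httponly', $attrs, true)) $out[] = "cookie $name: missing HttpOnly";
        if (!preg_grep('/^samesite=(lax|strict)$/', $attrs)) $out[] = "cookie $name: SameSite not Lax/Strict";
    }
    return $out;
}

function header_findings(array $headers): array {
    $out = [];
    // Host protection: transport pinned to HTTPS, no server/framework banner.
    if (!isset($headers['strict-transport-security'])) $out[] = 'missing Strict-Transport-Security';
    foreach (['server', 'x-powered-by', 'x-generator'] as $banner) {
        if (isset($headers[$banner]) && $headers[$banner][0] !== '') {
            $out[] = "$banner discloses: " . $headers[$banner][0];
        }
    }
    // User protection: secure response headers.
    if (!isset($headers['content-security-policy'])) $out[] = 'missing Content-Security-Policy';
    if (strtolower($headers['x-content-type-options'][0] ?? '') !== 'nosniff') {
        $out[] = 'X-Content-Type-Options is not nosniff';
    }
    if (!isset($headers['x-frame-options'])
        && !preg_grep('/frame-ancestors/', $headers['content-security-policy'] ?? [])) {
        $out[] = 'no clickjacking protection (X-Frame-Options or CSP frame-ancestors)';
    }
    return array_merge($out, cookie_findings($headers['set-cookie'] ?? []));
}

// Constructed sample: a Drupal-style response before hardening.
$weak = "HTTP/1.1 200 OK\r\n"
      . "Server: Apache/2.4.41 (Ubuntu)\r\n"
      . "X-Powered-By: PHP/7.4.3\r\n"
      . "X-Generator: Drupal 8 (https://www.drupal.org)\r\n"
      . "Content-Type: text/html; charset=UTF-8\r\n"
      . "Set-Cookie: SESSabc123=deadbeef; path=/; HttpOnly\r\n"
      . "\r\n<html>...</html>";

// The same response after the fixes the slides ask for (assumed values).
$hardened = "HTTP/1.1 200 OK\r\n"
      . "Server: \r\n"
      . "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
      . "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
      . "X-Content-Type-Options: nosniff\r\n"
      . "Content-Type: text/html; charset=UTF-8\r\n"
      . "Set-Cookie: SSESSabc123=deadbeef; path=/; Secure; HttpOnly; SameSite=Lax\r\n"
      . "\r\n<html>...</html>";

foreach (['weak' => $weak, 'hardened' => $hardened] as $label => $raw) {
    $findings = header_findings(parse_response($raw)['headers']);
    echo "$label:\n";
    foreach ($findings ?: ['no findings'] as $f) {
        echo "  $f\n";
    }
}
```

The weak response shows the usual Drupal footprint: Server, X-Powered-By and X-Generator banners, a session cookie without Secure (Drupal switches the cookie name to the SSESS prefix once the site is served over HTTPS), and no HSTS or CSP. Clearing the banners alone does not make the site safer, but it removes the free version fingerprint that scanners use to pick an exploit.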
23. The Chrysalis
First releases of the application
24. VULNERABILITY ASSESSMENT
A forest of false-positive findings
Environmental conditions
Scanning of the application / infrastructure
Iterative approach to improve findings
Asset management
25. SECURITY ASSESSMENT
VA + manual verification
Looking to gain a broad coverage of the systems under test
No exploitation of vulnerabilities
Verification by authorized access
Examining logs, system responses, error messages, code, etc.
27. SECURITY AUDIT
VA + SA + Pentest
Driven by a risk function to look at specific compliance issues
Combination of different approaches
Characterized by a narrow scope
28. SECURITY REVIEW
Something different from the activities before
Verification that industry or internal security standards have been applied
Gap analysis, review of design documents and architecture diagrams
Activity that does not utilize any of the VA, SA, Pentest or Security audit approaches
29. The Butterfly
Maintenance releases and activities
35. TRUSTED SOURCES
Monitor regularly
Vendors, third party providers
National Vulnerability Database (NVD)
Common Vulnerabilities and Exposures (CVE)
... and the Drupal Security Team!
37. WHO AND HOW?
Difficulty and authentication
Access complexity
None (AC:N)
Basic (AC:B)
Complex (AC:C)
Authentication
None (A:N)
User (A:U)
Admin (A:A)
38. THE PILLARS OF INFORMATION SECURITY
The measurable elements
Confidentiality impact
All (CI:A)
Some (CI:S)
None (CI:N)
Integrity impact
All (II:A)
Some (II:S)
None (II:N)
40. CONDITIONS OF THE SURFACE
How does the application have to behave?
Exploit (zero-day impact)
Exploit (E:E)
Proof (E:P)
Theoretical (E:T)
Target distribution
All (TD:A)
Default (TD:D)
Uncommon (TD:U)
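The WHO AND HOW?, PILLARS OF INFORMATION SECURITY and CONDITIONS OF THE SURFACE slides list the six metrics of the Drupal Security Team's risk calculator; their sum places an advisory in a risk level. As an added example that is not the Security Team's own code, the PHP below parses a vector such as `AC:B/A:U/CI:S/II:S/E:T/TD:D` (the notation the slides use) and scores it, rejecting malformed, repeated or missing metrics. The per-value weights and the level boundaries are not on the slides; they are reproduced from the drupal.org risk-level definitions as I remember them and should be checked against that page before relying on them.

```php
<?php
// Added example, not the Drupal Security Team's code. Weights and level
// boundaries are reproduced from memory of the drupal.org risk calculator
// (assumption: verify against the published definitions).
declare(strict_types=1);

const WEIGHTS = [
    'AC' => ['N' => 4, 'B' => 2, 'C' => 1],   // access complexity: none / basic / complex
    'A'  => ['N' => 4, 'U' => 2, 'A' => 1],   // authentication: none / user / admin
    'CI' => ['A' => 5, 'S' => 3, 'N' => 0],   // confidentiality impact: all / some / none
    'II' => ['A' => 5, 'S' => 3, 'N' => 0],   // integrity impact: all / some / none
    'E'  => ['E' => 5, 'P' => 3, 'T' => 1],   // exploit: exploit / proof / theoretical
    'TD' => ['A' => 2, 'D' => 1, 'U' => 0],   // target distribution: all / default / uncommon
];

// Sum the weights of a vector like "AC:B/A:U/CI:S/II:S/E:T/TD:D"; 0..25.
function score_vector(string $vector): int {
    $w = WEIGHTS;
    $seen = [];
    $score = 0;
    foreach (explode('/', $vector) as $part) {
        if (!preg_match('/^([A-Z]+):([A-Z])$/', trim($part), $m)) {
            throw new InvalidArgumentException("malformed metric: $part");
        }
        [, $metric, $value] = $m;
        if (!isset($w[$metric][$value])) {
            throw new InvalidArgumentException("unknown metric or value: $part");
        }
        if (isset($seen[$metric])) {
            throw new InvalidArgumentException("metric repeated: $metric");
        }
        $seen[$metric] = true;
        $score += $w[$metric][$value];
    }
    $missing = array_diff(array_keys($w), array_keys($seen));
    if ($missing) {
        throw new InvalidArgumentException('missing metrics: ' . implode(', ', $missing));
    }
    return $score;
}

// Map the score to the advisory risk level (boundaries assumed, see above).
function risk_level(int $score): string {
    if ($score >= 20) return 'Highly critical';
    if ($score >= 15) return 'Critical';
    if ($score >= 10) return 'Moderately critical';
    if ($score >= 5)  return 'Less critical';
    return 'Not critical';
}

// Two constructed vectors: a stored XSS that needs a user account and has no
// public exploit, versus unauthenticated remote code execution with one.
$samples = [
    'AC:B/A:U/CI:S/II:S/E:T/TD:D',
    'AC:N/A:N/CI:A/II:A/E:E/TD:A',
];
foreach ($samples as $v) {
    $s = score_vector($v);
    printf("%-30s %2d/25  %s\n", $v, $s, risk_level($s));
}

// A vector with a typo must not silently score low.
try {
    score_vector('AC:B/A:U/CI:S/II:S/E:T');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

With the assumed weights the first vector scores 12 and lands in the middle band, the second scores the maximum; the point of the strict parser is that a vector missing a metric (here TD) is rejected rather than quietly scored lower, which matters when the score decides whether a fix ships as a regular release or a security advisory.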
41. SecOSdays
25-26 October, 2019 – Sofia, Bulgaria
Call For Sessions and Sponsors are
open!
Each test is approached using a consistent and complete methodology in a way that allows the tester to use their problem solving abilities, the output from a range of tools and their own knowledge of networking and systems to find vulnerabilities that would/ could not be identified by automated tools.