A bug’s life
Drupal Application Security and Vulnerability Management
Tatar Balazs Janos - @tatarbj
Tatar Balazs Janos
@tatarbj
Works with Drupal since 2007
CTO @ Petend
Drupal Security Correspondent @ European Commission
Active mentor @ Mentoring community group
Provisional member @ Drupal Security Team
SecOSdreamer @ Secure Open Source day
WHO AM I?
A bug’s life
Security awareness at work
Source: https://www.kisspng.com/png-flik-ant-insect-atta-the-walt-disney-company-bug-s-2727501/
SECURITY AWARENESS
Security measures at our work place
Programs to educate employees
Individual responsibilities for company security policies
Measures to audit these efforts
Source: http://www.bugs.org/dream/teachers/index.html
ORGANISATIONAL STRUCTURES
Top-down approach
Creating security policies
Assessing your company’s vulnerabilities
Investing in security technologies
Enterprise level
Source: https://blog.ferrovial.com/en/2016/11/what-have-ants-taught-architecture/
EASY-TO-IMPLEMENT STEPS
Hints for small businesses
Using different forms of media to reinforce the message
Highlight recent attacks in the news
Seek the services of a professional
Source: https://cheezburger.com/7113430784/cnn-has-some-strange-reporters
Security issues are bugs with different severity and business impact.
The bug
Programming malfunction
Authentication / Authorization / Data confidentiality / Data integrity
No blaming game!
Source: https://www.welcomewildlife.com/true-bugs-the-good-the-bad-the-ugly/
The Eggs
Planning and Security by Design
Source: https://pixabay.com/vectors/search/ant/
PLANNING PHASE
At the start of every IT project
Budgeting issues
Continuous education
Iterative approach
Source: https://www.wired.com/2014/11/harvester-ants-randomly-move-their-nests/
THINKING EVIL™
Method by Andrew van der Stock
Is the process surrounding this feature as safe as possible? In other words, is this a flawed process?
If I were evil, how would I abuse this feature?
Is the feature required to be on by default? If so, are there limits or options that could help reduce the risk from this feature?
SECURITY PRINCIPLES I.
First and second parties
Minimize attack surface area
Establish secure defaults
Least privilege
Defense in depth
Fail securely
Source: https://www.britishbugs.org.uk/heteroptera/Pentatomidae/pentotoma_rufipes.html
SECURITY PRINCIPLES II.
Third parties
Don’t trust services
Separation of duties
Avoid security by obscurity
Keep security simple
Fix security issues correctly
Source: https://www.twincities.com/2015/06/21/catch-bugs-for-scientists-to-study-at-interstate-state-park/
The Caterpillar
Development iterations until the first release
Source: https://www.stickpng.com/img/animals/insects/caterpillars/caterpillar-clipart
Stakeholders’ knowledge of basic principles, and of how they may be implemented in a software product, is vital to software security.
THE BASIC SKILLS
The secure mind-set
Protection from disclosure/alteration/destruction
Rights and privileges belonging to the requester
Ability to build historical evidence
Management of configuration, sessions and errors/exceptions
Source: https://species.wikimedia.org/wiki/Coccinella_septempunctata
APPLICATION LEVEL SECURITY
Protection of your application
Sanitize inputs at the client side and server side
Verify file upload functionality
Use only current encryption and hashing algorithms
Check the randomness of the session
Make sure third party libraries are secured
Set strong password policy
Source: https://www.pinterest.com/pin/67554063138904545
INFRASTRUCTURE LEVEL SECURITY
Protection of your host
Use HTTPS for domain entries
Do not allow for directory listing
Use TLS not SSL
Hide web server information
Source: https://www.vice.com/en_us/article/d7ezaq/what-would-happen-if-all-the-bees-died-tomorrow
WEB SECURITY PRACTICES
Protection of your users
Encode request/response
Do not store sensitive data inside cookies
Set secure and HttpOnly flags in cookies
Do not store sensitive information in a form’s hidden fields
Set secure response headers
Source: https://www.pexels.com/photo/bee-hiding-1244184/
The Chrysalis
First releases of the application
Source: https://www.nicepng.com/ourpic/u2e6a9o0y3u2y3e6_becoming-a-chrysalis-butterfly-caterpillar-monarch-i-ytimg/
VULNERABILITY ASSESSMENT
A forest of false-positive findings
Environmental conditions
Scanning of the application / infrastructure
Iterative approach to improve findings
Asset management
Source: https://99px.ru/avatari_vkontakte/10916/
SECURITY ASSESSMENT
VA + manual verification
Looking to gain a broad coverage of the systems under test
No exploitation of vulnerabilities
Verification by authorized access
Examining logs, system responses, error messages, code, etc.
Source: https://masterok.livejournal.com/4202997.html
Penetration tests simulate attacks by malicious parties.
SECURITY AUDIT
VA + SA + Pentest
Driven by a risk function to look at specific compliance issues
Combination of different approaches
Characterized by a narrow scope
Source: https://ccsenvironmental.uk/weird-and-funny-facts-about-insects-and-bugs/
SECURITY REVIEW
Something different from the approaches above
Verification that industry or internal security standards have been applied
Gap analysis, review of design documents and architecture diagrams
An activity that does not use any of the VA, SA, pentest or security audit approaches
Source: https://www.britishbugs.org.uk/heteroptera/Pentatomidae/pentotoma_rufipes.html
The Butterfly
Maintenance releases and activities
Source: https://www.pngkey.com/detail/u2q8w7a9o0q8e6u2_monarch-butterfly-transparent-background/
The three pillars
Information security
Confidentiality: only allow access to data for which the user is permitted
Integrity: ensure data is not tampered with or altered by unauthorized users
Availability: ensure systems and data are available to authorized users when they need them
VULNERABILITY MANAGEMENT
Iterative identification
Evolutive and corrective maintenance
Detection
Reporting
Remediation
Necessary mitigation vs. what-if cases
Source: https://www.thoughtco.com/fascinating-facts-about-ladybugs-1968120
TRUSTED SOURCES
Monitor regularly
Vendors, third party providers
National Vulnerability Database (NVD)
Common Vulnerabilities and Exposures (CVE)
... and the Drupal Security Team!
Source: https://blogs.iadb.org/sostenibilidad/en/the-fight-of-the-butterfly-restoring-haitis-native-species/
Drupal Vulnerability Management
The tale behind the codes
WHO AND HOW?
Difficulties and authentication
Access complexity
None (AC:N)
Basic (AC:B)
Complex (AC:C)
Authentication
None (A:N)
User (A:U)
Admin (A:A)
Source: https://mymodernmet.com/adam-gor-butterfly-photography/
THE PILLARS OF INFORMATION SECURITY
The measurable elements
Confidentiality impact
All (CI:A)
Some (CI:S)
None (CI:N)
Integrity impact
All (II:A)
Some (II:S)
None (II:N)
Source: http://www.fanpop.com/clubs/butterflies/images/9481952/title/beautiful-butterflies-wallpaper
Availability impact is out of the scope of Drupal VM.
CONDITIONS OF THE SURFACE
How does the application have to behave?
Exploit (zero-day impact)
Exploit (E:E)
Proof (E:P)
Theoretical (E:T)
Target distribution
All (TD:A)
Default (TD:D)
Uncommon (TD:U)
Source: https://commons.wikimedia.org/wiki/File:Bill_in_Ash_Vegas_-_2_Butterflies_(by).jpg
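A worked example of scoring the metric codes above, added here and not part of the slides: a small Python scorer that parses a Drupal advisory risk vector such as AC:N/A:U/CI:S/II:N/E:P/TD:D, sums the per-metric points, and maps the total to a risk level. The metric names are the ones on the slides; the point weights and the five risk bands are the Drupal Security Team's published ones (from its "Security risk levels defined" page, not from this deck), and the sample vectors are constructed.

```python
"""Score a Drupal security advisory risk vector.

Added example, not from the slides. Metric codes (AC, A, CI, II, E, TD)
are the ones on the slides; the point weights and risk bands come from the
Drupal Security Team's "Security risk levels defined" page, not the deck.
The sample vectors at the bottom are constructed, not real advisories.
"""
from __future__ import annotations

import re

# Points per metric value, as published by the Drupal Security Team.
WEIGHTS: dict[str, dict[str, int]] = {
    "AC": {"N": 4, "B": 2, "C": 1},   # access complexity
    "A":  {"N": 4, "U": 2, "A": 1},   # authentication required
    "CI": {"A": 5, "S": 3, "N": 0},   # confidentiality impact
    "II": {"A": 5, "S": 3, "N": 0},   # integrity impact
    "E":  {"E": 5, "P": 3, "T": 1},   # exploit (zero-day impact)
    "TD": {"A": 2, "D": 1, "U": 0},   # target distribution
}
# Availability is deliberately absent: the slides note it is out of scope
# for Drupal vulnerability management, so the scale tops out at 25.

# Risk bands on the 0..25 scale (inclusive ranges).
RISK_LEVELS = [
    (0, 4, "Not critical"),
    (5, 9, "Less critical"),
    (10, 14, "Moderately critical"),
    (15, 19, "Critical"),
    (20, 25, "Highly critical"),
]

_PART = re.compile(r"^([A-Z]+):([A-Z])$")


def parse_vector(vector: str) -> dict[str, str]:
    """Parse 'AC:N/A:N/CI:S/II:S/E:T/TD:A' into {'AC': 'N', ...}.

    Rejects unknown metrics, unknown values, duplicates and missing metrics,
    so a malformed advisory header fails loudly instead of scoring low.
    """
    metrics: dict[str, str] = {}
    for part in vector.strip().split("/"):
        m = _PART.match(part.strip())
        if not m:
            raise ValueError(f"malformed metric: {part!r}")
        name, value = m.groups()
        if name not in WEIGHTS:
            raise ValueError(f"unknown metric: {name}")
        if value not in WEIGHTS[name]:
            raise ValueError(f"unknown value {value!r} for {name}")
        if name in metrics:
            raise ValueError(f"duplicate metric: {name}")
        metrics[name] = value
    missing = set(WEIGHTS) - set(metrics)
    if missing:
        raise ValueError(f"missing metrics: {sorted(missing)}")
    return metrics


def is_valid_vector(vector: str) -> bool:
    """True when the vector parses cleanly; used for triage of incoming reports."""
    try:
        parse_vector(vector)
        return True
    except ValueError:
        return False


def score(vector: str) -> int:
    """Sum the points of every metric in the vector (0..25)."""
    metrics = parse_vector(vector)
    return sum(WEIGHTS[name][value] for name, value in metrics.items())


def risk_level(vector: str) -> str:
    """Map a vector to its risk band label."""
    total = score(vector)
    for low, high, label in RISK_LEVELS:
        if low <= total <= high:
            return label
    raise AssertionError("unreachable: score outside 0..25")


def triage(vector: str) -> str:
    """One-line triage summary, e.g. 'Moderately critical 12/25 (...)'."""
    return f"{risk_level(vector)} {score(vector)}/25 ({vector})"


if __name__ == "__main__":
    # Constructed sample vectors, not real advisories.
    samples = [
        "AC:N/A:N/CI:A/II:A/E:E/TD:A",   # worst case: 4+4+5+5+5+2 = 25
        "AC:B/A:U/CI:S/II:S/E:T/TD:D",   # mid-range:  2+2+3+3+1+1 = 12
        "AC:C/A:A/CI:N/II:N/E:T/TD:U",   # best case:  1+1+0+0+1+0 = 3
    ]
    for v in samples:
        print(triage(v))
```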
SecOSdays
25-26 October, 2019 – Sofia, Bulgaria
Call for Sessions and Sponsors are open!
Questions?
Thank you!

A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 

Último (20)

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 

A bug's life - Drupal Application Security and Vulnerability Management

THINKING EVIL™
Method by Andrew van der Stock

Is the process surrounding this feature as safe as possible? In other words, is this a flawed process?

If I were evil, how would I abuse this feature?

Is the feature required to be on by default? If so, are there limits or options that could help reduce the risk from this feature?

SECURITY PRINCIPLES I.
First and second parties
Minimize attack surface area
Establish secure defaults
Least privilege
Defense in depth
Fail securely
Source: https://www.britishbugs.org.uk/heteroptera/Pentatomidae/pentotoma_rufipes.html

SECURITY PRINCIPLES II.
Third parties
Don’t trust services
Separation of duties
Avoid security by obscurity
Keep security simple
Fix security issues correctly
Source: https://www.twincities.com/2015/06/21/catch-bugs-for-scientists-to-study-at-interstate-state-park/

The Caterpillar
Development iterations until the first release
Source: https://www.stickpng.com/img/animals/insects/caterpillars/caterpillar-clipart

Stakeholders’ knowledge of basic security principles, and of how they may be implemented in a software product, is vital to software security.

THE BASIC SKILLS
The secure mind-set
Protection from disclosure, alteration and destruction
Rights and privileges belonging to the requester
Ability to build historical evidence (an audit trail)
Management of configuration, sessions and errors/exceptions
Source: https://species.wikimedia.org/wiki/Coccinella_septempunctata
APPLICATION LEVEL SECURITY
Protection of your application
Validate and sanitize input on the server side (client-side checks are a usability aid only; an attacker bypasses them by sending the request directly)
Verify file upload functionality (extension allowlist, content checks, no script execution from the upload directory)
Use only current encryption and hashing algorithms
Check that session identifiers are unpredictable
Keep third-party libraries up to date and free of known vulnerabilities
Set a strong password policy
Source: https://www.pinterest.com/pin/67554063138904545
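The upload item on the slide above, carried out in working form. This is an added example and not code from the deck or from Drupal core: a server-side check that normalises the filename, allowlists extensions (inner ones included, so `shell.php.png` is refused), and verifies the file's leading bytes against the type its extension claims. The allowlist, the 5 MiB limit and the signature table are assumptions for an image/PDF upload field.

```python
"""Server-side upload verification (added example, not Drupal's own code).

Assumptions, not from the slides: an image/PDF upload field, a 5 MiB limit,
and the file-signature table below.
"""
import os
import re

# Extensions this field accepts (assumption).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}

# Leading bytes a file of each allowed type must start with.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
MAX_BYTES = 5 * 1024 * 1024


class UploadRejected(ValueError):
    """Raised with a reason the application can log (not echo back verbatim)."""


def normalise_filename(name: str) -> str:
    """Drop directory components and any character outside a conservative set.

    Dots are kept so the extension checks below see the real extensions;
    leading dots are stripped so '.htaccess' cannot be smuggled in.
    """
    base = os.path.basename(name.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    base = base.strip("._")
    if not base:
        raise UploadRejected("empty filename")
    return base


def validate_upload(name: str, content: bytes) -> str:
    """Return the filename to store, or raise UploadRejected.

    Every check runs on the server: the browser's declared MIME type and any
    client-side validation are attacker-controlled and are not consulted.
    """
    if len(content) > MAX_BYTES:
        raise UploadRejected("file too large")
    safe = normalise_filename(name)
    parts = safe.lower().split(".")
    if len(parts) < 2:
        raise UploadRejected("missing extension")
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension .{ext} not allowed")
    # Inner extensions matter too: a web server that maps handlers by any
    # extension in the name (Apache AddHandler) may execute 'shell.php.png'.
    for inner in parts[1:-1]:
        if inner not in ALLOWED_EXTENSIONS:
            raise UploadRejected(f"unsafe inner extension .{inner}")
    # The content must match the claimed type, not just the name.
    if not content.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match extension")
    return safe


def is_safe_upload(name: str, content: bytes) -> bool:
    """Boolean convenience wrapper around validate_upload()."""
    try:
        validate_upload(name, content)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed samples: a real PNG header versus a PHP payload with a PNG name.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    for fname, data in [("cat.png", png), ("shell.php.png", png),
                        ("fake.png", b"<?php system($_GET['c']); ?>"),
                        ("../../.htaccess", b"AddType application/x-httpd-php .png")]:
        print(fname, "->", "accepted" if is_safe_upload(fname, data) else "rejected")
```

Rejecting outright is the simplest policy to reason about; Drupal core instead renames a file whose inner extension is unsafe (it inserts an underscore after it), which also prevents execution but keeps the upload. Whichever you choose, the upload directory itself must still refuse to execute scripts, because a signature check only proves the first few bytes.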
INFRASTRUCTURE LEVEL SECURITY
Protection of your host
Serve every domain entry over HTTPS
Do not allow directory listing
Use TLS, not legacy SSL
Hide web server version information
Source: https://www.vice.com/en_us/article/d7ezaq/what-would-happen-if-all-the-bees-died-tomorrow

WEB SECURITY PRACTICES
Protection of your users
Encode output and validate request input
Do not store sensitive data in cookies
Set the Secure and HttpOnly flags on cookies
Do not store sensitive information in a form’s hidden fields
Set secure response headers
Source: https://www.pexels.com/photo/bee-hiding-1244184/
The Chrysalis
First releases of the application
Source: https://www.nicepng.com/ourpic/u2e6a9o0y3u2y3e6_becoming-a-chrysalis-butterfly-caterpillar-monarch-i-ytimg/

VULNERABILITY ASSESSMENT
A forest of false-positive issues
Environmental conditions
Scanning of the application / infrastructure
Iterative approach to improve the findings
Asset management
Source: https://99px.ru/avatari_vkontakte/10916/

SECURITY ASSESSMENT
VA + manual verification
Looking to gain broad coverage of the systems under test
No exploitation of vulnerabilities
Verification by authorized access
Examining logs, system responses, error messages, code, etc.
Source: https://masterok.livejournal.com/4202997.html

Penetration tests simulate attacks by malicious parties.

SECURITY AUDIT
VA + SA + Pentest
Driven by a risk function to look at specific compliance issues
Combination of different approaches
Characterized by a narrow scope
Source: https://ccsenvironmental.uk/weird-and-funny-facts-about-insects-and-bugs/

SECURITY REVIEW
Something other than the approaches above
Verification that industry or internal security standards have been applied
Gap analysis, review of design documents and architecture diagrams
An activity that does not use any of the VA, SA, pentest or security audit approaches
Source: https://www.britishbugs.org.uk/heteroptera/Pentatomidae/pentotoma_rufipes.html
The Butterfly
Maintenance releases and activities
Source: https://www.pngkey.com/detail/u2q8w7a9o0q8e6u2_monarch-butterfly-transparent-background/

The three pillars
Information security

Confidentiality: only allow access to data for which the user is permitted

Integrity: ensure data is not tampered with or altered by unauthorized users

Availability: ensure systems and data are available to authorized users when they need them

VULNERABILITY MANAGEMENT
Iterative identification
Evolutionary and corrective maintenance
Detection
Reporting
Remediation
Necessary mitigation vs. what-if cases
Source: https://www.thoughtco.com/fascinating-facts-about-ladybugs-1968120

TRUSTED SOURCES
Monitor regularly
Vendors, third-party providers
National Vulnerability Database (NVD)
Common Vulnerabilities and Exposures (CVE)
... and the Drupal Security Team!
Source: https://blogs.iadb.org/sostenibilidad/en/the-fight-of-the-butterfly-restoring-haitis-native-species/

Drupal Vulnerability Management
The tale behind the codes

WHO AND HOW?
Difficulty and authentication
Access complexity: None (AC:N), Basic (AC:B), Complex (AC:C)
Authentication: None (A:N), User (A:U), Admin (A:A)
Source: https://mymodernmet.com/adam-gor-butterfly-photography/

THE PILLARS OF INFORMATION SECURITY
The measurable elements
Confidentiality impact: All (CI:A), Some (CI:S), None (CI:N)
Integrity impact: All (II:A), Some (II:S), None (II:N)
Source: http://www.fanpop.com/clubs/butterflies/images/9481952/title/beautiful-butterflies-wallpaper

Availability impact is out of the scope of Drupal vulnerability management: the Security Team’s risk score rates confidentiality and integrity only.

CONDITIONS OF THE SURFACE
How does the application have to behave?
Zero-day impact (is an exploit available?): Exploit (E:E), Proof (E:P), Theoretical (E:T)
Target distribution: All (TD:A), Default (TD:D), Uncommon (TD:U)
Source: https://commons.wikimedia.org/wiki/File:Bill_in_Ash_Vegas_-_2_Butterflies_(by).jpg
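The three slides above list the six metrics the Drupal Security Team scores but not the arithmetic behind them. The following added example (not the Security Team's code) parses a vector in either the abbreviated form shown on the slides or the spelled-out form printed in advisories (for instance AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All), sums the per-metric weights and maps the total onto the five risk bands. The weights and band boundaries are reproduced from memory of the public drupal.org risk calculator and should be verified there before relying on the numbers.

```python
"""Score a Drupal Security Team risk vector (added example, not the Security
Team's own code).

The weights and the five risk bands reproduce the public drupal.org risk
calculator as recalled by the author of this example; verify them at
https://www.drupal.org/drupal-security-team/security-risk-levels-defined
before relying on the numbers. Availability is not a metric, as the deck says.
"""

WEIGHTS = {
    "AC": {"N": 4, "B": 2, "C": 1},  # access complexity: None / Basic / Complex
    "A":  {"N": 4, "U": 2, "A": 1},  # authentication: None / User / Admin
    "CI": {"A": 5, "S": 3, "N": 0},  # confidentiality impact: All / Some / None
    "II": {"A": 5, "S": 3, "N": 0},  # integrity impact: All / Some / None
    "E":  {"E": 4, "P": 2, "T": 1},  # zero-day impact: Exploit / Proof / Theoretical
    "TD": {"A": 3, "D": 2, "U": 1},  # target distribution: All / Default / Uncommon
}
MAX_SCORE = sum(max(v.values()) for v in WEIGHTS.values())  # 25

BANDS = (
    (0, 4, "Not critical"),
    (5, 9, "Less critical"),
    (10, 14, "Moderately critical"),
    (15, 19, "Critical"),
    (20, 25, "Highly critical"),
)


def parse_vector(vector: str) -> dict:
    """Parse 'AC:N/A:U/CI:S/II:S/E:T/TD:A', or the spelled-out form used in
    advisories such as 'AC:Basic/A:User/...', into {metric: letter}."""
    metrics = {}
    for part in vector.strip().split("/"):
        name, sep, value = part.partition(":")
        name = name.strip().upper()
        letter = value.strip()[:1].upper()  # first letter is unique per metric
        if not sep or name not in WEIGHTS:
            raise ValueError(f"unknown metric in {part!r}")
        if letter not in WEIGHTS[name]:
            raise ValueError(f"invalid value {value!r} for {name}")
        if name in metrics:
            raise ValueError(f"metric {name} given twice")
        metrics[name] = letter
    missing = sorted(set(WEIGHTS) - set(metrics))
    if missing:
        raise ValueError(f"missing metrics: {missing}")
    return metrics


def is_valid_vector(vector: str) -> bool:
    """True when every metric is present exactly once with a known value."""
    try:
        parse_vector(vector)
        return True
    except ValueError:
        return False


def score(vector: str) -> int:
    """Sum of the six metric weights, 0..MAX_SCORE."""
    return sum(WEIGHTS[name][letter] for name, letter in parse_vector(vector).items())


def risk_level(vector: str) -> str:
    """Map the score onto the Security Team's five risk bands."""
    total = score(vector)
    for low, high, label in BANDS:
        if low <= total <= high:
            return label
    raise ValueError(f"score {total} outside 0..{MAX_SCORE}")


def describe(vector: str) -> str:
    """'Moderately critical 14/25' style summary, as printed in advisories."""
    return f"{risk_level(vector)} {score(vector)}/{MAX_SCORE}"


if __name__ == "__main__":
    # Constructed vectors: an unauthenticated remote code execution with a
    # public exploit, a typical stored XSS, and an admin-only information leak.
    for v in ("AC:N/A:N/CI:A/II:A/E:E/TD:A",
              "AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All",
              "AC:C/A:A/CI:S/II:N/E:T/TD:U"):
        print(v, "->", describe(v))
```

Two things worth noticing when triaging with this: the zero-day metric is the only one that changes after publication (a theoretical issue becomes an exploited one once a proof of concept circulates, raising the score by up to three points), and because availability is not scored, a pure denial-of-service bug lands at the bottom of the scale regardless of how disruptive it is in practice.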
SecOSdays
25-26 October, 2019 – Sofia, Bulgaria
Call for Sessions and Sponsors are open!

Thank you!

Editor’s notes

Each test is approached using a consistent and complete methodology, in a way that allows the tester to use their problem-solving abilities, the output from a range of tools and their own knowledge of networking and systems to find vulnerabilities that would or could not be identified by automated tools.