
A bug's life - Drupal Application Security and Vulnerability Management

This session has been given at Drupal DevDays Transylvania in Cluj, Romania, 12 June 2019.


Slide 1: A bug's life: Drupal Application Security and Vulnerability Management. Tatar Balazs Janos, @tatarbj.

Slide 2: WHO AM I? Tatar Balazs Janos (@tatarbj): works with Drupal since 2007; CTO at Petend; Drupal Security Correspondent at the European Commission; active mentor in the Mentoring community group; provisional member of the Drupal Security Team; SecOSdreamer at Secure Open Source day.

Slide 3: A bug's life: security awareness at work.

Slide 4: SECURITY AWARENESS. Security measures at our workplace: programs to educate employees; individual responsibilities under the company security policies; measures to audit these efforts.

Slide 5: ORGANISATIONAL STRUCTURES (enterprise level). Top-down approach: creating security policies; assessing your company's vulnerabilities; investing in security technologies.

Slide 6: EASY-TO-IMPLEMENT STEPS (hints for small businesses): use different forms of media to reinforce the message; highlight recent attacks in the news; seek the services of a professional.

Slide 7: Security issues are bugs with different severity and business impact.

Slide 8: The bug. A programming malfunction that affects authentication, authorization, data confidentiality or data integrity. No blaming game!

Slide 9: The Eggs: planning and security by design.

Slide 10: PLANNING PHASE. At the start of every IT project: budgeting issues; continuous education; iterative approach.

Slide 11: THINKING EVIL™, a method by Andrew van der Stock.

Slide 12: Is the process surrounding this feature as safe as possible? In other words, is this a flawed process?

Slide 13: If I were evil, how would I abuse this feature?

Slide 14: Is the feature required to be on by default? If so, are there limits or options that could help reduce the risk from this feature?

Slide 15: SECURITY PRINCIPLES I (first and second parties): minimize attack surface area; establish secure defaults; least privilege; defense in depth; fail securely.

Slide 16: SECURITY PRINCIPLES II (third parties): don't trust services; separation of duties; avoid security by obscurity; keep security simple; fix security issues correctly.

Slide 17: The Caterpillar: development iterations until the first release.

Slide 18: Stakeholders' knowledge of basic principles, and of how they may be implemented in a software product, is vital to software security.

Slide 19: THE BASIC SKILLS (the secure mind-set): protection from disclosure, alteration and destruction; rights and privileges belonging to the requester; ability to build historical evidence (audit trails); management of configuration, sessions and errors/exceptions.

Slide 20: APPLICATION LEVEL SECURITY (protection of your application): validate and sanitize input on the server side (client-side checks are a usability aid, never the only control); verify file upload functionality; use only current encryption and hashing algorithms; check that session identifiers are generated with enough randomness; keep third-party libraries patched; set a strong password policy.

Slide 21: INFRASTRUCTURE LEVEL SECURITY (protection of your host): serve every domain over HTTPS; do not allow directory listing; use TLS, not the deprecated SSL protocol versions; hide web server version information.

Slide 22: WEB SECURITY PRACTICES (protection of your users): encode request and response data; do not store sensitive data inside cookies; set the Secure and HttpOnly flags on cookies; do not store sensitive information in a form's hidden fields; set secure response headers.
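The cookie-flag and response-header items on slides 21 and 22 are easy to check mechanically. The following is an added example, not code from the talk: it audits the Set-Cookie and security headers of an HTTP response and flags a version-bearing Server header. The header and attribute names are standard HTTP; the two sample responses are constructed for the demonstration.

```python
"""Audit the cookies and security headers of an HTTP response.

Added example for the slide checklist; it is not code from the talk.
The two sample responses below are constructed for this demonstration.
"""
import re
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]

# Constructed sample: a typical unhardened response.
WEAK_RESPONSE: Headers = [
    ("Server", "Apache/2.4.29 (Ubuntu)"),
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "SESSd41d8cd9=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "remember_me=1; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("X-Frame-Options", "SAMEORIGIN"),
]

# Constructed sample: the same response after hardening.
HARDENED_RESPONSE: Headers = [
    ("Server", "Apache"),
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "SESSd41d8cd9=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "remember_me=1; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'"),
]


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are lower-cased; bare flags such as Secure map to ''.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookie(value: str) -> List[str]:
    """Report a missing Secure, HttpOnly or SameSite on one Set-Cookie header."""
    name, attrs = parse_set_cookie(value)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure flag")
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly flag")
    if "samesite" not in attrs:
        findings.append(f"cookie {name}: missing SameSite attribute")
    return findings


def audit_response(headers: Headers) -> List[str]:
    """Return the list of findings; an empty list means every check passed."""
    present: Dict[str, List[str]] = {}
    for key, val in headers:
        present.setdefault(key.lower(), []).append(val)
    findings: List[str] = []
    for cookie in present.get("set-cookie", []):
        findings.extend(audit_cookie(cookie))
    if "strict-transport-security" not in present:
        findings.append("missing Strict-Transport-Security header")
    if present.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    csp = present.get("content-security-policy", [""])[0]
    if not csp:
        findings.append("missing Content-Security-Policy header")
    # Framing protection needs either CSP frame-ancestors or X-Frame-Options.
    if "frame-ancestors" not in csp and "x-frame-options" not in present:
        findings.append("no framing protection (frame-ancestors or X-Frame-Options)")
    # Slide 21: a version number in Server is information the attacker does not need.
    server = present.get("server", [""])[0]
    if re.search(r"\d", server):
        findings.append(f"Server header discloses version: {server!r}")
    return findings


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(response) or ["ok"])
```

The weak response produces six findings (two on the session cookie, three missing headers and the Server version); the hardened one produces none. Run it against real responses by feeding `audit_response()` the header pairs your HTTP client returns.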
Slide 23: The Chrysalis: first releases of the application.

Slide 24: VULNERABILITY ASSESSMENT. Expect a forest of false positives; environmental conditions; scanning of the application and infrastructure; iterative approach to improve the findings; asset management.

Slide 25: SECURITY ASSESSMENT = VA + manual verification. Looking to gain broad coverage of the systems under test; no exploitation of vulnerabilities; verification through authorized access; examining logs, system responses, error messages, code, etc.

Slide 26: Penetration tests simulate attacks by malicious parties.

Slide 27: SECURITY AUDIT = VA + SA + pentest. Driven by a risk function to look at specific compliance issues; a combination of different approaches; characterized by a narrow scope.

Slide 28: SECURITY REVIEW, something different from the previous activities: verification that industry or internal security standards have been applied; gap analysis, review of design documents and architecture diagrams; an activity that does not use any of the VA, SA, pentest or security audit approaches.

Slide 29: The Butterfly: maintenance releases and activities.

Slide 30: The three pillars of information security.

Slide 31: Confidentiality: only allow access to data for which the user is permitted.

Slide 32: Integrity: ensure data is not tampered with or altered by unauthorized users.

Slide 33: Availability: ensure systems and data are available to authorized users when they need them.

Slide 34: VULNERABILITY MANAGEMENT. Iterative identification; evolutionary and corrective maintenance; detection; reporting; remediation; necessary mitigation vs. what-if cases.

Slide 35: TRUSTED SOURCES, to monitor regularly: vendors and third-party providers; the National Vulnerability Database (NVD); Common Vulnerabilities and Exposures (CVE); ... and the Drupal Security Team!

Slide 36: Drupal Vulnerability Management: the tale behind the codes.

Slide 37: WHO AND HOW? Difficulty and authentication. Access complexity: None (AC:N), Basic (AC:B), Complex (AC:C). Authentication: None (A:N), User (A:U), Admin (A:A).

Slide 38: THE PILLARS OF INFORMATION SECURITY, the measurable elements. Confidentiality impact: All (CI:A), Some (CI:S), None (CI:N). Integrity impact: All (II:A), Some (II:S), None (II:N).

Slide 39: Availability impact is out of the scope of Drupal vulnerability management (VM) scoring.

Slide 40: CONDITIONS OF THE SURFACE: how does the application have to behave? Exploit (zero-day impact): Exploit (E:E), Proof (E:P), Theoretical (E:T). Target distribution: All (TD:A), Default (TD:D), Uncommon (TD:U).
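Slides 37 to 40 name the six metrics that a Drupal security advisory encodes in its risk vector. The following is an added example, not code from the talk or from the Drupal Security Team: it parses a vector in the spelled-out form used in published advisories (for example `AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All`) or in the slides' one-letter shorthand, sums the metric weights and maps the total to a risk band. The slides give only the metric names and values; the numeric weights and the five bands below are my recollection of the risk-level definition published on drupal.org and are an assumption to verify against the current page.

```python
"""Score a Drupal security advisory from its metric vector.

Added example for slides 37-40; not code from the talk or from the Drupal
Security Team. Assumption: the weights and the risk bands are as recalled
from the drupal.org risk-level definition and should be verified there.
"""
from typing import Dict, Tuple

# metric -> {value: weight}; the per-metric maxima add up to 25.
WEIGHTS: Dict[str, Dict[str, int]] = {
    "AC": {"None": 4, "Basic": 2, "Complex": 1},         # access complexity
    "A": {"None": 4, "User": 2, "Admin": 1},             # authentication needed
    "CI": {"All": 5, "Some": 3, "None": 0},              # confidentiality impact
    "II": {"All": 5, "Some": 3, "None": 0},              # integrity impact
    "E": {"Exploit": 5, "Proof": 3, "Theoretical": 1},   # zero-day impact
    "TD": {"All": 2, "Default": 1, "Uncommon": 0},       # target distribution
}
MAX_SCORE = sum(max(w.values()) for w in WEIGHTS.values())

# Lower bound of each risk band, highest first (assumed, see module docstring).
LEVELS = [
    (20, "Highly critical"),
    (15, "Critical"),
    (10, "Moderately critical"),
    (5, "Less critical"),
    (0, "Not critical"),
]


def parse_vector(vector: str) -> Dict[str, str]:
    """Parse 'AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All'.

    Accepts the spelled-out values of published advisories and the slides'
    one-letter shorthand (AC:B, A:N, ...). Raises ValueError on an unknown
    metric or value, a duplicated metric, or a missing metric.
    """
    parsed: Dict[str, str] = {}
    for item in vector.strip().split("/"):
        metric, sep, value = item.partition(":")
        metric, value = metric.strip().upper(), value.strip().lower()
        if not sep or metric not in WEIGHTS:
            raise ValueError(f"unknown or malformed metric in {item!r}")
        if metric in parsed:
            raise ValueError(f"duplicate metric {metric}")
        # Within one metric the first letters are distinct, so a single letter
        # is unambiguous (A:A is Admin; CI:A and TD:A are All).
        matches = [
            name for name in WEIGHTS[metric]
            if value == name.lower() or (len(value) == 1 and value == name[0].lower())
        ]
        if len(matches) != 1:
            raise ValueError(f"unknown value for {metric}: {value!r}")
        parsed[metric] = matches[0]
    missing = [m for m in WEIGHTS if m not in parsed]
    if missing:
        raise ValueError(f"missing metrics: {missing}")
    return parsed


def risk_score(vector: str) -> int:
    """Sum of the metric weights, 0..MAX_SCORE."""
    return sum(WEIGHTS[m][v] for m, v in parse_vector(vector).items())


def risk_level(score: int) -> str:
    """Map a score to its risk band."""
    if not 0 <= score <= MAX_SCORE:
        raise ValueError(f"score {score} outside 0..{MAX_SCORE}")
    for floor, label in LEVELS:
        if score >= floor:
            return label
    raise AssertionError("unreachable: LEVELS ends at 0")


def score_advisory(vector: str) -> Tuple[int, str]:
    """Return (score, band) for one advisory vector."""
    score = risk_score(vector)
    return score, risk_level(score)


if __name__ == "__main__":
    for v in ("AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All",
              "AC:N/A:N/CI:A/II:A/E:E/TD:A"):
        print(v, "->", score_advisory(v))
```

Note how the vector carries no availability metric, matching slide 39: an outage-only bug scores the same as no bug at all under this model, which is why availability issues are handled outside the advisory scoring.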
Slide 41: SecOSdays, 25-26 October 2019, Sofia, Bulgaria. The call for sessions and sponsors is open!

Slide 42: Questions?

Slide 43: Thank you!