Drupal and SecurityWhat you need to know

Stephane Corlosquet29th September 2015

Stéphane"scor"Corlosquet

9+ years with Drupal

Drupal Security Team member

RDF in core + contrib

Definitive Guide to Drupal 7

We're hiring

Lotsofthingstocover

Server environment

Server config

Personal practices

Drupal Configuration

Code

A disaster foretold — and ignored

Generaltips

Use HTTPS, SSH, SFTP

Strong password policy

Server – LAMP stack

Require SSH keys

Take & verify your backups

for sharingSanitize backups

Securesiteconfiguration

Keep your site settings secure

Text formats

PHP module

PHP in other modules

Roles and permissions

Securesiteconfiguration

File permissions: web server user forbidden to change

code

PHP execution: restrict in .htaccess or Nginx config

Drupal handbook for securing your site

Drupalspecifichosting

Can your hosting provider help you improve your

security process?

&

Tuned for Drupal security (and performance)

Code, DB, uploaded files, config

Managed security updates

Acquia Cloud Insight

Acquia Remote administration

Modulesenhancingsecurity

/

Secure Login

Paranoia

Security Review

Permissions Lock

Hacked!

Password policy Password strength

Two Factor Authentication

PCI,HIPAA,SOC1,SOC2,SCADA

Be aware of the regulations in your environment

Anyone work in HIPAA environment?

FedRAMP/FISMA Certification & Accreditation (C&A)?

Anyone work with Drupal in SCADA environment?

Drupal PCI Compliance Report

Securityprocess

Ongoing maintenance

Budget for security

Managed hosting

Drupal.org packaging infrastructure

Securityprocess

Keep Drupal code secure in core and contrib

Educate the community on security best practices

Developers

Site builders

Site administrators and users

Decision makers

for every security release

Drupal Security Team

Security Advisory

Securityprocess

https://www.acquia.com/blog/keeping-drupal-secure

Securityprocess

Securityprocess

Securityprocess

Whatarethemostcommon

issues?

Whatarethemostcommon

issues?

WhatisXSS?

Cross Site Scripting

Code in the browser

Making requests

Parsing responses

Javascript, Flash, Java, etc.

TestingforXSS

<script>alert('title');</script>

<img src="a" onerror="alert('title');">

Catches 90%

FixingXSS?

Filter text

On output to browser

As late as reasonable

Some API filters where reasonable

t() and @text and %text placeholders

PrecautionsagainstXSS

WhatisAccessBypass?

User can see or do something

That permissions/access should prevent

Wheredoweenforceit?

Menu 'access callback'

if(user_access('see something'));Node access system

Entity access

Field access

Services & Ajax apis?

In templates

TestingforAccessBypass

Visit node/nid etc.

Visit anything/%node

Use behat

FixingAccessBypass?

user_access for permissions

node_accessentity_access$query->addTag('node_access');menu definitions

write automated tests

WhatisCSRF?

path that does not confirm intent

<img src=" " >http://example.com/node/1/quickdelete

TestingforCSRF

$_GET, $_POST, no use of drupal_get_token()

"verb" menu callbacks without token

FixingCSRF?

Use Form API: confirmation forms

Send and validate tokens

Protect Against CSRF webinar with greggles

Drupalgeddon-coreSQL

injection2014

SQL injection lead to arbitrary code execution

Plan your security updates!

Exploited soon after the release

Mitigated on Acquia Cloud

Handbook for how to recover from a breach

Drupal7

Securityimprovements

Drupal7

Stronger password hashing / salt

Login flood control

prevents brute-force credential guessing

Protected cron

prevents Denial of Service attacks

Update manager

Update module from the web UI

Drupal7UpdateManager

Drupal7UpdateManager

Notifications

Drupal8

Securityimprovements

Drupal8:Twig

Automatically sanitizes strings on output

# Drupal 7 if (isset($variables['link_path'])) { $output = l($variables['name'] . $variables['extra'], $variables['link_path'], $variables } else { $output = '<span' . drupal_attributes($variables['attributes_array']) . '>' . $variables } return $output;

# Drupal 8 {% if link_path -%} <a{{ attributes }}>{{ name }}{{ extra }}</a> {%- else -%} <span{{ attributes }}>{{ name }}{{ extra }}</span> {%- endif -%}

Drupal8:Twig

No PHP in templates

{% if link_path -%} <a{{ attributes }}>{{ name }}{{ extra }}</a>{%- else -%} <span{{ attributes }}>{{ name }}{{ extra }}</span>{%- endif -%}

Drupal8:WYSIWYGincore

Streamlined filter mechanism (server and client side)

No more full HTML as last resort

Drupal8:PHP

Removed PHP module

Drupal8:Built-inCSRFtokens

CSRF tokens built in the routing system

# views_ui.routing.ymlviews_ui.enable: path: '/admin/structure/views/view/{view}/enable' defaults: _controller: '\Drupal\views_ui\Controller\ViewsUIController::ajaxOperation' op: enable requirements: _entity_access: view.enable _csrf_token: 'TRUE'

Drupal8:lotsmorehardening

PDO MySQL limited to executing single statements

PHP execution in subfolders forbidden in .htaccess

Clickjacking protection per default with X-Frame-

Options

Hashed user session IDs in the DB

Trusted hosts pattern to restrict URL domains

Blog post: 10 Ways Drupal 8 Will Be More Secure

BookonSecurityinDrupal

References

Drupal Security Advisories

Drupal Security Team

Drupal Security report

Drupal Security Best Practices guide

DGD7 chapter 6

https://groups.drupal.org/security

Security on docs.acquia.com

Thanks!

Got questions?

Contact

@scorlosquet

scor@acquia.com