If you can't read please download the document

Drupal Security

Embed Size (px)

DESCRIPTION

My second presentation at DrupalCamp Sofia 2011 about securing Drupal sites.

Citation preview

  • 1. Drupal Security DrupalCamp Bulgaria 2011

2. ! , . . 3.

  • Drupal APIs secure

4. , , . 5. APIs , , 6. !

  • Overview: http://drupalsecurityreport.org

7. http://drupal.org/writing-secure-code 8. http://drupal.org/security/secure-configuration 9. Cracking Drupal http://crackingdrupal.com/ 10. http://heine.familiedeelstra.com/ 11. http://drupal.org/project/security_review 12. http://drupal.org/project/coder 13. 14. 15. !

  • , update (Update Status 5)

16. drupal.org Security Advisory emails. 17. (VCS drush) 18. 19. insecure tools

  • : FTP, Telnet, HTTP

20. Total Commander, FileZilla? 21. : SSH, sFTP, FTPS, HTTPS 22. - security fix- PHP, Apache, mySQL, etc? 23. !

  • ?

24. ? 25. ? 26. , 27.

28. 29. Database (SQL) 30. 31. Shell

  • http://acko.net/blog/safe-string-theory-for-the-web

32. 33. 34. Demo If you can do it, XSS can do it better! 35. 36. Cross Site Request Forgery

37. img . 38. JS . 39. $_GET, $_POST 40. Form tokens URL tokens . 41.

  • http://drupal.org/security/contrib

42. http://drupal.org/securityteam/risklevels 43.

  • (Arbitrary code execution)

44. , PHP include- PHP 45. , : PHP input format 46. http://xkcd.com/327/ 47. SQL Injection

  • SQL query-,

48. 49. , - , hashed passwords, etc. 50. Access Bypass

  • authentication bypass

51. , , , 52. Authentication bypass 53. 54. ? http://mmartinov.com


Drupal, lessons learnt from real world security incidents

Drupal, lessons learnt from real world security incidents

Internet
TYPO3 & Security @ Drupal Meetup

TYPO3 & Security @ Drupal Meetup

Technology
Drupal Security from Drupalcamp Cologne 2009

Drupal Security from Drupalcamp Cologne 2009

Technology
Automated Tool Provides Instant Insight into Drupal Performance, Security

Automated Tool Provides Instant Insight into Drupal Performance, Security

Technology
Drupal Security DevSecOps - Drupal Camp Asheville 2018 · $> whoami I Am Will Chatham Security Analyst for ERT at NOAA’s NCEI Ethical Hacker Type Twitter - @willc Drupal - geekamongus

Drupal Security DevSecOps - Drupal Camp Asheville 2018 · $> whoami I Am Will Chatham Security Analyst for ERT at NOAA’s NCEI Ethical Hacker Type Twitter - @willc Drupal - geekamongus

Documents
Drupal Security Basics for the DrupalJax January Meetup

Drupal Security Basics for the DrupalJax January Meetup

Technology
Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best

Drupal Security DevSecOps · 2017-07-15 · Drupal Security Configuration Use the Least Privilege Concept Provide the minimum amount of access necessary to do the job. General Best

Documents
Drupal and security - Advice for Site Builders and Coders

Drupal and security - Advice for Site Builders and Coders

Internet
Training: Best Practices for Drupal Security

Training: Best Practices for Drupal Security

Technology
Adventures in Drupal Security - juniortidal.comin drupal security junior tidal web services & multimedia librarian . new york city college of technology @juniortidal . 1. organizational

Adventures in Drupal Security - juniortidal.comin drupal security junior tidal web services & multimedia librarian . new york city college of technology @juniortidal . 1. organizational

Documents
Drupal security lecture

Drupal security lecture

Technology
G-Cloud SERVICE DEFINITION GUIDE€¦ · Drupal content management system optimisation, upgrades, maintenance, hosting, Drupal security patching, development, training and 24/7/365

G-Cloud SERVICE DEFINITION GUIDE€¦ · Drupal content management system optimisation, upgrades, maintenance, hosting, Drupal security patching, development, training and 24/7/365

Documents
Drupal security

Drupal security

Documents
Drupal security - Subhranshu Sekhar

Drupal security - Subhranshu Sekhar

Technology
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in Drupal

Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in Drupal

Technology
Drupal Security for Coders and Themers - XSS and CSRF

Drupal Security for Coders and Themers - XSS and CSRF

Documents
A Brief Analysis of Drupal Security

A Brief Analysis of Drupal Security

Documents
Drupal Website Development, Drupal website Design, Drupal, Drupal developer

Drupal Website Development, Drupal website Design, Drupal, Drupal developer

Design
Peeling Back the Onion: Drupal Security and Compliance · The three year ATO cycle is transforming into continuous assurance ... Drupal GovCon 2016 | Drupal Security and Compliance

Peeling Back the Onion: Drupal Security and Compliance · The three year ATO cycle is transforming into continuous assurance ... Drupal GovCon 2016 | Drupal Security and Compliance

Documents
Hong kong drupal user group nov 8th - drupal 7.32 security vulnerability

Hong kong drupal user group nov 8th - drupal 7.32 security vulnerability

Technology
Drupal Security Awareness (2). Disclaimer De informatie in deze cursus is bedoeld om veiligere Drupal websites te bouwen, niet om andere Drupal websites

Drupal Security Awareness (2). Disclaimer De informatie in deze cursus is bedoeld om veiligere Drupal websites te bouwen, niet om andere Drupal websites

Documents
Drupal Security: How to survive Drupalgeddon and prepare for future (European Drupal Days 2015)

Drupal Security: How to survive Drupalgeddon and prepare for future (European Drupal Days 2015)

Internet
Drupal and Security: What You Need to Know

Drupal and Security: What You Need to Know

Technology
Drupal Security from Drupalcamp Bratislava

Drupal Security from Drupalcamp Bratislava

Technology
WordPress Security @ Vienna WordPress + Drupal Meetup

WordPress Security @ Vienna WordPress + Drupal Meetup

Software
Drupal Security Hardening

Drupal Security Hardening

Technology
Protect Your Drupal Site Against Common Security Attacks

Protect Your Drupal Site Against Common Security Attacks

Technology
Drupal Security Awareness (2)

Drupal Security Awareness (2)

Documents
Drupal Security Seminar

Drupal Security Seminar

Technology
SCALABLE DRUPAL SITESfiles.meetup.com/10724102/DrupalACT-160830.pdf · CHOOSING HORSES FOR COURSES Drupal Core • Changes Infrequently • Usually Security Updates • Almost Static

SCALABLE DRUPAL SITESfiles.meetup.com/10724102/DrupalACT-160830.pdf · CHOOSING HORSES FOR COURSES Drupal Core • Changes Infrequently • Usually Security Updates • Almost Static

Documents