
Drupal Security Updates

Jakub Suchý, jakub@dynamiteheads.com
Andrew Burcin, andrew@dynamiteheads.com
Dynamite Heads
26th November 2009
Situation
● In past – hacking for prestige

● Now – security is business

● Security is an everyday task

● Example: hundreds of SSH brute-force attacks a day

Drupal Security Updates


Jakub Suchý, 26.11.2009 2
My site is not interesting,
I am not a target!

Am I a target?
● Botnets

● Competition

● My own employees!

● Prestige: David vs. whitehouse.gov (Goliath)

● Some people just enjoy it!

David vs Goliath
● Hacker "botnet" – small company site

● Hacker "sniper" – The Economist, whitehouse

Typical problems
● Cross Site Scripting

● SQL Injection

● Cross Site Request Forgery

Typical impacts
● Site defaced, changed

Typical impacts
● Administrator access is compromised

● Credit card numbers stolen

● Gained access to the server

● Lots of other impacts

Drupal security
● Drupal is generally considered one of the most secure CMS

● There are over 5000 contributed modules

● Every module is basically a separate project

● Number of issues doesn't reflect security of the whole project!

Drupal security team
● Official source of security related info

● Resolving issues

● Providing assistance to contrib maintainers

● Education of developers

security@drupal.org
Found a security issue?
● Do not disclose it!

● Send it to security@drupal.org

Versions
● Security for two latest stable Drupal core versions

Release timeline:

● Drupal 5 – Jan 2007
● Drupal 6 – Feb 2008
● Drupal 7 – ?Q2/Q3 2010?
● Drupal 8 – ?2011-2012?

Legend: Supported (bugfixes, security) / Unsupported (no security, bugfixes)


Disclosure policy
● Core stable, contrib stable – fix with SA

● Core dev, contrib dev – fix but no SA

● Contrib dev = Module N.x-dev

Impacts, severity
● Highly critical – Privilege escalation, impersonation

● Critical – SQL Injection

● Moderately critical – XSS

● Less critical – CSRF

● Not critical

I've been hacked!
● Block access to the site and servers

● Evaluate damage

● Restore from backup/clean core & contrib

Drupal 5 End-Of-Life!
● After Drupal core 7.x is released

● No security updates for 5.x

● Upgrade ASAP

Upgrade essentials
● Do not modify core!

● Use Drush for easy updates

● Backup

● Upgrading core:
  ● CVS
  ● Drush
  ● Acquia stack from SVN

And btw...

And btw...

Do not modify core!
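Two slides make the same point from different sides: do not modify core, and when a site has been hacked, evaluate the damage and restore clean core and contrib. A practical way to do both is to keep a checksum manifest of the clean core tree (taken from the untouched download of the same version and stored outside the web root) and compare the live site against it. The script below is an added example, not code from the slides, from Drupal core or from any contributed module; the manifest format and the core_manifest_* function names are its own, and it builds a small sample tree in a temp directory so it runs offline with plain PHP.

```php
<?php
// Added example (not from the slides or from Drupal): verify a Drupal core
// tree against a sha1 manifest taken from a clean install. Function names
// and manifest layout are this example's own.

/**
 * Walk $root and return array(relative path => sha1). Top-level directories
 * in $skip are ignored because a site legitimately writes there (sites/).
 */
function core_manifest_build($root, $skip = array('sites')) {
  $root = rtrim(realpath($root), '/');
  $manifest = array();
  $it = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
  foreach ($it as $file) {
    if (!$file->isFile()) {
      continue;
    }
    $rel = substr($file->getPathname(), strlen($root) + 1);
    if (in_array(strtok($rel, '/'), $skip, TRUE)) {
      continue;
    }
    $manifest[$rel] = sha1_file($file->getPathname());
  }
  ksort($manifest);
  return $manifest;
}

/**
 * Compare the live tree with a trusted manifest. Any 'changed' or 'added'
 * entry means core is not clean; 'missing' means a core file was removed.
 */
function core_manifest_verify($root, array $trusted, $skip = array('sites')) {
  $live = core_manifest_build($root, $skip);
  $result = array('changed' => array(), 'added' => array(), 'missing' => array());
  foreach ($trusted as $path => $hash) {
    if (!isset($live[$path])) {
      $result['missing'][] = $path;
    }
    elseif ($live[$path] !== $hash) {
      $result['changed'][] = $path;
    }
  }
  foreach ($live as $path => $hash) {
    if (!isset($trusted[$path])) {
      $result['added'][] = $path;
    }
  }
  return $result;
}

// Demonstration on a constructed tree in a temp directory (not a real site).
$root = sys_get_temp_dir() . '/core_check_' . getmypid();
mkdir("$root/includes", 0700, TRUE);
mkdir("$root/sites/default/files", 0700, TRUE);
file_put_contents("$root/index.php", "<?php // clean index\n");
file_put_contents("$root/includes/bootstrap.inc", "<?php // clean bootstrap\n");

// 1. Manifest of the clean tree, taken before the site goes live.
$trusted = core_manifest_build($root);

// 2. What a later audit may find: a locally patched core file, a dropped-in
//    script, and a site-owned upload that must not be reported.
file_put_contents("$root/includes/bootstrap.inc", "<?php // locally patched\n");
file_put_contents("$root/includes/x.php", "<?php // unexpected file\n");
file_put_contents("$root/sites/default/files/logo.png", 'png');

$report = core_manifest_verify($root, $trusted);
foreach (array('changed', 'added', 'missing') as $kind) {
  printf("%-8s %s\n", $kind . ':',
    $report[$kind] ? implode(', ', $report[$kind]) : '(none)');
}

// Remove the constructed tree again.
$rm = new RecursiveIteratorIterator(
  new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
  RecursiveIteratorIterator::CHILD_FIRST);
foreach ($rm as $entry) {
  $entry->isDir() ? rmdir($entry->getPathname()) : unlink($entry->getPathname());
}
rmdir($root);
```

On a real site the manifest would be generated from the pristine tarball of the same core version, and a non-empty 'changed' or 'added' list is the signal to replace core with a clean copy rather than to edit files in place.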

Affected modules
● Issue is in a module I have installed but does not affect my installation

● Should I upgrade?

Affected modules
● Simple answer: Yes

● You might enable that buggy feature in future

● In that case: Just plan the upgrade

Writing secure code
● http://drupal.org/writing-secure-code
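The three problems named on the "Typical problems" slide (XSS, SQL injection, CSRF) each have a standard fix in the Drupal 6 API, which is what the writing-secure-code page above documents. The module below is an added example, not code from the slides or from Drupal core: the module name example_greet and all of its function names are assumptions for illustration, while the API functions it calls (t, check_plain, db_query, db_fetch_object, node_delete, drupal_get_token, drupal_valid_token, drupal_access_denied, drupal_goto, l) are real Drupal 6 functions. Each problem is shown as the vulnerable pattern followed by the hardened one.

```php
<?php
// Added example, not code from the slides or from Drupal core: a hypothetical
// Drupal 6 module "example_greet" showing each of the three typical problems
// as the vulnerable pattern followed by the fix the Drupal API provides.
// Module and function names are assumptions; the API calls are Drupal 6's.

/**
 * Implementation of hook_menu(): both pages are routed through access checks.
 */
function example_greet_menu() {
  $items = array();
  $items['greet'] = array(
    'title' => 'Greeting',
    'page callback' => 'example_greet_page_safe',
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  // %node makes the menu system node_load() the third path component.
  $items['greet/delete/%node'] = array(
    'title' => 'Delete',
    'page callback' => 'example_greet_delete_safe',
    'page arguments' => array(2),
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// --- 1. Cross Site Scripting ------------------------------------------------

// VULNERABLE: a query-string value is echoed into the page unescaped.
function example_greet_page_xss() {
  $name = isset($_GET['name']) ? $_GET['name'] : 'visitor';
  return '<p>Hello ' . $name . '</p>';
}

// FIXED: t() runs check_plain() on @placeholders, so HTML metacharacters in
// $name are escaped; check_plain() alone does the same for values that are
// not passed through t(), such as a title read back from the database.
function example_greet_page_safe() {
  $name = isset($_GET['name']) ? $_GET['name'] : 'visitor';
  $node = example_greet_lookup_safe($name, 1);
  $output = '<p>' . t('Hello @name', array('@name' => $name)) . '</p>';
  if ($node) {
    $output .= '<p>' . check_plain($node->title) . '</p>';
  }
  return $output;
}

// --- 2. SQL Injection -------------------------------------------------------

// VULNERABLE: user input concatenated straight into the SQL text.
function example_greet_lookup_sqli($title) {
  $sql = "SELECT nid, title FROM {node} WHERE title = '" . $title . "'";
  return db_fetch_object(db_query($sql));
}

// FIXED: Drupal 6 placeholders. db_query() escapes each extra argument;
// %d casts to an integer and '%s' (quoted in the query) escapes a string.
function example_greet_lookup_safe($title, $nid_min) {
  return db_fetch_object(db_query(
    "SELECT nid, title FROM {node} WHERE title = '%s' AND nid >= %d",
    $title, $nid_min));
}

// --- 3. Cross Site Request Forgery -----------------------------------------

// VULNERABLE: a plain GET request changes state. Nothing proves the logged-in
// administrator meant to issue it, so a link or image on another page the
// administrator happens to visit is enough to trigger it with their session.
function example_greet_delete_csrf($node) {
  node_delete($node->nid);
  drupal_set_message(t('Deleted @title', array('@title' => $node->title)));
  drupal_goto('<front>');
}

// FIXED: require a per-session token bound to this exact action. Only links
// built with drupal_get_token() for the same value carry a valid one.
// (For real forms use the Form API, which adds and checks form_token itself.)
function example_greet_delete_safe($node) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'example_greet_delete_' . $node->nid)) {
    drupal_access_denied();
    return;
  }
  node_delete($node->nid);
  drupal_set_message(t('Deleted @title', array('@title' => $node->title)));
  drupal_goto('<front>');
}

// Renders the protected delete link; l() runs check_plain() on the link text.
function example_greet_delete_link($node) {
  $token = drupal_get_token('example_greet_delete_' . $node->nid);
  return l(t('Delete'), 'greet/delete/' . $node->nid,
    array('query' => array('token' => $token)));
}
```

The severity slide maps onto these three directly: the SQL injection path is rated critical, the XSS path moderately critical and the CSRF path less critical, and in each case the fix is to use the API function rather than to hand-write escaping or token handling in the module.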

Staying on track
● Drupal Update Status module
  ● 5.x: install http://drupal.org/project/update_status
  ● 6.x: included in core
  ● 6.x: http://drupal.org/project/update_advanced – ignore projects, versions

Staying on track
● Admin → Reports → Updates → Settings

Staying on track
● http://drupal.org/security

● http://drupal.org/security/contrib
● http://drupal.org/security/psa

● RSS channels: find on http://drupal.org/security

● Newsletter: http://drupal.org/user → Edit your account → My newsletters → subscribe

Staying on track with security
= easier and cost effective
development and maintenance!

Questions?

@dynamiteheads
http://www.dynamiteheads.com
Jakub Suchý, jakub@dynamiteheads.com
Andrew Burcin, andrew@dynamiteheads.com
