Published by: uk_drupal on Dec 18, 2009
Drupal Security Updates

Jakub Suchý, jakub@dynamiteheads.com
Andrew Burcin, andrew@dynamiteheads.com
Dynamite Heads
26th November 2009

Situation

● In the past – hacking for prestige
● Now – security is business
● Security is an everyday task

Example: hundreds of SSH Bruteforce attacks a day

Drupal Security Updates Jakub Suchý, 26.11.2009

2

My site is not interesting, I am not a target!


Am I a target?

● Botnets
● Competition
● My own employees!
● Prestige: David vs. whitehouse.gov (Goliath)
● Some people just enjoy it!


David vs Goliath

● Hacker "botnet" – small company site
● Hacker "sniper" – The Economist, whitehouse


Typical problems

● Cross Site Scripting
● SQL Injection
● Cross Site Request Forgery


Typical impacts

Site defaced, changed


Typical impacts

● Administrator access is compromised
● Credit card numbers stolen
● Gained access to the server
● Lots of other impacts


Drupal security

● Drupal is generally considered one of the most secure CMSs
● There are over 5000 contributed modules
● Every module is basically a separate project
● The number of issues doesn't reflect the security of the whole project!


Drupal security team

● Official source of security related info
● Resolving issues
● Providing assistance to contrib maintainers
● Education of developers

security@drupal.org

Found a security issue?

● Do not disclose it!
● Send it to security@drupal.org


Versions

Security support covers the two latest stable Drupal core versions.

Drupal 5 – Jan 2007
Drupal 6 – Feb 2008
Drupal 7 – ?Q2/Q3 2010?
Drupal 8 – ?2011-2012?

Legend: Supported (bugfixes, security) / Unsupported (no security, no bugfixes)

Disclosure policy

● Core stable, contrib stable – fix with SA (security advisory)
● Core dev, contrib dev – fix but no SA
● Contrib dev = Module N.x-dev


Impacts, severity

● Highly critical – privilege escalation, impersonation
● Critical – SQL injection
● Moderately critical – XSS
● Less critical – CSRF
● Not critical


I've been hacked!

● Block access to the site and servers
● Evaluate damage
● Restore from backup / clean core & contrib


Drupal 5 End-Of-Life!

● After Drupal core 7.x is released
● No security updates for 5.x
● Upgrade ASAP


Upgrade essentials

● Do not modify core!
● Use Drush for easy updates
● Backup
● Upgrading core:
  ● CVS
  ● Drush
  ● Acquia stack from SVN

And btw...

Do not modify core!


Affected modules

● The issue is in a module I have installed, but it does not affect my installation
● Should I upgrade?


Affected modules

● Simple answer: Yes
● You might enable that buggy feature in the future
● In that case: just plan the upgrade


Writing secure code

http://drupal.org/writing-secure-code


Staying on track

Drupal Update Status module
● 5.x: install http://drupal.org/project/update_status
● 6.x: included in core
● 6.x: http://drupal.org/project/update_advanced – ignore projects, versions
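An added example, not the Update Status module's own code and not from the presenters, of the check that module performs for you: parse a project's release-history feed and report whether the installed version is behind a security release, with an ignore list in the spirit of update_advanced. It assumes the XML layout served by updates.drupal.org/release-history/<project>/<core>; the feed, module name and version numbers below are constructed.

```python
"""Flag pending security releases from a Drupal release-history feed.

Added example, not the Update Status module's own code. Assumes the XML layout
of updates.drupal.org/release-history/<project>/<core>: <release> elements with
<version>, <version_major>, <version_patch>, <status> and a 'Release type' term."""
import xml.etree.ElementTree as ET

# Constructed sample feed for a fictional 6.x module; versions are made up.
SAMPLE_FEED = """<project>
  <short_name>example</short_name><api_version>6.x</api_version>
  <releases>
    <release><version>6.x-1.3</version><version_major>1</version_major>
      <version_patch>3</version_patch><status>published</status>
      <terms><term><name>Release type</name><value>Security update</value></term></terms>
    </release>
    <release><version>6.x-1.2</version><version_major>1</version_major>
      <version_patch>2</version_patch><status>published</status>
      <terms><term><name>Release type</name><value>Bug fixes</value></term></terms>
    </release>
    <release><version>6.x-1.1</version><version_major>1</version_major>
      <version_patch>1</version_patch><status>published</status></release>
  </releases>
</project>"""


def parse_releases(feed_xml):
    """Return (major, patch, version, is_security) for every published release."""
    root = ET.fromstring(feed_xml)
    out = []
    for rel in root.iter("release"):
        if rel.findtext("status") != "published":
            continue  # unpublished releases are not offered for download
        types = {t.findtext("value") for t in rel.iter("term")
                 if t.findtext("name") == "Release type"}
        out.append((int(rel.findtext("version_major")),
                    int(rel.findtext("version_patch")),
                    rel.findtext("version"),
                    "Security update" in types))
    return out


def security_status(feed_xml, installed, ignore=()):
    """Classify (major, patch) as 'SECURITY UPDATE', 'update available' or 'up to date'.
    `ignore` mimics update_advanced's ignored versions: they are never reported."""
    inst_major, inst_patch = installed
    newer = [r for r in parse_releases(feed_xml)
             if r[0] == inst_major and r[1] > inst_patch and r[2] not in ignore]
    if not newer:
        return "up to date"
    return "SECURITY UPDATE" if any(r[3] for r in newer) else "update available"
```

Any newer security release in the same branch means the site is missing that fix, which is why a skipped bug-fix release in between does not change the verdict.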


Staying on track

Admin → Reports → Updates → Settings


Staying on track

● http://drupal.org/security
● http://drupal.org/security/contrib
● http://drupal.org/security/psa
● RSS channels: find on http://drupal.org/security
● Newsletter: http://drupal.org/user → Edit your account → My newsletters → subscribe


Staying on track with security = easier and more cost-effective development and maintenance!


Questions?
@dynamiteheads
http://www.dynamiteheads.com
Jakub Suchý, jakub@dynamiteheads.com
Andrew Burcin, andrew@dynamiteheads.com
