10. Clear System Boundaries
  Limits the scope of the system that you are validating
  Apply controls only to the elements under validation
  Leverage previously secured components and infrastructure
11. A thorough risk analysis
  Code analysis for all custom code
  Theming focus
  Penetration testing
  Vulnerability assessment
  Gap analysis
12. Developing the right controls
  Don't over-engineer your controls
  Leverage your existing policies & procedures
  Focus on the entire system
  Define validation plans in parallel with controls
  Take advantage of the Drupal community
14. Firewalls
  One layer of defense, a preventative logical control
  Configuration management
  Outgoing as well as incoming ACLs!
  Limit management access to a single IP or the fewest possible; SSH, not Telnet
15. Intrusion Detection
  Logical detective control
  Rules must be up to date
  Configuration is key; the sensor must be able to see the traffic
  Vendor-specific solutions provide a variety of options for action
16. Validation of controls
  Identify that they have been implemented
  Develop testing for each control deployed
  Document pass/fail status of each control
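As an added example (not from the deck), the following Python script turns the three firewall checks from slide 14 (outgoing as well as incoming ACLs, management access limited to a single IP or the fewest possible, SSH not Telnet) into the per-control pass/fail record that slide 16 asks for. The one-rule-per-line syntax, the two sample rulesets and the addresses in them are constructed for this demonstration and are not any vendor's configuration format.

```python
"""Audit a firewall ruleset against the slide-14 controls and record pass/fail
per control as slide 16 asks. Added example, not from the original deck.

The ruleset syntax is a constructed, simplified one-rule-per-line form used
only here (direction action proto port source); it is not any vendor's syntax.
"""
import ipaddress
import re

# Constructed sample: management port open to the world, telnet enabled, no egress filtering.
WEAK_RULESET = """
in  allow tcp 80  0.0.0.0/0
in  allow tcp 443 0.0.0.0/0
in  allow tcp 22  0.0.0.0/0
in  allow tcp 23  0.0.0.0/0
out allow any any 0.0.0.0/0
"""

# Constructed sample: SSH only from one admin host (203.0.113.10 is documentation
# address space), explicit inbound and outbound deny-all at the end.
HARDENED_RULESET = """
in  allow tcp 80  0.0.0.0/0
in  allow tcp 443 0.0.0.0/0
in  allow tcp 22  203.0.113.10/32
in  deny  any any 0.0.0.0/0
out allow tcp 443 0.0.0.0/0
out allow udp 53  198.51.100.53/32
out deny  any any 0.0.0.0/0
"""

RULE_RE = re.compile(r"^(in|out)\s+(allow|deny)\s+(\w+)\s+(\w+)\s+(\S+)$")
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet"}


def parse_rules(text):
    """Parse the constructed rule syntax into dicts; reject anything unparseable loudly."""
    rules = []
    for line in text.strip().splitlines():
        match = RULE_RE.match(line.strip())
        if not match:
            raise ValueError(f"unparseable rule: {line!r}")
        direction, action, proto, port, source = match.groups()
        rules.append({
            "direction": direction,
            "action": action,
            "proto": proto,
            "port": None if port == "any" else int(port),
            "source": ipaddress.ip_network(source),
        })
    return rules


def audit(rules, max_management_hosts=1):
    """Return {control: (passed, note)}; one entry per slide-14 control."""
    results = {}

    # Outgoing as well as incoming ACLs: require an explicit egress deny, not just permits.
    egress = [r for r in rules if r["direction"] == "out"]
    egress_deny = any(r["action"] == "deny" for r in egress)
    results["egress ACL present"] = (
        egress_deny,
        f"{len(egress)} outbound rule(s), explicit deny: {egress_deny}",
    )

    # Management access limited to a single IP (or the fewest possible).
    mgmt = [r for r in rules
            if r["direction"] == "in" and r["action"] == "allow" and r["port"] in MANAGEMENT_PORTS]
    widest = max((r["source"].num_addresses for r in mgmt), default=0)
    results["management access restricted"] = (
        widest <= max_management_hosts,
        f"widest management source covers {widest} host(s), limit {max_management_hosts}",
    )

    # SSH, not Telnet: no inbound permit for port 23 at all.
    telnet_open = any(r["direction"] == "in" and r["action"] == "allow" and r["port"] == 23
                      for r in rules)
    results["ssh not telnet"] = (
        not telnet_open,
        "telnet (23) permitted inbound" if telnet_open else "no inbound telnet permit",
    )
    return results


def all_pass(results):
    return all(passed for passed, _ in results.values())


def report(text, name):
    """Render the pass/fail record for one ruleset, ready to file with the validation evidence."""
    results = audit(parse_rules(text))
    lines = [f"== {name} =="]
    for control, (passed, note) in results.items():
        lines.append(f"[{'PASS' if passed else 'FAIL'}] {control}: {note}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(WEAK_RULESET, "weak ruleset"))
    print(report(HARDENED_RULESET, "hardened ruleset"))
```

The weak ruleset fails all three controls and the hardened one passes them; the point of keeping the checks as code is that the same audit runs again after every configuration change, which is the configuration-management bullet on the same slide.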
17. Remediation plan
  Plan of action:
    You don't need to address every risk you identify
    Some will be acceptable for launch
  Remediation change management
  Validate remediation
18. Tools and Processes
  Integrate reviews early in your system lifecycle
  Use a mix of tools to validate your controls:
    Coding standards
    Code analysis
    Functional tests
    Scanners
    Fuzzers
  Leverage available information
19. Coding Standards
  Start with the Drupal community standards
  Use Drupal APIs to avoid common risks
  Establish your own standards to further secure your code
  Watch adjacent communities for best practices
20. Code Analysis
  Ensure strict API syntactical adherence
  Review all custom code from a security perspective
  Hook to validation testing
  Any variance should be documented
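As an added example for slides 19 and 20 (not from the deck and not a Drupal project tool), the Python checker below scans custom PHP for three departures from Drupal 7 API usage that the community standards exist to prevent: SQL assembled from variables instead of db_query() named placeholders, raw superglobal reads instead of Form API input, and variables interpolated into t() instead of passed as placeholders. It also honours a `security-reviewed:` comment so that a documented variance is recorded rather than silently ignored, which is the last bullet of slide 20. The sample module, the rule set, the annotation convention and the SEC-42 ticket id are all constructed for this demonstration.

```python
"""Check custom PHP for deviations from Drupal 7 API usage and keep a record of
documented variances. Added example, not from the deck and not a Drupal tool.

The sample module, the rules and the `security-reviewed:` annotation convention
are constructed for this demonstration; SEC-42 is a placeholder ticket id.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_MODULE = """<?php
function example_page() {
  $nid = $_GET['nid'];
  $result = db_query("SELECT title FROM {node} WHERE nid = $nid");
  $safe = db_query("SELECT title FROM {node} WHERE nid = :nid", array(':nid' => $nid));
  $name = $_POST['name']; // security-reviewed: SEC-42
  drupal_set_message(t("Welcome $name"));
  return check_plain($name);
}
"""

# (rule id, what the standard requires instead, pattern). Line-based on purpose:
# cheap enough to hook into the validation tests on every change.
RULES = [
    ("SQL-ASSEMBLY",
     "db_query() SQL assembled from variables; use :placeholders and the args array",
     re.compile(r"""db_query\(\s*(?:"[^"]*\$|'[^']*'\s*\.)""")),
    ("RAW-INPUT",
     "superglobal read directly; take input through the Form API or sanitize it",
     re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\[")),
    ("T-INTERPOLATION",
     "variable interpolated into t(); use @/% placeholders so the value is escaped",
     re.compile(r"""\bt\(\s*"[^"]*\$""")),
    ("EVAL",
     "eval() in custom code; remove",
     re.compile(r"\beval\(")),
]
DESCRIPTIONS = {rule_id: desc for rule_id, desc, _ in RULES}
DOCUMENTED_RE = re.compile(r"security-reviewed:\s*(\S+)")


@dataclass
class Finding:
    rule: str
    line_no: int
    line: str
    documented: Optional[str]  # reference from the annotation when the variance is documented


def scan(source):
    """Run every rule over every line; a finding on an annotated line carries its reference."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        annotation = DOCUMENTED_RE.search(line)
        reference = annotation.group(1) if annotation else None
        for rule_id, _desc, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(rule_id, line_no, line.strip(), reference))
    return findings


def undocumented(findings):
    """The variances that still block sign-off: no review reference attached."""
    return [f for f in findings if f.documented is None]


def report(findings):
    lines = []
    for f in findings:
        status = f"documented ({f.documented})" if f.documented else "UNDOCUMENTED"
        lines.append(f"line {f.line_no} [{f.rule}] {status}: {f.line}")
        lines.append(f"    standard: {DESCRIPTIONS[f.rule]}")
    return "\n".join(lines)


if __name__ == "__main__":
    results = scan(SAMPLE_MODULE)
    print(report(results))
    print(f"{len(undocumented(results))} undocumented variance(s) block sign-off")
```

On the sample module the placeholder query on line 5 passes, the string-built query on line 4 is flagged, and the annotated `$_POST` read on line 6 is reported as a documented variance rather than an open finding. Line-based regex checks of this kind are deliberately coarse; their value is that they run in the validation pipeline on every commit and leave a written record, not that they replace the manual review slide 20 calls for.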
21. Functional Tests
  Application process testing
  Usual suspects:
    Forms
    Fields
    Variable handling
    App-server trust
22. Scanners
  Signature-based detection of vulnerabilities
  False positives
  Documentation of all valid results
  Examples:
    Websecurify
    Skipfish
    Grendel-scan
23. Fuzzers
  Bombard your app with possible data submissions
  Find strings that break the app
  Fix your app
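As an added example for slides 21 and 23 (not from the deck), the Python harness below does the three fuzzer steps against a local form handler: it submits mutated field values, records the submissions that break the handler or violate a business property, and then shows that the fixed handler survives the same submissions. The "before" and "after" handlers, the seed form, the mutation strategies and the unit price are constructed for this demonstration; the forms, fields and variable-handling bugs it surfaces are the usual suspects from slide 21.

```python
"""Fuzz a form handler locally to find the inputs that break it, then confirm the
fix. Added example, not from the deck. Both handlers, the seed form, the
mutators and the unit price are constructed for this demonstration.
"""
import random
import re

SEED_FORM = {"name": "Ada", "email": "ada@example.com", "quantity": "2"}
UNIT_PRICE = 10

# Mutation strategies: each takes the field's seed value and returns a variant to submit.
MUTATORS = [
    lambda s: "",                        # empty
    lambda s: s * 200,                   # oversized
    lambda s: s + "\x00",                # embedded NUL
    lambda s: "-1",                      # negative number
    lambda s: "99999999999999999999",    # huge number
    lambda s: "3.5",                     # non-integer number
    lambda s: "'\"<script>",             # quoting and markup characters
    lambda s: "ünïcödé",                 # non-ASCII text
    lambda s: s.replace("@", ""),        # structurally broken e-mail
    lambda s: " " + s + " ",             # surrounding whitespace
]


class ValidationError(Exception):
    """Rejection of bad input by the hardened handler: expected behaviour, not a crash."""


def handle_order_v1(fields):
    """Constructed 'before' handler: trusts every field it receives."""
    qty = int(fields["quantity"])              # ValueError on anything non-numeric
    domain = fields["email"].split("@")[1]     # IndexError when there is no '@'
    return {"customer": fields["name"].strip(), "domain": domain, "total": qty * UNIT_PRICE}


def handle_order_v2(fields):
    """Fixed handler: validate each field and report all problems as one ValidationError."""
    errors = {}
    name = fields.get("name", "").strip()
    if not name or len(name) > 64 or not name.isprintable():
        errors["name"] = "required, printable, at most 64 characters"
    email = fields.get("email", "").strip()
    if email.count("@") != 1 or len(email) > 254 or not email.isprintable():
        errors["email"] = "exactly one '@', printable, at most 254 characters"
    qty_raw = fields.get("quantity", "").strip()
    # ASCII digits only: str.isdigit() accepts characters that int() rejects (e.g. superscripts).
    if not re.fullmatch(r"[0-9]+", qty_raw) or not 1 <= int(qty_raw) <= 1000:
        errors["quantity"] = "whole number between 1 and 1000"
    if errors:
        raise ValidationError(errors)
    return {"customer": name, "domain": email.split("@")[1], "total": int(qty_raw) * UNIT_PRICE}


def oracle(result):
    """Property every accepted order must satisfy; a violation is a logic bug, not a crash."""
    return result["total"] >= 0


def fuzz(handler, seed=SEED_FORM, random_rounds=100, expected=(ValidationError,)):
    """Submit every single-field mutation plus random two-field combinations; return failures."""
    cases = []
    for field in seed:
        for index, mutate in enumerate(MUTATORS):
            form = dict(seed)
            form[field] = mutate(seed[field])
            cases.append((f"{field}/m{index}", form))
    rng = random.Random(1)  # fixed seed: a failing case can be reproduced
    for _ in range(random_rounds):
        form = dict(seed)
        first, second = rng.sample(list(seed), 2)
        form[first] = rng.choice(MUTATORS)(seed[first])
        form[second] = rng.choice(MUTATORS)(seed[second])
        cases.append((f"{first}+{second}", form))
    failures = []
    for label, form in cases:
        try:
            kind = None if oracle(handler(form)) else "oracle"
        except expected:
            continue
        except Exception as exc:  # any other exception is a crash worth a fix
            kind = type(exc).__name__
        if kind:
            failures.append({"case": label, "kind": kind, "input": form})
    return failures


def kinds(failures):
    return sorted({f["kind"] for f in failures})


if __name__ == "__main__":
    before = fuzz(handle_order_v1)
    print(f"v1: {len(before)} failing submissions, kinds {kinds(before)}")
    for failure in before[:3]:
        print("  ", failure)
    print(f"v2: {len(fuzz(handle_order_v2))} failing submissions")
```

The first handler fails in three distinct ways (unhandled ValueError, unhandled IndexError, and a negative order total that never raises but violates the business property), and each failure record carries the exact submission so the developer can reproduce and fix it. Keeping the fixed handler's rejections as a single expected exception type lets the same harness run unchanged after the fix, which is what makes the "fix your app" step verifiable.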
24. A collaborative approach to security
  Incorporate security expertise into your development team
  Collaborate on controls and remediation
  Include security activities in your project milestones
  Address security issues with each development iteration
25. Take advantage of available support
  Community security patches and bulletins
  Clear processes for addressing vulnerabilities
  Commercial vendors
    Formal channels to report and resolve issues
    Guaranteed levels of response
    Addresses many of the concerns of security professionals
26. Bringing the process to completion
  Verify
  Review
  Fix those errors!
  Finalize
  Get sign-off by process owners
  Submit
  Maintain records
27. Completing the process
  Launch
  Follow your plan to remediate issues and acceptable risks
  Maintain your controls
  Ensure compliance
  Perform reviews
28. What did you think?
  Step 1) Locate this session on the DCSF site: http://sf2010.drupal.org/conference/schedule
  Step 2) Click the “Take Survey” link