SlideShare uma empresa Scribd logo

Security by design: An Introduction to Drupal Security

Mediacurrent
Mediacurrent

Security experts from Mediacurrent, Townsend Security and Lockr uncover how you can protect your site from the growing cybercrime business by starting off on the right foot. This interactive webinar will get you the foundation you need to protect your site and your organization when using Drupal.

Tecnologia
1 de 28
Baixar para ler offline
An Introduction to Drupal Security Security by Design:
Intros Chris Teitzel @technerdteitzel /in/christeitzel Chris has been working in Drupal for almost 8 years. During that time he has worked on projects spanning the globe in front-end design, e-commerce and security. His passion is for making technology accessible to all skillsets. Founder / CEO Lockr 2
Intros Luke Probasco Presenter Photo @geetarluke /in/lukeprobasco/ Manages Drupal business for Townsend Security. DrupalCon, Camp, and Summit speaker. Security professional. Music enthusiast. Drupal GM/Townsend Security 3
Intros Mark Shropshire (shrop) @shrop /in/markshropshire drupal.org Mark brings 20 years of experience leading technical teams to his role as Mediacurrent’s Open Source Security Lead. He is a leader in tech community organizing, blogging, podcasting, and public speaking within the Drupal community. Mark is passionate about architecting systems to solve workflow problems and improve efficiencies using open source software. He is also the maintainer of the Guardr Drupal security module suite. Mediacurrent Open Source Security Lead 4
Style Guide Contents Security by design in Drupal Encrypting sensitive data Key management (encryption & API)4 3 2 1 5 Site audit and security best practices Resources to improve security5 Style Guide6 Takeaways
Security by design in Drupal1
7 Security by Design
8 Compliance, Security, and You ● Data discovery ● PCI DSS, HIPAA, GDPR, etc. ● Hosting and compliance ● See your security team for internal policies and controls Security by Design
9 Keep Drupal Secure ● Keep Core and contrib modules up to date ● Use Drupal API ● Use version control ● Use social and enterprise login ● Use secure passwords ● Two factor authentication ● Log and review logs (watchdog and additional contrib) ● Don’t forget about infrastructure security Security by Design
10 Security in Custom Modules ● Never trust user input ○ Filter plain text with check_plain() or t() ○ Filter HTML with filter_xss() ● Query properly ○ Do not concatenate values into db_query() ○ Instead use parameterized values %s %d %f %b ● Do not output db values directly (don’t trust user input) ● Protect user input - think before you save Security by Design
Site audit and security best practices2
12 What is an audit? ● Review by someone not on the team ○ (internal or external) ● Review of software systems ● Review of supporting infrastructure ● Review of other related systems Site audit and security best practices
13 Performing an audit ● Collect data manually and with tools ○ Analyze the data ○ Prioritize findings ● Eliminate false positives ● Complete usable report(s) Site audit and security best practices
14 OWASP Top 10 Most Critical Web Application Security Risks ● Injection ● Weak authentication and session management ● XSS ● Insecure Direct Object References ● Security Misconfiguration ● Sensitive Data Exposure ● Missing Function Level Access Control ● Cross Site Request Forgery ● Using Components with Known Vulnerabilities ● Unvalidated Redirects and Forwards Site audit and security best practices
15 Drupal audit tools ● Drupal Core reports ● Site Audit ● Security Review ● Sensitive Data ● Hacked! ● Coder ● Review of site config, users, permissions, and roles ● Manual code review Site audit and security best practices
Encrypting sensitive data3
17 Encrypting Data in Drupal ● There is no native way to encrypt data in Drupal ● Compliance and risk management drive encryption ● Use encryption based on industry standards ● Use cryptographically strong keys - no passwords! ● See NIST Special Publication 800-57 for more info Encrypting Sensitive Data
18 What Encryption Should I Use? ● Use AES, RSA, Triple DES, or other standard methods ● Beware of non-standard encryption ● Example: Homomorphic Encryption ○ Has not received wide review and acceptance ○ Cannot be certified by a standards body ○ Cannot achieve FIPS 140-2 validation ○ Compliance regulations prohibit its use Encrypting Sensitive Data
Key management (encryption & API)4
20 McDonald's has acknowledged that a leaky API exposed personal information for users of its McDelivery mobile app in India. The flaw exposed names, email addresses, phone numbers, home addresses and sometimes the coordinates of those homes, as well as links to social media profiles. BankInfoSecurity.com Key Management
21 Our review has shown that a threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US... Through the AWS API, the actor created several instances in our infrastructure to do reconnaissance. OneLogin.com Key Management
22 Payment Gateways Email Marketing SMTP Relays Authentication Shipping Cloud Providers Encryption APIs Key Management
Resources to improve security5
24 Encryption Modules ● Encrypt ● FieldEncrypt ● Real AES ● Encrypt User ● Encrypted Files ● Webform Encrypt Resources to Improve Security
25 Key Management Modules ● Key ● Townsend Security Key Connection ● Lockr Resources to Improve Security
26 Guardr Guardr is a Drupal distribution with a combination of modules and settings to enhance a Drupal application's security and availability to meet enterprise security requirements. https://drupal.org/project/guardr Resources to Improve Security
Takeaways6
Questions? Thank you! @Mediacurrent

Recomendados

20171106 - Privacy Design Lab - LINDDUN
20171106 - Privacy Design Lab - LINDDUN20171106 - Privacy Design Lab - LINDDUN
20171106 - Privacy Design Lab - LINDDUNBrussels Legal Hackers
 
Security by Design: An Introduction to Drupal Security
Security by Design: An Introduction to Drupal SecuritySecurity by Design: An Introduction to Drupal Security
Security by Design: An Introduction to Drupal SecurityTara Arnold
 
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal AuditorsION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal Auditorsmdagrossa
 
Securing the Internet from Cyber Criminals
Securing the Internet from Cyber CriminalsSecuring the Internet from Cyber Criminals
Securing the Internet from Cyber CriminalsNarudom Roongsiriwong, CISSP
 
Ransomware Detection: Don’t Pay Up. Backup.
Ransomware Detection: Don’t Pay Up. Backup.Ransomware Detection: Don’t Pay Up. Backup.
Ransomware Detection: Don’t Pay Up. Backup.marketingunitrends
 
CSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesCSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesNCCOMMS
 
Mastering Next Gen SIEM Use Cases (Part 2)
Mastering Next Gen SIEM Use Cases (Part 2)Mastering Next Gen SIEM Use Cases (Part 2)
Mastering Next Gen SIEM Use Cases (Part 2)DNIF
 
Maltego Webinar Slides
Maltego Webinar SlidesMaltego Webinar Slides
Maltego Webinar SlidesThreatConnect
 

Recomendados

20171106 - Privacy Design Lab - LINDDUN
20171106 - Privacy Design Lab - LINDDUN20171106 - Privacy Design Lab - LINDDUN
20171106 - Privacy Design Lab - LINDDUNBrussels Legal Hackers
 
Security by Design: An Introduction to Drupal Security
Security by Design: An Introduction to Drupal SecuritySecurity by Design: An Introduction to Drupal Security
Security by Design: An Introduction to Drupal SecurityTara Arnold
 
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal AuditorsION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal Auditorsmdagrossa
 
Securing the Internet from Cyber Criminals
Securing the Internet from Cyber CriminalsSecuring the Internet from Cyber Criminals
Securing the Internet from Cyber CriminalsNarudom Roongsiriwong, CISSP
 
Ransomware Detection: Don’t Pay Up. Backup.
Ransomware Detection: Don’t Pay Up. Backup.Ransomware Detection: Don’t Pay Up. Backup.
Ransomware Detection: Don’t Pay Up. Backup.marketingunitrends
 
CSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesCSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesNCCOMMS
 
Mastering Next Gen SIEM Use Cases (Part 2)
Mastering Next Gen SIEM Use Cases (Part 2)Mastering Next Gen SIEM Use Cases (Part 2)
Mastering Next Gen SIEM Use Cases (Part 2)DNIF
 
Maltego Webinar Slides
Maltego Webinar SlidesMaltego Webinar Slides
Maltego Webinar SlidesThreatConnect
 
Webinar: Backup vs. Ransomware - 5 Requirements for Backup Success
Webinar: Backup vs. Ransomware - 5 Requirements for Backup SuccessWebinar: Backup vs. Ransomware - 5 Requirements for Backup Success
Webinar: Backup vs. Ransomware - 5 Requirements for Backup SuccessStorage Switzerland
 
Application Security Verification Standard Project
Application Security Verification Standard ProjectApplication Security Verification Standard Project
Application Security Verification Standard ProjectNarudom Roongsiriwong, CISSP
 
Triangulum - Ransomware Evolved - Why your backups arent good enough
Triangulum - Ransomware Evolved - Why your backups arent good enoughTriangulum - Ransomware Evolved - Why your backups arent good enough
Triangulum - Ransomware Evolved - Why your backups arent good enoughMartin Opsahl
 
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive PresentationNormShield, Inc.
 
From Business Architecture to Security Architecture
From Business Architecture to Security ArchitectureFrom Business Architecture to Security Architecture
From Business Architecture to Security ArchitecturePriyanka Aash
 
Cyber intelligence for corporate security
Cyber intelligence for corporate securityCyber intelligence for corporate security
Cyber intelligence for corporate securityG3 intelligence Ltd
 
Evidence-Based Security: The New Top Five Controls
Evidence-Based Security: The New Top Five ControlsEvidence-Based Security: The New Top Five Controls
Evidence-Based Security: The New Top Five ControlsPriyanka Aash
 
Safeguard your enterprise against ransomware
Safeguard your enterprise against ransomwareSafeguard your enterprise against ransomware
Safeguard your enterprise against ransomwareQuick Heal Technologies Ltd.
 
Down The Rabbit Hole, From Networker to Security Professional
Down The Rabbit Hole, From Networker to Security ProfessionalDown The Rabbit Hole, From Networker to Security Professional
Down The Rabbit Hole, From Networker to Security ProfessionalSatria Ady Pradana
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Network Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information SecurityNetwork Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information SecurityEryk Budi Pratama
 
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014Santiago Bassett
 
Top 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsTop 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsNarudom Roongsiriwong, CISSP
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Sqrrl
 
Cisa ransomware guide
Cisa ransomware guideCisa ransomware guide
Cisa ransomware guideanpapathanasiou
 
Mastering Next Gen SIEM Use Cases (Part 1)
Mastering Next Gen SIEM Use Cases (Part 1)Mastering Next Gen SIEM Use Cases (Part 1)
Mastering Next Gen SIEM Use Cases (Part 1)DNIF
 
Malware Analysis
Malware AnalysisMalware Analysis
Malware AnalysisRamin Farajpour Cami
 
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...AlienVault
 
The Making of a simple Cyber Threat Intelligence Gathering System
The Making of a simple Cyber Threat Intelligence Gathering SystemThe Making of a simple Cyber Threat Intelligence Gathering System
The Making of a simple Cyber Threat Intelligence Gathering SystemNiran Seriki, CCISO, CISM
 
Threat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty TrainingThreat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty TrainingPriyanka Aash
 
Privacy by Design - taking in account the state of the art
Privacy by Design - taking in account the state of the artPrivacy by Design - taking in account the state of the art
Privacy by Design - taking in account the state of the artJames Mulhern
 
Safeguarding privacy in research design
Safeguarding privacy in research designSafeguarding privacy in research design
Safeguarding privacy in research designMarlon Domingus
 

Mais conteúdo relacionado

Mais procurados

Webinar: Backup vs. Ransomware - 5 Requirements for Backup Success
Webinar: Backup vs. Ransomware - 5 Requirements for Backup SuccessWebinar: Backup vs. Ransomware - 5 Requirements for Backup Success
Webinar: Backup vs. Ransomware - 5 Requirements for Backup SuccessStorage Switzerland
 
Application Security Verification Standard Project
Application Security Verification Standard ProjectApplication Security Verification Standard Project
Application Security Verification Standard ProjectNarudom Roongsiriwong, CISSP
 
Triangulum - Ransomware Evolved - Why your backups arent good enough
Triangulum - Ransomware Evolved - Why your backups arent good enoughTriangulum - Ransomware Evolved - Why your backups arent good enough
Triangulum - Ransomware Evolved - Why your backups arent good enoughMartin Opsahl
 
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive PresentationNormShield, Inc.
 
From Business Architecture to Security Architecture
From Business Architecture to Security ArchitectureFrom Business Architecture to Security Architecture
From Business Architecture to Security ArchitecturePriyanka Aash
 
Cyber intelligence for corporate security
Cyber intelligence for corporate securityCyber intelligence for corporate security
Cyber intelligence for corporate securityG3 intelligence Ltd
 
Evidence-Based Security: The New Top Five Controls
Evidence-Based Security: The New Top Five ControlsEvidence-Based Security: The New Top Five Controls
Evidence-Based Security: The New Top Five ControlsPriyanka Aash
 
Down The Rabbit Hole, From Networker to Security Professional
Down The Rabbit Hole, From Networker to Security ProfessionalDown The Rabbit Hole, From Networker to Security Professional
Down The Rabbit Hole, From Networker to Security ProfessionalSatria Ady Pradana
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Network Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information SecurityNetwork Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information SecurityEryk Budi Pratama
 
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014Santiago Bassett
 
Top 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsTop 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsNarudom Roongsiriwong, CISSP
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Sqrrl
 
Mastering Next Gen SIEM Use Cases (Part 1)
Mastering Next Gen SIEM Use Cases (Part 1)Mastering Next Gen SIEM Use Cases (Part 1)
Mastering Next Gen SIEM Use Cases (Part 1)DNIF
 
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...AlienVault
 
The Making of a simple Cyber Threat Intelligence Gathering System
The Making of a simple Cyber Threat Intelligence Gathering SystemThe Making of a simple Cyber Threat Intelligence Gathering System
The Making of a simple Cyber Threat Intelligence Gathering SystemNiran Seriki, CCISO, CISM
 
Threat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty TrainingThreat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty TrainingPriyanka Aash
 

Mais procurados (20)

Webinar: Backup vs. Ransomware - 5 Requirements for Backup Success
Webinar: Backup vs. Ransomware - 5 Requirements for Backup SuccessWebinar: Backup vs. Ransomware - 5 Requirements for Backup Success
Webinar: Backup vs. Ransomware - 5 Requirements for Backup Success
 
Application Security Verification Standard Project
Application Security Verification Standard ProjectApplication Security Verification Standard Project
Application Security Verification Standard Project
 
Triangulum - Ransomware Evolved - Why your backups arent good enough
Triangulum - Ransomware Evolved - Why your backups arent good enoughTriangulum - Ransomware Evolved - Why your backups arent good enough
Triangulum - Ransomware Evolved - Why your backups arent good enough
 
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
 
From Business Architecture to Security Architecture
From Business Architecture to Security ArchitectureFrom Business Architecture to Security Architecture
From Business Architecture to Security Architecture
 
Cyber intelligence for corporate security
Cyber intelligence for corporate securityCyber intelligence for corporate security
Cyber intelligence for corporate security
 
Evidence-Based Security: The New Top Five Controls
Evidence-Based Security: The New Top Five ControlsEvidence-Based Security: The New Top Five Controls
Evidence-Based Security: The New Top Five Controls
 
Safeguard your enterprise against ransomware
Safeguard your enterprise against ransomwareSafeguard your enterprise against ransomware
Safeguard your enterprise against ransomware
 
Down The Rabbit Hole, From Networker to Security Professional
Down The Rabbit Hole, From Networker to Security ProfessionalDown The Rabbit Hole, From Networker to Security Professional
Down The Rabbit Hole, From Networker to Security Professional
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
Network Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information SecurityNetwork Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information Security
 
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
 
Top 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsTop 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security Problems
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
 
Cisa ransomware guide
Cisa ransomware guideCisa ransomware guide
Cisa ransomware guide
 
Mastering Next Gen SIEM Use Cases (Part 1)
Mastering Next Gen SIEM Use Cases (Part 1)Mastering Next Gen SIEM Use Cases (Part 1)
Mastering Next Gen SIEM Use Cases (Part 1)
 
Malware Analysis
Malware AnalysisMalware Analysis
Malware Analysis
 
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
 
The Making of a simple Cyber Threat Intelligence Gathering System
The Making of a simple Cyber Threat Intelligence Gathering SystemThe Making of a simple Cyber Threat Intelligence Gathering System
The Making of a simple Cyber Threat Intelligence Gathering System
 
Threat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty TrainingThreat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty Training
 

Destaque

Privacy by Design - taking in account the state of the art
Privacy by Design - taking in account the state of the artPrivacy by Design - taking in account the state of the art
Privacy by Design - taking in account the state of the artJames Mulhern
 
Safeguarding privacy in research design
Safeguarding privacy in research designSafeguarding privacy in research design
Safeguarding privacy in research designMarlon Domingus
 
Privacy by Design Seminar - Jan 22, 2015
Privacy by Design Seminar - Jan 22, 2015Privacy by Design Seminar - Jan 22, 2015
Privacy by Design Seminar - Jan 22, 2015Dr. Ann Cavoukian
 
Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong...
Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong...Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong...
Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong...Amazon Web Services
 
Privacy By Designer (PHP.ghent)
Privacy By Designer (PHP.ghent)Privacy By Designer (PHP.ghent)
Privacy By Designer (PHP.ghent)Ann Wuyts
 
Top career課件
Top career課件Top career課件
Top career課件Qilian
 
Information Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsInformation Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsMarius FAILLOT DEVARRE
 
Advantages of privacy by design in IoE
Advantages of privacy by design in IoEAdvantages of privacy by design in IoE
Advantages of privacy by design in IoEMarc Vael
 
Privacy by Design: White Papaer
Privacy by Design: White PapaerPrivacy by Design: White Papaer
Privacy by Design: White PapaerKristyn Greenwood
 
Managing Cloud Security Design and Implementation in a Ransomware World
Managing Cloud Security Design and Implementation in a Ransomware World Managing Cloud Security Design and Implementation in a Ransomware World
Managing Cloud Security Design and Implementation in a Ransomware World MongoDB
 
Don't Ask, Don't Tell - The Virtues of Privacy By Design
Don't Ask, Don't Tell - The Virtues of Privacy By DesignDon't Ask, Don't Tell - The Virtues of Privacy By Design
Don't Ask, Don't Tell - The Virtues of Privacy By DesignEleanor McHugh
 
Google在被遺忘權 (Right to Be Forgotten)中所扮演的角色
Google在被遺忘權 (Right to Be Forgotten)中所扮演的角色Google在被遺忘權 (Right to Be Forgotten)中所扮演的角色
Google在被遺忘權 (Right to Be Forgotten)中所扮演的角色Wayne Chung
 
Privacy by design
Privacy by designPrivacy by design
Privacy by designblogzilla
 
#Ready4EUdataP Privacy by Design: effetti pratici sui sistemi IT Giancarlo Butti
#Ready4EUdataP Privacy by Design: effetti pratici sui sistemi IT Giancarlo Butti#Ready4EUdataP Privacy by Design: effetti pratici sui sistemi IT Giancarlo Butti
#Ready4EUdataP Privacy by Design: effetti pratici sui sistemi IT Giancarlo ButtiEuroPrivacy
 
Ame Elliott – No, Thank You: User Experience Design for Privacy
Ame Elliott – No, Thank You: User Experience Design for PrivacyAme Elliott – No, Thank You: User Experience Design for Privacy
Ame Elliott – No, Thank You: User Experience Design for PrivacyNEXT Conference
 

Destaque (17)

Privacy by Design - taking in account the state of the art
Privacy by Design - taking in account the state of the artPrivacy by Design - taking in account the state of the art
Privacy by Design - taking in account the state of the art
 
Safeguarding privacy in research design
Safeguarding privacy in research designSafeguarding privacy in research design
Safeguarding privacy in research design
 
Privacy by Design Seminar - Jan 22, 2015
Privacy by Design Seminar - Jan 22, 2015Privacy by Design Seminar - Jan 22, 2015
Privacy by Design Seminar - Jan 22, 2015
 
Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong...
Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong...Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong...
Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong...
 
Privacy By Designer (PHP.ghent)
Privacy By Designer (PHP.ghent)Privacy By Designer (PHP.ghent)
Privacy By Designer (PHP.ghent)
 
Top career課件
Top career課件Top career課件
Top career課件
 
Information Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsInformation Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & Metrics
 
Advantages of privacy by design in IoE
Advantages of privacy by design in IoEAdvantages of privacy by design in IoE
Advantages of privacy by design in IoE
 
Privacy by Design: White Papaer
Privacy by Design: White PapaerPrivacy by Design: White Papaer
Privacy by Design: White Papaer
 
Managing Cloud Security Design and Implementation in a Ransomware World
Managing Cloud Security Design and Implementation in a Ransomware World Managing Cloud Security Design and Implementation in a Ransomware World
Managing Cloud Security Design and Implementation in a Ransomware World
 
Don't Ask, Don't Tell - The Virtues of Privacy By Design
Don't Ask, Don't Tell - The Virtues of Privacy By DesignDon't Ask, Don't Tell - The Virtues of Privacy By Design
Don't Ask, Don't Tell - The Virtues of Privacy By Design
 
Google在被遺忘權 (Right to Be Forgotten)中所扮演的角色
Google在被遺忘權 (Right to Be Forgotten)中所扮演的角色Google在被遺忘權 (Right to Be Forgotten)中所扮演的角色
Google在被遺忘權 (Right to Be Forgotten)中所扮演的角色
 
Privacy by design
Privacy by designPrivacy by design
Privacy by design
 
#Ready4EUdataP Privacy by Design: effetti pratici sui sistemi IT Giancarlo Butti
#Ready4EUdataP Privacy by Design: effetti pratici sui sistemi IT Giancarlo Butti#Ready4EUdataP Privacy by Design: effetti pratici sui sistemi IT Giancarlo Butti
#Ready4EUdataP Privacy by Design: effetti pratici sui sistemi IT Giancarlo Butti
 
Ame Elliott – No, Thank You: User Experience Design for Privacy
Ame Elliott – No, Thank You: User Experience Design for PrivacyAme Elliott – No, Thank You: User Experience Design for Privacy
Ame Elliott – No, Thank You: User Experience Design for Privacy
 
Data Pipeline Matters
Data Pipeline MattersData Pipeline Matters
Data Pipeline Matters
 
The AI Rush
The AI RushThe AI Rush
The AI Rush
 

Semelhante a Security by design: An Introduction to Drupal Security

<marquee>html title testfsdjk34254</marquee>
<marquee>html title testfsdjk34254</marquee><marquee>html title testfsdjk34254</marquee>
<marquee>html title testfsdjk34254</marquee>slideshareperson2
 
Secure codingguide
Secure codingguideSecure codingguide
Secure codingguideDavid Kwak
 
Security Fundamentals and Threat Modelling
Security Fundamentals and Threat ModellingSecurity Fundamentals and Threat Modelling
Security Fundamentals and Threat ModellingKnoldus Inc.
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Mobile App Security - Best Practices
Mobile App Security - Best PracticesMobile App Security - Best Practices
Mobile App Security - Best PracticesRedBlackTree
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecLalit Kale
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best PracticesClint Edmonson
 
12 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 201812 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 2018Paula Januszkiewicz
 
Drupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupDrupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupChris Hales
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat ModelingDanny Wong
 
Security Incident machnism Security Incident machnismSecurity Incident machni...
Security Incident machnism Security Incident machnismSecurity Incident machni...Security Incident machnism Security Incident machnismSecurity Incident machni...
Security Incident machnism Security Incident machnismSecurity Incident machni...karthikvcyber
 
iotsecurity-171108154118.pdf
iotsecurity-171108154118.pdfiotsecurity-171108154118.pdf
iotsecurity-171108154118.pdfKerimBozkanli
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Disruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDisruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDebra Baker, CISSP CSSP
 
19BCP072_Presentation_Final.pdf
19BCP072_Presentation_Final.pdf19BCP072_Presentation_Final.pdf
19BCP072_Presentation_Final.pdfKunjJoshi14
 

Semelhante a Security by design: An Introduction to Drupal Security (20)

" onclick="alert(1)
" onclick="alert(1)" onclick="alert(1)
" onclick="alert(1)
 
<marquee>html title testfsdjk34254</marquee>
<marquee>html title testfsdjk34254</marquee><marquee>html title testfsdjk34254</marquee>
<marquee>html title testfsdjk34254</marquee>
 
Secure codingguide
Secure codingguideSecure codingguide
Secure codingguide
 
Security Fundamentals and Threat Modelling
Security Fundamentals and Threat ModellingSecurity Fundamentals and Threat Modelling
Security Fundamentals and Threat Modelling
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
Mobile App Security - Best Practices
Mobile App Security - Best PracticesMobile App Security - Best Practices
Mobile App Security - Best Practices
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
IoT Security
IoT SecurityIoT Security
IoT Security
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best Practices
 
Security overview 2
Security overview 2Security overview 2
Security overview 2
 
12 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 201812 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 2018
 
Drupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupDrupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January Meetup
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat Modeling
 
Security Incident machnism Security Incident machnismSecurity Incident machni...
Security Incident machnism Security Incident machnismSecurity Incident machni...Security Incident machnism Security Incident machnismSecurity Incident machni...
Security Incident machnism Security Incident machnismSecurity Incident machni...
 
iotsecurity-171108154118.pdf
iotsecurity-171108154118.pdfiotsecurity-171108154118.pdf
iotsecurity-171108154118.pdf
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Disruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDisruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptx
 
Web Security
Web SecurityWeb Security
Web Security
 
19BCP072_Presentation_Final.pdf
19BCP072_Presentation_Final.pdf19BCP072_Presentation_Final.pdf
19BCP072_Presentation_Final.pdf
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
 

Mais de Mediacurrent

Penn State News: Pivoting to Decoupled Drupal with Gatsby
Penn State News: Pivoting to Decoupled Drupal with GatsbyPenn State News: Pivoting to Decoupled Drupal with Gatsby
Penn State News: Pivoting to Decoupled Drupal with GatsbyMediacurrent
 
Evolving How We Measure Digital Success in Higher Ed
Evolving How We Measure Digital Success in Higher EdEvolving How We Measure Digital Success in Higher Ed
Evolving How We Measure Digital Success in Higher EdMediacurrent
 
Penn State scales static Drupal to new heights
Penn State scales static Drupal to new heightsPenn State scales static Drupal to new heights
Penn State scales static Drupal to new heightsMediacurrent
 
Delivering Meaningful Digital Experiences in Higher Ed
Delivering Meaningful Digital Experiences in Higher EdDelivering Meaningful Digital Experiences in Higher Ed
Delivering Meaningful Digital Experiences in Higher EdMediacurrent
 
Content Strategy: Building Connections with Your Audience
Content Strategy: Building Connections with Your AudienceContent Strategy: Building Connections with Your Audience
Content Strategy: Building Connections with Your AudienceMediacurrent
 
Decoupled Drupal and Gatsby in the Real World
Decoupled Drupal and Gatsby in the Real WorldDecoupled Drupal and Gatsby in the Real World
Decoupled Drupal and Gatsby in the Real WorldMediacurrent
 
A Better Way to Build and Manage Sites with Rain for Drupal 9
A Better Way to Build and Manage Sites with Rain for Drupal 9A Better Way to Build and Manage Sites with Rain for Drupal 9
A Better Way to Build and Manage Sites with Rain for Drupal 9Mediacurrent
 
Drupal Security: What You Need to Know
Drupal Security: What You Need to KnowDrupal Security: What You Need to Know
Drupal Security: What You Need to KnowMediacurrent
 
Leveraging Design Systems to Streamline Web Projects
Leveraging Design Systems to Streamline Web ProjectsLeveraging Design Systems to Streamline Web Projects
Leveraging Design Systems to Streamline Web ProjectsMediacurrent
 
Reimagining Your Higher Ed Web Strategy
Reimagining Your Higher Ed Web StrategyReimagining Your Higher Ed Web Strategy
Reimagining Your Higher Ed Web StrategyMediacurrent
 
How to Digitally Transform Higher Ed with Drupal
How to Digitally Transform Higher Ed with DrupalHow to Digitally Transform Higher Ed with Drupal
How to Digitally Transform Higher Ed with DrupalMediacurrent
 
Is my website accessible? Common mistakes (and how to fix them)
Is my website accessible? Common mistakes (and how to fix them)Is my website accessible? Common mistakes (and how to fix them)
Is my website accessible? Common mistakes (and how to fix them)Mediacurrent
 
Managing Images In Large Scale Drupal 8 & 9 Websites
Managing Images In Large Scale Drupal 8 & 9 WebsitesManaging Images In Large Scale Drupal 8 & 9 Websites
Managing Images In Large Scale Drupal 8 & 9 WebsitesMediacurrent
 
Paragraphs v Layout Builder - The Final Showdown
Paragraphs v Layout Builder - The Final ShowdownParagraphs v Layout Builder - The Final Showdown
Paragraphs v Layout Builder - The Final ShowdownMediacurrent
 
MagMutual.com: On the JAMStack with Gatsby and Drupal 8
MagMutual.com: On the JAMStack with Gatsby and Drupal 8 MagMutual.com: On the JAMStack with Gatsby and Drupal 8
MagMutual.com: On the JAMStack with Gatsby and Drupal 8Mediacurrent
 
Creating an Organizational Culture of Giving Back to Drupal
Creating an Organizational Culture of Giving Back to DrupalCreating an Organizational Culture of Giving Back to Drupal
Creating an Organizational Culture of Giving Back to DrupalMediacurrent
 
Level Up Your Team: Front-End Development Best Practices
Level Up Your Team: Front-End Development Best PracticesLevel Up Your Team: Front-End Development Best Practices
Level Up Your Team: Front-End Development Best PracticesMediacurrent
 
Best Practices for Moving to Drupal 9
Best Practices for Moving to Drupal 9Best Practices for Moving to Drupal 9
Best Practices for Moving to Drupal 9Mediacurrent
 
How to Prove Marketing ROI: Overcoming Digital Marketing Challenges
How to Prove Marketing ROI: Overcoming Digital Marketing ChallengesHow to Prove Marketing ROI: Overcoming Digital Marketing Challenges
How to Prove Marketing ROI: Overcoming Digital Marketing ChallengesMediacurrent
 
Prepare Your Drupal 9 Action Plan
Prepare Your Drupal 9 Action Plan Prepare Your Drupal 9 Action Plan
Prepare Your Drupal 9 Action Plan Mediacurrent
 

Mais de Mediacurrent (20)

Penn State News: Pivoting to Decoupled Drupal with Gatsby
Penn State News: Pivoting to Decoupled Drupal with GatsbyPenn State News: Pivoting to Decoupled Drupal with Gatsby
Penn State News: Pivoting to Decoupled Drupal with Gatsby
 
Evolving How We Measure Digital Success in Higher Ed
Evolving How We Measure Digital Success in Higher EdEvolving How We Measure Digital Success in Higher Ed
Evolving How We Measure Digital Success in Higher Ed
 
Penn State scales static Drupal to new heights
Penn State scales static Drupal to new heightsPenn State scales static Drupal to new heights
Penn State scales static Drupal to new heights
 
Delivering Meaningful Digital Experiences in Higher Ed
Delivering Meaningful Digital Experiences in Higher EdDelivering Meaningful Digital Experiences in Higher Ed
Delivering Meaningful Digital Experiences in Higher Ed
 
Content Strategy: Building Connections with Your Audience
Content Strategy: Building Connections with Your AudienceContent Strategy: Building Connections with Your Audience
Content Strategy: Building Connections with Your Audience
 
Decoupled Drupal and Gatsby in the Real World
Decoupled Drupal and Gatsby in the Real WorldDecoupled Drupal and Gatsby in the Real World
Decoupled Drupal and Gatsby in the Real World
 
A Better Way to Build and Manage Sites with Rain for Drupal 9
A Better Way to Build and Manage Sites with Rain for Drupal 9A Better Way to Build and Manage Sites with Rain for Drupal 9
A Better Way to Build and Manage Sites with Rain for Drupal 9
 
Drupal Security: What You Need to Know
Drupal Security: What You Need to KnowDrupal Security: What You Need to Know
Drupal Security: What You Need to Know
 
Leveraging Design Systems to Streamline Web Projects
Leveraging Design Systems to Streamline Web ProjectsLeveraging Design Systems to Streamline Web Projects
Leveraging Design Systems to Streamline Web Projects
 
Reimagining Your Higher Ed Web Strategy
Reimagining Your Higher Ed Web StrategyReimagining Your Higher Ed Web Strategy
Reimagining Your Higher Ed Web Strategy
 
How to Digitally Transform Higher Ed with Drupal
How to Digitally Transform Higher Ed with DrupalHow to Digitally Transform Higher Ed with Drupal
How to Digitally Transform Higher Ed with Drupal
 
Is my website accessible? Common mistakes (and how to fix them)
Is my website accessible? Common mistakes (and how to fix them)Is my website accessible? Common mistakes (and how to fix them)
Is my website accessible? Common mistakes (and how to fix them)
 
Managing Images In Large Scale Drupal 8 & 9 Websites
Managing Images In Large Scale Drupal 8 & 9 WebsitesManaging Images In Large Scale Drupal 8 & 9 Websites
Managing Images In Large Scale Drupal 8 & 9 Websites
 
Paragraphs v Layout Builder - The Final Showdown
Paragraphs v Layout Builder - The Final ShowdownParagraphs v Layout Builder - The Final Showdown
Paragraphs v Layout Builder - The Final Showdown
 
MagMutual.com: On the JAMStack with Gatsby and Drupal 8
MagMutual.com: On the JAMStack with Gatsby and Drupal 8 MagMutual.com: On the JAMStack with Gatsby and Drupal 8
MagMutual.com: On the JAMStack with Gatsby and Drupal 8
 
Creating an Organizational Culture of Giving Back to Drupal
Creating an Organizational Culture of Giving Back to DrupalCreating an Organizational Culture of Giving Back to Drupal
Creating an Organizational Culture of Giving Back to Drupal
 
Level Up Your Team: Front-End Development Best Practices
Level Up Your Team: Front-End Development Best PracticesLevel Up Your Team: Front-End Development Best Practices
Level Up Your Team: Front-End Development Best Practices
 
Best Practices for Moving to Drupal 9
Best Practices for Moving to Drupal 9Best Practices for Moving to Drupal 9
Best Practices for Moving to Drupal 9
 
How to Prove Marketing ROI: Overcoming Digital Marketing Challenges
How to Prove Marketing ROI: Overcoming Digital Marketing ChallengesHow to Prove Marketing ROI: Overcoming Digital Marketing Challenges
How to Prove Marketing ROI: Overcoming Digital Marketing Challenges
 
Prepare Your Drupal 9 Action Plan
Prepare Your Drupal 9 Action Plan Prepare Your Drupal 9 Action Plan
Prepare Your Drupal 9 Action Plan
 

Último

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 

Último (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

Security by design: An Introduction to Drupal Security

  • 1. An Introduction to Drupal Security Security by Design:
  • 2. Intros Chris Teitzel @technerdteitzel /in/christeitzel Chris has been working in Drupal for almost 8 years. During that time he has worked on projects spanning the globe in front-end design, e-commerce and security. His passion is for making technology accessible to all skillsets. Founder / CEO Lockr 2
  • 3. Intros Luke Probasco Presenter Photo @geetarluke /in/lukeprobasco/ Manages Drupal business for Townsend Security. DrupalCon, Camp, and Summit speaker. Security professional. Music enthusiast. Drupal GM/Townsend Security 3
  • 4. Intros Mark Shropshire (shrop) @shrop /in/markshropshire drupal.org Mark brings 20 years of experience leading technical teams to his role as Mediacurrent’s Open Source Security Lead. He is a leader in tech community organizing, blogging, podcasting, and public speaking within the Drupal community. Mark is passionate about architecting systems to solve workflow problems and improve efficiencies using open source software. He is also the maintainer of the Guardr Drupal security module suite. Mediacurrent Open Source Security Lead 4
  • 5. Style Guide Contents Security by design in Drupal Encrypting sensitive data Key management (encryption & API)4 3 2 1 5 Site audit and security best practices Resources to improve security5 Style Guide6 Takeaways
  • 6. Security by design in Drupal1
  • 8. 8 Compliance, Security, and You ● Data discovery ● PCI DSS, HIPAA, GDPR, etc. ● Hosting and compliance ● See your security team for internal policies and controls Security by Design
  • 9. 9 Keep Drupal Secure ● Keep Core and contrib modules up to date ● Use Drupal API ● Use version control ● Use social and enterprise login ● Use secure passwords ● Two factor authentication ● Log and review logs (watchdog and additional contrib) ● Don’t forget about infrastructure security Security by Design
  • 10. 10 Security in Custom Modules ● Never trust user input ○ Filter plain text with check_plain() or t() ○ Filter HTML with filter_xss() ● Query properly ○ Do not concatenate values into db_query() ○ Instead use parameterized values %s %d %f %b ● Do not output db values directly (don’t trust user input) ● Protect user input - think before you save Security by Design
  • 11. Site audit and security best practices2
  • 12. 12 What is an audit? ● Review by someone not on the team ○ (internal or external) ● Review of software systems ● Review of supporting infrastructure ● Review of other related systems Site audit and security best practices
  • 13. 13 Performing an audit ● Collect data manually and with tools ○ Analyze the data ○ Prioritize findings ● Eliminate false positives ● Complete usable report(s) Site audit and security best practices
  • 14. 14 OWASP Top 10 Most Critical Web Application Security Risks ● Injection ● Weak authentication and session management ● XSS ● Insecure Direct Object References ● Security Misconfiguration ● Sensitive Data Exposure ● Missing Function Level Access Control ● Cross Site Request Forgery ● Using Components with Known Vulnerabilities ● Unvalidated Redirects and Forwards Site audit and security best practices
  • 15. 15 Drupal audit tools ● Drupal Core reports ● Site Audit ● Security Review ● Sensitive Data ● Hacked! ● Coder ● Review of site config, users, permissions, and roles ● Manual code review Site audit and security best practices
  • 17. 17 Encrypting Data in Drupal ● There is no native way to encrypt data in Drupal ● Compliance and risk management drive encryption ● Use encryption based on industry standards ● Use cryptographically strong keys - no passwords! ● See NIST Special Publication 800-57 for more info Encrypting Sensitive Data
  • 18. 18 What Encryption Should I Use? ● Use AES, RSA, Triple DES, or other standard methods ● Beware of non-standard encryption ● Example: Homomorphic Encryption ○ Has not received wide review and acceptance ○ Cannot be certified by a standards body ○ Cannot achieve FIPS 140-2 validation ○ Compliance regulations prohibit its use Encrypting Sensitive Data
  • 20. 20 McDonald's has acknowledged that a leaky API exposed personal information for users of its McDelivery mobile app in India. The flaw exposed names, email addresses, phone numbers, home addresses and sometimes the coordinates of those homes, as well as links to social media profiles. BankInfoSecurity.com Key Management
  • 21. 21 Our review has shown that a threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US... Through the AWS API, the actor created several instances in our infrastructure to do reconnaissance. OneLogin.com Key Management
  • 22. 22 Payment Gateways Email Marketing SMTP Relays Authentication Shipping Cloud Providers Encryption APIs Key Management
  • 23. Resources to improve security5
  • 24. 24 Encryption Modules ● Encrypt ● FieldEncrypt ● Real AES ● Encrypt User ● Encrypted Files ● Webform Encrypt Resources to Improve Security
  • 25. 25 Key Management Modules ● Key ● Townsend Security Key Connection ● Lockr Resources to Improve Security
  • 26. 26 Guardr Guardr is a Drupal distribution with a combination of modules and settings to enhance a Drupal application's security and availability to meet enterprise security requirements. https://drupal.org/project/guardr Resources to Improve Security