A bug's life - Decoupled Drupal Security and Vulnerability Management
2. Tatar Balazs Janos
@tatarbj
Works with Drupal since 2007
CTO @ Petend
Drupal Security Correspondent @ European Commission
Provisional member @ Drupal Security Team
SecOSdreamer @ Secure Open Source days (SecOSdays)
Active mentor @ Mentoring community group
TATAR BALAZS JANOS
@tatarbj
WHO AM I?
3. A bug’s life
Security awareness at work
4. SECURITY AWARENESS
Security measures at our work place
- Programs to educate employees
- DevSecOps
- Individual responsibilities for company security policies
- Measures to audit these efforts
6. EASY-TO-IMPLEMENT STEPS
Hints for small businesses
- Use different forms of media to reinforce the message
- Highlight recent attacks in the news
- Seek the services of a professional
7. Security issues are bugs with different severity and business impact.
8. THE BUG
Programming malfunction
- Authentication / Authorization / Data confidentiality / Data integrity
- No blaming game!
9. The Eggs
Planning and Security by Design
10. PLANNING PHASE
At the start of every IT project
- Budgeting issues
- Continuous education
- Iterative approach
12. Is the process surrounding this feature as safe as possible?
In other words, is this a flawed process?
13. If I were evil, how would I abuse this feature?
14. Is the feature required to be on by default?
If so, are there limits or options that could help reduce the risk from this feature?
15. SECURITY PRINCIPLES I.
First and second parties
- Minimize attack surface area
- Establish secure defaults
- Least privilege
- Defense in depth
- Fail securely
17. The Caterpillar
Development iterations until the first release
18. Stakeholders’ knowledge of basic principles and how they may be implemented in a software product is vital to software security.
19. THE BASIC SKILLS
The secure mind-set
- Protection from disclosure/alteration/destruction
- Rights and privileges belonging to the requester
- Ability to build historical evidence
- Management of configuration, sessions and errors/exceptions
20. APPLICATION LEVEL SECURITY
Protection of your application
- Sanitize inputs on both the client side and the server side
- Verify file upload functionality
- Use only current encryption and hashing algorithms
- Check the randomness of the session
- Make sure third-party libraries are secure
- Set a strong password policy
21. INFRASTRUCTURE LEVEL SECURITY
Protection of your host
- Use HTTPS for domain entries
- Do not allow directory listing
- Use TLS, not SSL
- Hide web server information
22. WEB SECURITY PRACTICES
Protection of your users
- Encode request/response
- Do not store sensitive data inside cookies
- Set Secure and HttpOnly flags on cookies
- Do not store sensitive information in a form’s hidden fields
- Set secure response headers
23. The Chrysalis
First releases of the application
24. VULNERABILITY ASSESSMENT
Forest of the false positive issues
- Environmental conditions
- Scanning of the application / infrastructure
- Iterative approach to improve findings
- Asset management
25. SECURITY ASSESSMENT
VA + manual verification
- Looking to gain a broad coverage of the systems under test
- No exploitation of vulnerabilities
- Verification by authorized access
- Examining logs, system responses, error messages, code, etc.
27. SECURITY AUDIT
VA + SA + Pentest
- Driven by a risk function to look at specific compliance issues
- Combination of different approaches
- Characterized by a narrow scope
28. SECURITY REVIEW
And something different from the approaches before
- Verification that industry or internal security standards have been applied
- Gap analysis, review of design documents and architecture diagrams
- Activity that does not utilize any of the VA, SA, Pentest or Security audit approaches
29. The Butterfly
Maintenance releases and activities
35. TRUSTED SOURCES
Monitor regularly
- Vendors, third-party providers
- National Vulnerability Database (NVD)
- Common Vulnerabilities and Exposures (CVE)
- ... and the Drupal Security Team!
37. WHO AND HOW?
Difficulties and authentication
- Access complexity
  - None (AC:N)
  - Basic (AC:B)
  - Complex (AC:C)
- Authentication
  - None (A:N)
  - User (A:U)
  - Admin (A:A)
38. THE PILLARS OF INFORMATION SECURITY
The measurable elements
- Confidentiality impact
  - All (CI:A)
  - Some (CI:S)
  - None (CI:N)
- Integrity impact
  - All (II:A)
  - Some (II:S)
  - None (II:N)
40. CONDITIONS OF THE SURFACE
How does the application have to behave?
- Exploit (zero-day impact)
  - Exploit (E:E)
  - Proof (E:P)
  - Theoretical (E:T)
- Target distribution
  - All (TD:A)
  - Default (TD:D)
  - Uncommon (TD:U)
41. SecOSdays
25-26 October 2019 – Sofia, Bulgaria
https://secosday.eu
Call for Sessions and Sponsors are open!
In 100 days!!!
Each test is approached using a consistent and complete methodology that allows the tester to use their problem-solving abilities, the output from a range of tools and their own knowledge of networking and systems to find vulnerabilities that would or could not be identified by automated tools.