A+ Score Configuring Drupal to Pass Penetration Tests / DrupalCon North America 2021

Captions
Right, okay, let's kick off then. So hello everyone, we are here today to talk about how you can achieve an A+ score on the Mozilla Observatory tool, in order to help you, you know, pass security testing. I'm David Pratt, Technical Director at Zoocha. Alex Johnston, Senior DevOps and Drupal Developer at Zoocha as well. Next slide.

Yep. So, just taking a step back, just in case you haven't heard of Mozilla Observatory before: Observatory is a tool which tests a website for preventative measures that you have in place against things like cross-site scripting, man-in-the-middle attacks, any cross-domain information leakage, things like cookie and CDN compromise attacks, and also things like improperly configured certificates. What it does not test for are things like outdated software versions, you know, SQL injection vulnerabilities, weak password policies and things like that. For those sorts of tests you need to use other tools and systems. But the Mozilla Observatory tool works simply enough: you just go to the website, stick in the URL of your website or web page that you want to test, then in the background it will run a load of tests, and at the end of it it will spit out a score and give you some analysis on how it has arrived at that score. And I should just say, achieving an A+ score does not mean your site is secure; it just means that part of its security is, you know, well executed. So, next slide.

So we thought we'd take you on a bit of a journey on this talk, taking you from, you know, the lowest possible score that you can get on Mozilla Observatory, which is an F, all the way through to getting an A+. To do that we have created a demonstration site which you can access at drupalsecurity.co.uk. So this is just, you know, a really basic Drupal site; it's using the Umami Drupal profile, and we've done some really basic configuration on that profile, so we've added Google Analytics and Google Tag Manager just so we've got some external resources that we require as part of this testing. What we've also done is we've added a cookie onto the site so that we're effectively simulating having a session, because when you use the Mozilla Observatory tool you can't actually, you know, get it to log in to simulate what an active session looks like.

So, yeah, moving on. So the starting point that you have, I mean, you know, there's no security certificate on there and there's no other, you know, hardening measures in place, so you score an F and you get 0 out of 100. It's not great, but with some tweaks that we can make, we can drastically improve the score quite quickly.

Yeah, sure. So starting with, I suppose, the simplest one, bit of a no-brainer: no real excuse nowadays not to have an SSL certificate. I mean, we just added an SSL certificate, and you can see we already jump up to a D from an F, which is obviously an improvement; it just gives people a bit more kind of confidence in the site. And then, I mean, within here you can also see that simply by using HTTPS, Drupal has now detected that and it also sets cookies with the Secure flag, which is quite nice; it kind of crosses off another issue that we were experiencing out of the box. So, yeah, already an improvement to our score. Another simple one then is we just forced SSL, making sure there's a standard redirect for every single request jumping into SSL, and again that jumps us up to C- already. So I mean we won't go through how to issue an SSL certificate obviously, but I mean it just makes complete sense to always add it.

And then moving on, yeah, to allow us to move through the scores and, you know, get the hallowed A+, we will introduce a module onto the site called Security Kit. So this is quite a well-established contrib module and it gives you a nice UI within Drupal to control various aspects of the header options that you can tweak. Our advice would be to get this on the site as early as possible during the build, as some of the options can be quite tricky to configure on an existing site.

Yes, I just figured we would kind of focus on three of the main areas of configuration. These are the ones that Drupal drops the most in terms of points out of the box, and that allows the score to come up to an A+. So the first one kind of loops back into the HTTPS: it's enabling HTTP Strict Transport Security (HSTS), and you can see how simple it is to configure; it's three checkboxes and setting a max-age. This already pulls us up to B-, so getting into the realms of quite a high score already; now there are only two areas that Drupal's actually dropping points. And this is just enabling it so that, I mean, if you've enabled preload, all browsers should know that the site has HTTPS even before a visitor has gone to it. If you don't have preload then it means that after their first visit the browser will never have to go through that HTTPS redirect again, and it will go straight into the secure version of the site. So quite a quick and simple one there, but pulling our score right up.

Moving on to the second option, which is cross-site scripting protection. This is actually a funny one because it's slowly being phased out; I know for example Firefox doesn't actually recognize it anymore, but it doesn't mean it shouldn't be enabled. The option's there and it's so easy to enable that there's no real reason not to, I don't think, the idea being that you're offering security to people who maybe can't upgrade or are stuck on an older version for any kind of reason. So it's worth putting this option in, and, yeah, again that pulls us straight up to a B, which is good.

You can then see that the one area we're still dropping a lot of points on is the Content Security Policy, which is the third and definitely meatiest area. The Content Security Policy header basically defines for every browser where it can fetch any assets from. It means that you can build up a list of trusted sources and make sure that you're only pulling in information from those; if for any reason some asset was to come on and try to load from somewhere else, it's blocked. Yeah, I mean it makes sense, but it's one of the trickiest ones to actually implement. I will highlight that to get the full A+ score we have cheated slightly: Drupal does have, well, a bug out of the box which prevents CKEditor working without this 'unsafe-inline' flag, so we've had to do a couple of small tweaks within there to allow it to not need 'unsafe-inline'. And we just did this to kind of highlight that, while these are all good recommendations and give a good amount of security, it is also about balance between the security and functionality. These are very high level; Drupal does have its own security obviously built in within it, and sometimes you do have to make these sacrifices. Obviously you just have to weigh them up as you're going along and see what attack vectors still exist and so on. But, yeah, we just thought we'd highlight that, and it's obviously in hand in this Drupal issue, but we won't touch on that too much.

Moving on to configuration again: you can see how easy it is, and this is why we're going to bring this one up, that with selecting a few boxes again it's enabled. And then, I mean, this is where you've built up your sources list, and you have, I mean, all kinds of tools that can help with building this; for example you've got this Firefox add-on, so it's worth having a look at that. You've also got a report-only mode that I'll touch on a bit later. The idea behind the report-only mode is you can enable that towards the beginning so that you're not actually blocking any resources at the moment, but just building up your list slowly, making sure you're not breaking the site as you're going along if it is an existing site, and then, as you're seeing fewer breaches, you can actually disable the report-only mode and start with the higher security. You can see here the kind of flags I put in for the site that we've set up, and, I mean, you can see with that kind of simple addition we've ended up jumping all the way up to an A+. Obviously that gives us the biggest jump; we've actually ended up with a score of 110 out of 100. Basically every score on Mozilla Observatory starts at 100 and then they deduct scores, and there are areas where you can get bonus points, hence the higher than full score. Yeah, nice kind of green area there.

There are some other areas in SecKit that we won't touch on too much, but you can enable, for example, this Referrer-Policy; there are kind of little things you can do with public key pinning, but that's more on the server side. But, yeah, I mean, there we've achieved our goal.

I just wanted to touch on the reporting side a little bit more, because this is where you require actual monitoring going forward. Obviously you end up with breaches, and this can be the result of two kind of avenues: either a content editor change could be made to a site on purpose which introduces a new source, or there could be an actual issue and something's being loaded when it shouldn't be, and obviously you want to be able to review those and see if there's an actual issue. So you want to be able to get the reports. By default Drupal feeds these into the error log; we've found these quite unwieldy to look through sometimes because they're huge errors, so we've actually employed the use of Sentry, and there's all kinds of these services. You basically just post in a report URI and Drupal then starts posting the details over to these services and reporting them, and by doing this we can also get emails and Slack alerts and so on for each breach, which is very handy.

That was a kind of really quick overview of the options that we kind of always enable out of the box. Got some final thoughts: as Dave mentioned earlier, this doesn't replace testing for SQL injection vulnerabilities, weak passwords and so on. It's not a replacement for good code, I suppose, and writing with security in mind and running your own penetration tests, but it's a good start, and it's making sure that you're making use of those browser-based controls that are there and you might as well make use of. I'd also highlight that it's not the only way to implement these, so there have been areas where we've implemented, for example, HSTS at the nginx level, so you can do these higher up in the stack, but I mean this is very much the easiest, especially if you're new to Drupal and so on and wanting to get this out of the box. And also, as Dave mentioned, it's really handy getting this in as early as possible during a site build, meaning that you're maintaining it as you're going along rather than trying in the last couple of hours before going live and building up these lists of sources, which is, I mean, from experience, quite difficult.

Yeah, and particularly if you're using things like AdSense or Google Tag Manager, where, you know, AdSense could be bringing in adverts from all over the internet, so trying to stay on top of all of those domains and adding them to the content security policy is just a nightmare. So what you might find is that once you've got a site that is fully tested and working, when it goes live, if the editor doesn't stop writing things for Google Tag Manager or ads, then other bits might break, you know, inadvertently, just because of the nature of it.

So on the last slide there, yeah, I just want to use this last slide to point out some good resources on the topic. So obviously Google has got some good stuff regarding security in general on the Fundamentals area of its website, and Mozilla has got some support information for the Observatory tool on its website as well, which gives good tips on how to improve the security posture of your headers, and then of course OWASP, which is one of the best resources for this type of information. And, yeah, just to close, just to say that Mozilla Observatory is open source, so you can contribute to it and you can see exactly how it's doing its scoring and that kind of stuff. So that is us, bang on 15 minutes. Has anyone got any questions?

I did see one question in the Q&A: "Do you integrate any of these tools into a CI/CD pipeline for analysis?" We don't with Mozilla Observatory; it's typically a tool we use as we're building, and then obviously as a site's built we kind of provide a report using that. We have OWASP ZAP, which is an automated kind of security tester; we do build that into most of our pipelines. It basically leaves us alone unless specific issues pop up. So obviously Observatory is a good kind of first level; ZAP we use kind of more ongoing.

I'll just check. Next question, I think: "What kind of online checks are you using?" Again, it's mostly Observatory and ZAP. I mean, we've had other checks obviously; with some clients we use, like, Nessus for example. But, yeah, I mean, Observatory gives a lot of good recommendations, especially when you're building, as to which headers to implement, so it's worth taking a look at that. And I think, as Dave mentioned, it's open source, so you can see the checks they do.

"What is Sentry?" That's a good question. We use it; it basically collects logs, and it allows you to basically assign errors to people and can raise tickets based on those events, and it's handy. The CSP reporting is just like another tool within there; it's just another kind of log it can consume. Yeah, really useful if you're ever looking at that and tracking your errors and so on. So, I mean, for example, you've got some alerts on fatal errors where it raises a kind of critical ticket, and it helps you catch issues which aren't necessarily outages but might be impacting a significant part of the site. And what's also good about it is it can aggregate logs and then give you, like, a count on the number of events of a particular kind, so you can see what, you know, are the most frequently occurring logs really easily.

"What's the difference between this tool and SSL Labs?" I would say SSL Labs just focuses that bit more on the SSL side. I think it really comes down to probably preference; we've found this one just gives a nice clear grading system, especially when providing it to kind of stakeholders in the sites. I think being able to show "we're a B because of this", yeah, it's just the one we've gone with, but it doesn't necessarily mean SSL Labs is worse. Yeah, SSL Labs is something different really, isn't it? I mean, it's purely focused on the actual cryptographic chains of the certificates rather than the browser. Exactly, and it can be very helpful in those areas, yeah.

"Sentry versus Datadog?" We've generally found Sentry is better for actual errors and the assigning and so on, just through personal preference. We also use New Relic for some clients; again it comes down to the preference of the clients as well. We have tried Datadog; we never really got along with it, but I think that was probably because we had started with New Relic earlier, so it's just really preference and we've got everything we need out of it. But, yeah, Sentry has just been better for Drupal errors specifically, so we've stuck with that.

And if there's any more questions... I noticed, I think, somebody asked for the slides; yeah, we can share those after the presentation. All right, yeah, I'll work out how to do that and just post that in the chat afterwards. Okay, cool, thank you everyone, if there's no more questions.

Yeah, sure, so I mean, as Dave kind of mentioned on this slide, Mozilla Observatory is open source; I mean, you have the link there and that links to the tool itself as well. We didn't really put the ones in for Sentry; it's quite quick from a Google, but I mean they were the tools we were focusing on directly. But, yeah, I mean, it's always worth having a look as well, so it's literally just sentry.io, I believe. Yeah, so that just shows the kind of level of Sentry; we're not going into too much, but you can see various errors being raised here, and like your CSP alert, yeah, let's show that quickly. Cool, I think that's everything. Well, yeah, I did post, I think at the start, we've got our drupal.org names here; obviously you've got contact details on the event as well, so feel free to send us a message if you have any more questions.
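The header checks the speakers walk through (HTTPS redirect, HSTS with max-age/includeSubDomains/preload, X-XSS-Protection, a Content Security Policy without 'unsafe-inline' and with a report-uri, the Secure cookie flag) and the per-source counting of CSP violation reports they get out of Sentry, as an added example that is not code from the talk, from the Security Kit module, or from Mozilla Observatory. It audits a captured response (final URL after redirects, lowercase header map, raw Set-Cookie values) and aggregates report-uri JSON reports. The thresholds are illustrative, not Observatory's real scoring, and every host name, sample response and sample report is constructed for the example.

```python
"""Simplified audit of the response headers discussed in the talk, plus an aggregator
for CSP violation reports posted to a report-uri. Added example: not Observatory's
scoring and not Security Kit code; all hosts, responses and reports are constructed."""
import json
from collections import Counter

SIX_MONTHS = 15552000  # illustrative HSTS max-age floor (seconds)


def parse_csp(value):
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for clause in value.split(";"):
        parts = clause.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def parse_hsts(value):
    """Return (max_age, includeSubDomains, preload) from a Strict-Transport-Security value."""
    max_age, subdomains, preload = 0, False, False
    for token in (t.strip().lower() for t in value.split(";")):
        if token.startswith("max-age="):
            max_age = int(token.split("=", 1)[1]) if token[8:].isdigit() else 0
        elif token == "includesubdomains":
            subdomains = True
        elif token == "preload":
            preload = True
    return max_age, subdomains, preload


def audit(final_url, headers, set_cookie):
    """Return findings for one response; `headers` maps lowercase names to values."""
    findings = []
    if not final_url.lower().startswith("https://"):
        findings.append("not served over HTTPS (no redirect to https://)")
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        max_age, sub, pre = parse_hsts(hsts)
        if max_age < SIX_MONTHS:
            findings.append(f"HSTS max-age too short ({max_age}s)")
        if not sub:
            findings.append("HSTS lacks includeSubDomains")
        if not pre:
            findings.append("HSTS lacks preload")
    if headers.get("x-xss-protection", "").strip() != "1; mode=block":
        findings.append("X-XSS-Protection not set to '1; mode=block'")
    enforced = headers.get("content-security-policy")
    if enforced is None:
        # Report-Only never blocks anything, so it earns no credit on its own.
        ro = "content-security-policy-report-only" in headers
        findings.append("CSP not enforced" + (" (report-only mode still active)" if ro else ""))
    else:
        policy = parse_csp(enforced)
        scripts = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in scripts:
            findings.append("CSP allows 'unsafe-inline' scripts")
        if "*" in scripts:
            findings.append("CSP script sources include wildcard '*'")
        if "report-uri" not in policy and "report-to" not in policy:
            findings.append("CSP has no report-uri/report-to, so violations go unreported")
    for cookie in set_cookie:
        name = cookie.split(";", 1)[0].split("=", 1)[0].strip()
        flags = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in flags:
            findings.append(f"cookie {name} lacks Secure flag")
    return findings


def aggregate_csp_reports(report_lines):
    """Count report-uri style CSP reports (one JSON object per line) by
    (violated-directive, blocked-uri), i.e. which source keeps getting blocked."""
    counts = Counter()
    for line in filter(None, (ln.strip() for ln in report_lines)):
        body = json.loads(line).get("csp-report", {})
        counts[(body.get("violated-directive", "?"), body.get("blocked-uri", "?"))] += 1
    return counts


# Constructed sample responses: the F-grade starting point and the hardened site.
BEFORE = dict(final_url="http://www.example-drupal.test/",
              headers={"content-type": "text/html; charset=UTF-8"},
              set_cookie=["SESSabc123=xyz; path=/; HttpOnly"])
AFTER = dict(final_url="https://www.example-drupal.test/",
             headers={"strict-transport-security": "max-age=31536000; includeSubDomains; preload",
                      "x-xss-protection": "1; mode=block",
                      "content-security-policy": (
                          "default-src 'self'; script-src 'self' https://www.googletagmanager.com "
                          "https://www.google-analytics.com; "
                          "report-uri https://csp-report.example-sentry.test/ingest")},
             set_cookie=["SESSabc123=xyz; path=/; Secure; HttpOnly"])
# Constructed reports, e.g. an ad script an editor added that is not yet on the source list.
SAMPLE_REPORTS = [
    '{"csp-report": {"violated-directive": "script-src", "blocked-uri": "https://cdn.adsprovider.test/ad.js"}}',
    '{"csp-report": {"violated-directive": "script-src", "blocked-uri": "https://cdn.adsprovider.test/ad.js"}}',
    '{"csp-report": {"violated-directive": "script-src", "blocked-uri": "inline"}}',
]

if __name__ == "__main__":
    for label, resp in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(**resp) or ["no findings"])
    for (directive, uri), n in aggregate_csp_reports(SAMPLE_REPORTS).most_common():
        print(f"{n:3d}  {directive}  {uri}")
```

Running it prints five findings for the constructed "before" response and none for the hardened one, then the blocked sources ranked by count; feeding the aggregator a file of real report-uri bodies (one per line) gives the same "most frequently occurring" view the speakers describe using to decide whether a blocked source is a legitimate editor change or something that should not be loading.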
Info
Channel: Drupal Association
Views: 51
Rating: 5 out of 5
Keywords: drupalcon, drupal
Id: VyJjUdqaGeM
Length: 19min 43sec (1183 seconds)
Published: Fri May 28 2021