Security, this unknown
Hey all,
I have some questions about how security vulnerabilities are researched within the classic Drupal development plan, and about where we are and where we are going, regarding security obviously. That's because I noticed that if someone wants to help test Drupal for security vulnerabilities, he finds very little information, which means:
- no idea about what's already been tested
- no idea about what could be useful to do
Some things obviously need to be secret, but this level of secrecy is maybe too much.
These are just a few things I would like to know and would like to have explained by the Drupal security team to everyone:
- Is core tested with third-party software or is it tested manually?
- Who tests it, and when in the normal release process?
- Where have we arrived in the testing of Drupal 7?
- Is it possible to create a document of the vulnerabilities that have already been tested for?
- Is there a direction or a plan for testing?
Thank you,
Ingo86


some answers
As far as I know, there is no coordinated testing of Drupal core - by the security team or otherwise. Of course, there are several companies who have scanned Drupal core on a periodic basis - mostly timed with the launch of a new major site.
Following from that, there have been no scans/reviews that I'm aware of for Drupal 7 so far. Unless someone steps forward, there likely will not be. I imagine that some companies will perform reviews, but will not necessarily publish results - it is hard to say that Drupal is "safe" when there are so many possible ways to configure it.
I think creating simpletests for specific attack vectors, and "fuzzer"-type tools like the one you did for GSoC, are a great way to create a more consistent test for core.
--
Growing Venture Solutions | Drupal Dashboard | Learn more about Drupal - buy a Drupal Book
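As an illustration of the "simpletest for a specific attack vector" idea from the post above, here is an added example of what such a test could look like for Drupal 7. It is not code from the original thread or from Drupal core. It assumes the Drupal 7 SimpleTest framework (DrupalWebTestCase, drupalPost, assertRaw/assertNoRaw, check_plain), that the test file is registered in a module's .info file, and that the standard "page" content type can be created in the test environment; the class and test names are made up for this example.

```php
<?php
// Added example (not part of the original thread or of Drupal core).
// Assumes Drupal 7's SimpleTest framework and a module .info file that
// lists this file under files[]. Class and method names are hypothetical.

class XssAttackVectorTestCase extends DrupalWebTestCase {

  public static function getInfo() {
    return array(
      'name' => 'XSS attack vector: node title',
      'description' => 'Submits a script payload as a node title and checks that it is escaped on output.',
      'group' => 'Security attack vectors',
    );
  }

  public function setUp() {
    // Enable only what the test needs; the test profile is minimal.
    parent::setUp('node');
    // The testing profile has no content types, so create one.
    $this->drupalCreateContentType(array('type' => 'page', 'name' => 'Basic page'));
  }

  /**
   * Stored XSS vector: attacker-controlled node title rendered on node/%.
   */
  public function testNodeTitleIsEscaped() {
    $user = $this->drupalCreateUser(array('create page content', 'access content'));
    $this->drupalLogin($user);

    // Constructed payload; a real fuzzer would iterate over many of these.
    $payload = '<script>alert("xss")</script>';
    $edit = array(
      'title' => $payload,
      'body[und][0][value]' => 'Body text.',
    );
    $this->drupalPost('node/add/page', $edit, t('Save'));

    // The node page must not contain the raw payload...
    $this->assertNoRaw($payload, 'Raw script tag is not present in node output.');
    // ...but must contain its escaped form, proving the title was rendered at all.
    $this->assertRaw(check_plain($payload), 'Escaped title is present in node output.');
  }
}
```

The pattern generalises to other vectors: each test case takes one attacker-controlled input (title, comment body, user name, query parameter), submits it through the normal form path, and asserts on the escaped versus raw representation in the rendered page. Run it through the Testing module's UI or with `php scripts/run-tests.sh` from the Drupal root.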
I think that...
I think that this group could plan something to test Drupal. We could plan a schedule to avoid replicating scans with the same tools (and so avoid duplicating our work), and we could discuss each single vulnerability in more depth to find new ways of making an exploit.
Do you agree?
sure
I agree with Dries from his keynote - that a community needs coordination and not necessarily "planning", but...
Let's get a list of tools to use and tasks we could be doing - from there we know what kinds of tasks to coordinate on.
--
Growing Venture Solutions | Drupal Dashboard | Learn more about Drupal - buy a Drupal Book
I agree too...
I agree too, I used "planning" in the wrong way. In fact I wrote that it's required to avoid duplicate scans with the same tools, which means we need coordination, not planning.
Well, we can start from a simple list of the most common vulnerabilities and write a list of tools/ways to find them. I opened a new wiki page for that in this group. Feel free to add or remove things.
Ingo86
Assistance offered
LS,
In addition to the previous post, I would like to offer my assistance, effort and part of a module I maintain. I recently took over the security.module on drupal.org. IMO this could be a place where the coordinated results of the 'todo' list could be visible to admins and/or site maintainers.
Best,
VinceW
-=[ Your Information Matters ]=-
PS: I started a group today called Security. Its goal is to have Drupal security-related content in general. I did notice this group before in relation to the Security Scanner, but ..... became aware too late of the fact that it also had security-related best practices. Hope you don't mind my starting the new group.
yay, but
Great to see your increased attention on the topic.
But, I just denied the group. This group only has 30 members and we specifically avoided making it a generic "security" group for fear that people would report security issues in it.
--
http://growingventuresolutions.com | http://drupaldashboard.com | http://drupal.org/books
I agree with you there
I agree with you that there should be only one place to report security issues and that there should be no misunderstanding about that.
IMHO it would be a benefit to the whole Drupal community to have a place where security can be discussed in general without the specifics.
My original thought was to have a place on the official 'drupal.org' site. This group is primarily about the Security Scanner component. My intention is to put Drupal-related security in a bigger perspective so there's some more input from admins, end users and developers about processes, workflows, difficulties, etc. That's why I created the group 'Security'.
The logical question then would be: what is, in your opinion, the proper place to have (in a bigger perspective) security-related discussions in such a way that the whole community benefits from it?
broad group
This group is about Security best practices. Read the mission statement:
Doesn't that seem like what you want?
--
http://growingventuresolutions.com | http://drupaldashboard.com | http://drupal.org/books
Seems like it....
I'll give it a shot in a new discussion and we'll see what it's doing.
Thank you for the mentoring on this.
Back to the original topic/question/offer... Can I (or the security module) be of any assistance on this?
Best,
VinceW
-=[ Your Information Matters ]=-
Just to point that..
As VinceW said, the group name could lead to confusion, because even if there are two ideas in the group topic, it seems to be focused on the Security Scanner component, as that comes first. IMO the security scanner could be just a tool (one of a great many tools) and should not name the group at all, to avoid confusion, but discussions about it could be handled here of course. A name like "Security enthusiasts" or "Security Best Practices and tools" would not lose focus from the main d.o. security group, but would still keep people interested in security joining the group. I myself just joined this group because of a cross-posting request from Christefano, but I declined to join the first time when I saw the group name, as I'm not interested in the security scanner component.
Just an opinion..
When scanning, the group
When scanning, the group title does seem to limit the focus of this group to one particular tool. Unless you read the mission statement, it's not obvious that this is the g.d.o group for discussing security best practices and tools.