Web Security Basics

pnijjar
Start: 2009-12-17 19:00 - 21:00 America/Toronto
Event type: User group meeting

Dave Kinchlea will show us the basics of security, with a focus on Drupal. He will cover the following topics: Who is the enemy, What to worry about; What not to worry about; How to monitor; Who to trust.

This is the first of a potential series of presentations on Drupal security.

Comments

deviantintegral

Sounds awesome - this sounds like it will be useful for anyone running a Drupal site.

My Credentials

Dave Kinchlea

Hi all

Frankly I think anybody calling themselves an expert in anything is obligated to back that up in some fashion, else why listen to them? This is no less true when it comes to security matters, to the contrary listening to the wrong security advice could really get you in trouble. So, I would like you to know what my credentials are and what they are not so you know what sort of advice you are likely to see when I do this talk.

When it comes to security, I am an IT guy first and foremost. I know a lot about code-related security issues but I am most definitely not an expert at secure coding ... this is a skill that must be learned and practiced constantly; my own skills in this field go back almost 10 years and my advice would undoubtedly also be outdated with regards to a solution. To be more concrete by example, I have a complete understanding of what SQL injection is, the specific dangers in general and how they pertain to a Drupal deployment, and I even understand the general methodologies one needs to follow to defend against the possibilities ... but don't ask me to supply code or even suggest an appropriate algorithm/function. Hell, I can barely put together a syntactically correct SQL statement, let alone worry about defending against SQL injection :-) XSRF and XSS are even harder to programmatically defend against; the concepts didn't even exist in general security nomenclature the last time I considered myself a developer of code.

What I can say is that I have designed and managed an Application Service Provider with security requirements that exceed anything you are likely to encounter building web sites with Drupal (PHP is not an appropriate language for this level of security); I've worked with unnamed three-letter organizations and other very high security deployments of many applications, including CMS deployments; I've been through both deep-dive security reviews of code and of deployments (on both sides of the fence). I was the Director of Security Initiatives at Open Text when I left there 1 year ago, and I cut my post-graduate teeth in computer science by helping to defend the fledgling Internet at UWO against the onslaught of students while we provisioned them with 10-BaseT connections to their dorm rooms (this was a big deal in 1995).

I know a lot about security, I know what is important and to whom; I know how to design a system so secure that it is financially infeasible to run :-) and (most relevant to this group I think) I know how to apply the appropriate security to a situation. Though I have met many security gurus that seemed incapable of understanding (or admitting) this fact, one doesn't put a bank-vault in one's basement to hold a few thousand dollars nor does one put $1million under one's mattress ... security is REALLY about risk assessment and management, unfortunately too many have seen it as only about management (because they don't know how or they can't really assess the risks).

I do not hold any current security certifications (though I've designed security workshops that provide certification); the closest I ever came was a 1-week course in running Checkpoint's FW1 over 10 years ago (where I ended up knowing more about Checkpoint than the instructor, sigh). I'm not a big proponent of certifications; they are mostly bogus attempts at marketing (not always, but more often than not). Security has always been a passion of mine, something I know and understand to be important, but it has not been my career choice and I am most definitely not an acknowledged security guru in any recognized security forum, group or organization (well, there might be a few who consider me a Livelink security expert and I will own that title).

That being said, I will try to give you a basic understanding of the landscape, and how it applies to a Drupal installation; there really are a lot of things you MUST be concerned with if you are going to be a responsible web designer/owner. I guarantee that Khalid (who unfortunately will not be with us this time around) is more of a coding expert than I and, of course, far more the Drupal security expert, but then my desire is not to do any coding but to run a secure site and to that end I think I can hold my own and give you some solid, useful, and valuable knowledge.

Sorry for the length of this post, I'm hoping it means I will not have to spend much time on this subject on the 17th and more on the point of the presentation. I hope to see you all there.

President & CEO, Global Alliance of Trusted Experts
http://www.gatevillage.net -- South-Western Ontario's Drupal Community Building Site

Running vs. coding

kbahey

I think that the bulk of the presentation should be on the "keeping your site secure part" (subscribing to the mailing list or RSS feed, upgrading when needed, using well proven modules vs. anything written by an amateur, not using too many modules [each is a piece that has to be maintained] ...etc.)

Yet, there has to be a portion on coding. Many of us customize the theme used, and not sanitizing the strings on output can cause XSS. check_plain() is your friend.

In addition to all the above, be mindful of the whole stack if you are managing it yourself (operating system, Apache, PHP, MySQL, ...etc.). No point in shuttering the windows when the door is wide open.

Great topic. Thanks for presenting on it ...

Hope this helps ... sorry I have to miss it.

Drupal performance tuning, development, customization and consulting: 2bits.com, Inc..
Personal blog: Baheyeldin.com.
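As an added illustration of the theme-layer point in the comment above (this is example code, not from kbahey's comment and not Drupal's own code): the same node title is printed twice, once raw and once through check_plain(). Outside a Drupal bootstrap check_plain() is undefined, so the block defines a fallback that mirrors what Drupal's version does for valid UTF-8 input; the title string, the two render helpers and their names are constructed for this example.

```php
<?php
// Added example: output escaping in a Drupal theme template (Drupal 6/7 API).
// Not part of the original post or of Drupal core.

// Outside Drupal, check_plain() does not exist. This fallback is an
// approximation (assumption): Drupal's check_plain() escapes the HTML
// special characters with htmlspecialchars(..., ENT_QUOTES, 'UTF-8').
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Vulnerable template fragment: the value is echoed straight into the page,
// so any markup a user managed to put in the title becomes live HTML.
function render_title_unsafe($title) {
  return '<h2 class="title">' . $title . '</h2>';
}

// Hardened fragment: plain-text values pass through check_plain() before
// they reach the browser. (For fields that legitimately carry limited HTML,
// Drupal's filter_xss() with an explicit allowed-tag list is the tool instead.)
function render_title_safe($title) {
  return '<h2 class="title">' . check_plain($title) . '</h2>';
}

// Constructed sample: a title containing markup, as an untrusted author might submit.
$untrusted_title = 'Hello <script>alert("xss")</script>';

$unsafe = render_title_unsafe($untrusted_title);
$safe   = render_title_safe($untrusted_title);

// The escaped version contains no <script> element, only its entity-encoded text.
assert(strpos($unsafe, '<script>') !== false);
assert(strpos($safe, '<script>') === false);
assert(strpos($safe, '&lt;script&gt;') !== false);

echo "Unsafe: $unsafe\n";
echo "Safe:   $safe\n";
```

The rule of thumb the block demonstrates: escape at output time, in the template, for every value that did not originate in code you control, rather than trusting that it was cleaned on the way in.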

Just a reminder about Thursday's presentation

Dave Kinchlea

Who is the enemy, What to worry about; What not to worry about; How to monitor; Who to trust.... Security is a big topic, this is the first and most basic of them.
Hope to see you all there!

Dave Kinchlea


deviantintegral

This was excellent; could you link to your presentation here?

Thanks for the reminder...

President & CEO, Global Alliance of Trusted Experts
http://www.gatevillage.net -- South-Western Ontario's Drupal Community Building Site

Thanks!

kbahey

Dave

Thank you for coming forward for such an important topic.

See you in January.


Waterloo Region Drupal Users Group
