Security Audit or 3rd party Review

mgifford

I'm doing more and more work within the government and am running into a lot of MS IT Departments who really don't understand open source, Linux and really can't get their heads around Drupal.

I've been looking around for some reports or analysis of Drupal 6's security. There are lots of good how-tos:
- http://justin.madirish.net/node/241

Nice to see Google's ratproxy as a nice evaluation tool (has anyone run that against Drupal core?):
- http://code.google.com/p/ratproxy/

Wonderful to see the security scanner component for the simple test. I have yet to install that, but assume that it requires some customization to know what to test.

However, I would like to know what 3rd party security audits might be available for Apache, PHP, MySQL, & especially Drupal. If you know of any, great! If not who would be in a good position to do them and what would it cost for the community to pay to get this done?

Think it would help dispose of a lot of the FUD that comes from Microsoft Shops that just tend to assume that their product is safe because one version was evaluated back in 2006.

Comments

Grendel Scan

greggles

One tool I've used is Grendel Scan. It seems to have some false positives and false negatives, but does a pretty good job all things considered.

So far I'm not particularly impressed with results I've seen from the 3rd party testing tools. Most of them include so many false positives that they are basically useless.

--
Growing Venture Solutions | Drupal Dashboard | Learn more about Drupal - buy a Drupal Book

Looks useful

mgifford

Maybe it's sufficient. I'll have to fire it up and point it to a fresh Drupal.org install.

However, I think what they were looking for was someone to run these tests, evaluate the code (at a php & javascript level) and look for possible exploits.

I have confidence in the security team in Drupal, but I'm not sure that it's enough for a Microsoft IT shop already filled with FUD.

Mike

OpenConcept | CLF 2.0 | Podcasting

yes, it's tough

greggles

I know that different companies have hired third party audits (the Greenopolis project, for one, and I think Die Zeit as well), but I think most security companies are hesitant to say "this is safe" about an open source project. Do you have examples of companies doing that for other open source projects?

I think the total cost would be in the hundreds of thousands of dollars. It's not impossible, but if we want to raise that kind of money for an effort like this we should pin down what we want to test.

The test would have to be limited to a specific set of modules:

  • Core modules installed by default
  • Core modules commonly enabled (openid, forum, blog, poll, comment, but excluding some of the less popular like Throttle and BlogAPI)
  • 20 of the most popular contrib modules (only 10? up to 100?)
  • Specific configurations for all of the above or do we assume any combination of configurations?

--
Growing Venture Solutions | Drupal Dashboard | Learn more about Drupal - buy a Drupal Book

Audits are Expensive

mgifford

Would be a matter of getting the right group of people together to contribute $10K apiece to a 3rd party evaluation. With the rise of government/business Drupal users it should be something that we could do if there is sufficient interest. Still a huge task unless you've got a group of folks who are already willing to contribute to the process.

Certainly Drupal Core should be tested. I'd argue for testing with Throttle & BlogAPI just because you'd be able to say all of Drupal Core has been tested.

Would also push for Acquia's slate of additional modules. They would certainly want to be involved in this I would assume.

Might want a few others beyond that. Would have to have a couple defined install profiles to test I would think. And a few different themes of course.

I don't know other open source projects that have done this. It's also a moving target. Although because it's so expensive I'm pretty sure that an outdated security audit will be acceptable to most.

The challenge though is more about looking at how security is managed within the community, what mechanisms are set up within the local environment and knowing that someone is watching for inappropriate behaviors.

OpenConcept | CLF 2.0 | Podcasting

Results of the Scan

mgifford

Interesting results from the scan. Grendel is pretty easy to set up.

Interesting how it looks for backups of critical files like - http://drupal.org/user/Copy%20of

Not a security issue for Drupal as the 'Copy of' is just ignored. Doesn't look good in the scan though.

The cookie named SESS338ffb41f0808e2ff9668877c9996301 appears to be used to track session state. However, some duplicate cookie values were detected. If SESS338ffb41f0808e2ff9668877c9996301 is used to track session state, all values supplied by the web server should be unique. Detection of duplicate values implies that the generation algorithm outputs predictably named cookieJar.

Have to look more at this as "If the session ID is generated in a predictable manner, an attacker could hijack legitimate sessions by guessing the session IDs of authenticated users."

The Nikto findings are mostly about just removing the default .txt files in root. That's not a big deal if you're keeping your site up-to-date. If you let your security updates lag though then you've got issues.

Like the 'Copy of' issue there are links like '/forum/viewtopic.php' that are scanned for that probably should be blocked. Not that they do anything, but it indicates to the scanner that there's a chance.

So it seems like the most critical issues this tool identified (and there were hundreds of tests) were possible issues with cookies and some false positives.

Now this is a powerful enough tool that I should really run it as an authenticated user too to see what the results are.

Mike

OpenConcept | CLF 2.0 | Podcasting
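The duplicate-cookie finding above is worth checking by hand rather than trusting the scanner's wording. The following is an added example, not code from this thread or from Grendel Scan: it takes a sample of `Set-Cookie` headers collected from independent responses (the five below are constructed, using the cookie name the scanner reported) and reports duplicates, short values and the per-character entropy of the sample. A duplicate across separate sessions is the real red flag; the entropy figure is only a rough hint about the generator or its encoding (hex caps out at 4 bits per character).

```python
"""Check a sample of session cookie values for duplicates and weak randomness.

Added example, not code from the thread or from Grendel Scan. It assumes you
have collected the Set-Cookie headers from a series of independent
(unauthenticated) responses; the sample below is constructed.
"""
import math
import re
from collections import Counter

# Constructed sample: five Set-Cookie headers as a web server might emit them.
SAMPLE_HEADERS = [
    "Set-Cookie: SESS338ffb41f0808e2ff9668877c9996301=a1b2c3d4e5f6a7b8c9d0; path=/",
    "Set-Cookie: SESS338ffb41f0808e2ff9668877c9996301=0f1e2d3c4b5a69788796; path=/",
    "Set-Cookie: SESS338ffb41f0808e2ff9668877c9996301=a1b2c3d4e5f6a7b8c9d0; path=/",  # duplicate
    "Set-Cookie: SESS338ffb41f0808e2ff9668877c9996301=deadbeefdeadbeefdead; path=/",
    "Set-Cookie: SESS338ffb41f0808e2ff9668877c9996301=ffffffffffffffffffff; path=/",
]

COOKIE_RE = re.compile(r"^Set-Cookie:\s*([^=]+)=([^;]+)")


def extract_session_values(headers, name_prefix="SESS"):
    """Return the values of cookies whose name starts with name_prefix."""
    values = []
    for line in headers:
        m = COOKIE_RE.match(line)
        if m and m.group(1).startswith(name_prefix):
            values.append(m.group(2))
    return values


def shannon_entropy_bits(values):
    """Shannon entropy of the character distribution across all values (bits/char)."""
    counts = Counter("".join(values))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def analyze_session_ids(values, min_len=20):
    """Summarise the sample: duplicates, short values, charset entropy.

    A duplicate across independent sessions is what the scanner flagged; a
    short value or a low per-character entropy is a weaker signal that the
    generator or its encoding is poor and deserves a closer look.
    """
    counts = Counter(values)
    duplicates = sorted(v for v, n in counts.items() if n > 1)
    too_short = sorted({v for v in values if len(v) < min_len})
    entropy = shannon_entropy_bits(values) if values else 0.0
    return {
        "sampled": len(values),
        "unique": len(counts),
        "duplicates": duplicates,
        "too_short": too_short,
        "entropy_bits_per_char": round(entropy, 2),
    }


if __name__ == "__main__":
    sample = extract_session_values(SAMPLE_HEADERS)
    print(analyze_session_ids(sample))
```

To use it on a real site, replace `SAMPLE_HEADERS` with headers captured from fresh, cookie-less requests; a handful of responses is enough to spot a repeated value, and a larger sample makes the entropy figure meaningful.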

Great, but always...

ingo86

Hi all, I'm finally back after a break due to my degree and some travel.
Grendel Scan seems good, but we should remember that a tool not designed for a specific platform, like this one, which is a general tool, cannot be so detailed and rigorous. As mgifford says (oh, welcome to this group!) an audit is really, really expensive, but we're sure that someone has already done more than one security test on Drupal, so we could assume that Drupal is in part safe, but we don't know how much.
A conversation like this:
A: "Hey, is Drupal safe?"
B: "Uhmm, we're not sure."
could make more than one company scared. But what can you say about your closed source platform? What can you say about other open source platforms? Really, there's no way to be sure about the security of these things.

However, at this time I'm looking into the new OWASP Testing Guide and I'm trying to make some tests on Drupal core; I can probably write a report in the next weeks. Have you already looked into this, greggles?
Ingo86

Did you ever finish looking at OWASP?

batsonjay

If so, what did you conclude?

Owasp testing guide is...

ingo86

The OWASP Testing Guide is a really complete document. However, I thought it was more about testing in practice. In fact a big chapter of the document is dedicated to the security testing cycle and other theoretical things.
For every security issue you can find a dedicated subchapter, with "how to detect" and an explanation of the issue. It's a useful doc, but there are a lot of tools that are not mentioned in it that could help you find vulnerabilities.

An impressive tool I found last month is the Joomla Security Scanner. It detects the most common security issues and it's a barrier for module developers. I would like to see how the Joomla Security Scanner works to include something inside our security scanner. I hope to have more time after this GSoC to work on it.

Some Joomla Security Scanning Tools

mgifford

Thought I'd do a bit of a search for this. Seems there are a couple of tools for Joomla:

Though the last one is the only one associated with OWASP.

OpenConcept | CLF 2.0 | Podcasting

Joomla Tools appears pretty simplistic

batsonjay

I spent a couple of hours this morning reading the joomlascan source. If I'm reading it correctly (and I may be wrong; I only looked for 45 minutes), it's mostly (though not entirely) just looking at installed components (Modules, in Drupalspeak) and whether they are up to date. It does its best to detect (from the "outside" of the site) the version number of the component, and compares that to a DB (text file) of triples that equate a security vulnerability with a component version number. It gives a report of vulnerabilities - but what it's really doing is simply giving a version update report - but instead of simply saying a component is out of date, it lists the security vulnerability associated with that out-of-date module.

(Note that it does do a small handful of other things - e.g. looking at file / directory permissions on a few known locations. But I don't think this is a significant percentage of what the code does.)

(Note also that two of your tools above are the same thing: Joomla Security Scanner by d0ubl3_h3lix and OWASP Joomla Vulnerability Scanner Project.)

The Python script does appear to work a little differently; it appears to attempt to try URLs that exhibit a vulnerability. It's not extremely well architected; the URLs are embedded in the program file, and there's little reporting available.

I've been considering whether building something "like" these makes sense - or not. I think it's desirable in general, but there are so many pitfalls that it could be done badly and be a bad placebo.

Customization for Drupal

mgifford

It occurred to me that it would be useful to extend the Grendel Scan application to hit places where we know there might be weaknesses. Just checking for backup files within /sites, /sites/example.com/ & /sites/example.com/files would be useful. Same with SQL.

Knowing that cURL, ImageMagick or GD are often enabled for Drupal, are there opportunities to probe for these issues from the outside? Knowing intimately what can be made more secure, can we look for possible weaknesses in Drupal in a more automated way (without providing hackers with all of the keys)?

As far as the request for Apache to have a security audit -- seems a bit silly since it drives 60% of the Internet. Same with PHP, lots of folks are looking at the fundamentals, but as always there are ways to configure them more securely.

So much of this is about establishing best practices, setting up and maintaining a good environment of techies & software.

Also for those who toss out FUD at the security of open source software, this scan is an excellent tool to check out how well fortified their website is.

Mike

PS. Thanks for the welcome, Ingo86.

OpenConcept | Twitter | Podcasting
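Two of the findings in this thread, the default .txt files Nikto reports in the web root and the leftover backup files under /sites that mgifford suggests checking for, can be caught before deployment without any remote scanning at all. The following is an added example, not part of the thread and not code from Grendel Scan or Nikto: it walks a local Drupal docroot and lists the core .txt files still present and any backup or dump files under sites/. The list of core text files is what Drupal 6 ships in its root; the backup name patterns are the example's own assumed list, and the docroot it checks is constructed in a temp dir.

```python
"""Local hygiene check for a Drupal 6 docroot: leftover default .txt files in
the web root and backup/dump files under sites/.

Added example, not part of the thread and not from Grendel Scan or Nikto. It
runs on the filesystem rather than over HTTP, so it is a pre-deployment check
for the site owner; the docroot it builds is constructed in a temp dir.
"""
import fnmatch
import os
import tempfile

# Text files Drupal 6 core ships in the web root; Nikto flags them because
# they confirm the platform and reveal the exact version.
DEFAULT_TXT_FILES = (
    "CHANGELOG.txt", "COPYRIGHT.txt", "INSTALL.txt", "INSTALL.mysql.txt",
    "INSTALL.pgsql.txt", "LICENSE.txt", "MAINTAINERS.txt", "UPGRADE.txt",
)

# Name patterns for editor/backup leftovers and dumps (assumed list; extend
# to match your own backup habits).
BACKUP_PATTERNS = (
    "*.bak", "*~", "*.orig", "*.old", "*.swp", "Copy of *",
    "*.sql", "*.sql.gz", "*.tar.gz", "*.zip", "settings.php.*",
)


def find_hygiene_issues(docroot):
    """Return (default_txt_present, backup_files), paths relative to docroot."""
    present = [f for f in DEFAULT_TXT_FILES
               if os.path.isfile(os.path.join(docroot, f))]
    backups = []
    for dirpath, _dirs, files in os.walk(os.path.join(docroot, "sites")):
        for name in files:
            if any(fnmatch.fnmatch(name, p) for p in BACKUP_PATTERNS):
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                backups.append(rel.replace(os.sep, "/"))
    return sorted(present), sorted(backups)


def build_sample_docroot():
    """Create a constructed docroot with a few deliberate leftovers."""
    root = tempfile.mkdtemp(prefix="drupal6_")
    for rel in ("CHANGELOG.txt", "INSTALL.txt", "index.php",
                "sites/default/settings.php",
                "sites/default/settings.php.bak",
                "sites/example.com/files/site-backup.sql",
                "sites/example.com/files/logo.png",
                "sites/all/modules/views/Copy of views.module"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed\n")
    return root


if __name__ == "__main__":
    root = build_sample_docroot()
    txt, backups = find_hygiene_issues(root)
    print("default txt files present:", txt)
    print("backup/dump files under sites/:", backups)
```

Point `find_hygiene_issues` at a real docroot instead of the constructed one to use it; the check is deliberately read-only, so removing or moving what it reports stays a human decision.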

Just to follow up

mgifford

I was looking for a report like this when I posted this issue - http://drupalsecurityreport.org

Thanks to all of the sponsors who contributed to its development!