Securing Drupal - Request for Speakers

robin.prieschl's picture

In light of the recent Drupal Core vulnerability (https://www.drupal.org/SA-CORE-2014-005) and drupal.org's Public Service Announcement (https://www.drupal.org/PSA-2014-003), I would like to know if there is anyone who would like to speak at the Drupal Meetups about Drupal Security. This goes for both the Johannesburg and Cape Town Meetups. This could be one speaker for both or separate speakers for the respective regions.

Some things to cover could be:

  • Default configuration to make your Drupal installation secure.
  • Recommended modules.
  • How to keep Drupal secure (Maintenance methods, automated and other).
  • How to determine if your site has been hacked.
  • I have been hacked...what now?
  • Backup strategies.

These are some initial thoughts, if anyone has other suggestions, please add below.

Thanks

Comments

That would be a great idea

riaan burger's picture

I find the advisory by the Drupal security team perfect. Advice for something like this should not allow for a marginal option to put one's head in a hole, or for business interest to be able to argue a site's exceptionalism: that it was not compromised or can be "quickly scanned" to determine if it was compromised.

Only very certain methods can be suggested. For example, running a diff on files and the database from before and after the 15th on a clean newly installed operating system. Even then, depending on data added to the database after the 15th, one would have to have a very careful audit of that data. From the simplest check on new users' roles to compromised content data.

I wonder if this shouldn't be a discussion more than a presentation. Things like backups and how a server, especially one shared with other sites, should be set up can be so diverse. For many companies this is also their secret sauce. Perhaps we can press Lee or Wayne to lead a discussion like this for us? Wayne's already in Cape Town, I think, and will likely be up in Johannesburg again later, so he can easily pollinate the ideas for us at two talks. I'll ask.

Feb Talk

Wayne Oliver's picture

Good morning all,

I would be more than happy to do a general security + drupal security chat / discussion / presentation. Think we really all need to focus on having a security focussed mindset when developing for a hostile environment.

I think the drupal sec team are doing a great job, but it's up to us as users to make sure we follow those advisories.

P.S. Robin - What are you doing up at 5am?

() ascii ribbon campaign - against html e-mail
/\

Great Idea!

jony_niuqiang's picture

It sounds like a great idea! As I come from China, could you share your presentation slides if you are the one who gave this talk?

Personal WeChat public account: 左手读写

My top tips

burningdog's picture

My tips are:

  • All code in git. Then it's easy to see if any files have been added/updated.
  • NEVER use the PHP input filter. All code like that should go into a custom module, or you're doing it wrong.
  • Use proper file permissions; never allow the web server to write to anything except the files folder.
  • PHP should have safe mode on, so that shell_exec can't run.
  • Don't share passwords for an admin user; rather create new accounts with the administrator role.

But that's only a start. There are many ways to hack drupal.
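Two of the tips above (keep the code in git so added or changed files stand out, and let the web server write only to the files folder) as POSIX shell checks a site maintainer can run against a deployed docroot. This is an added example, not code from the thread; it assumes a default Drupal 7 layout with public uploads under sites/default/files, which is passed as the second argument if your site differs.

```shell
#!/bin/sh
# Added example: concrete checks behind two tips in the thread
# ("all code in git" and "never allow the web server to write to anything
# except the files folder"). Assumes a default Drupal 7 layout where user
# uploads live in sites/default/files (pass another path as the second
# argument for a different public files directory).

# Print files under the docroot that are group- or world-writable, skipping
# the public files directory. On a correctly deployed site the web server
# user owns nothing in the docroot, so any such file is one a compromised
# PHP process could modify. Prints nothing when the tree is clean.
drupal_writable_outside_files() {
    docroot=$1
    files_dir=${2:-sites/default/files}
    find "$docroot" -path "$docroot/$files_dir" -prune -o -type f \
        \( -perm -002 -o -perm -020 \) -print
}

# Print files that drift from the committed code: modified, deleted, or new
# files that git does not know about. New files under the public files
# directory are expected (uploads) and are filtered out; anything else
# reported here (a new .php file, an edited core file) deserves a look.
drupal_git_drift() {
    docroot=$1
    files_dir=${2:-sites/default/files}
    git -C "$docroot" status --porcelain --untracked-files=all \
        | grep -v " $files_dir/" || true
}

# Usage: source this file, then run both checks against a deployed site:
#   drupal_writable_outside_files /var/www/drupal
#   drupal_git_drift /var/www/drupal
```

Run both from cron or a deploy hook and treat any output as something to investigate, not as a scan that proves a site clean.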

Yeah, we'll hack a Drupal site too

jony_niuqiang's picture

Yeah, we'll hack a Drupal site too when we meet up.

Personal WeChat public account: 左手读写
