Establishing IT Security Credibility & Expertise
But seriously…
CMS Security and Federal IT Requirements:
Drupal vs. The Field
Mike Nescot, JBS International
http://drupal.jbsinternational.com
Marketing Drupal
CMS Security: Expanding Complexity
Comparison
• Drupal (http://drupal.org)
• Joomla (http://joomla.org)
• WordPress (http://wordpress.org)
• Liferay (http://liferay.org)
• SharePoint (http://sharepoint.org)
Comparison Points
• Code Repository
• API Security
• Security Management Model
• Security Controls and Tools: FISMA
Repository
• Drupal: Open source, Git, drupal.org
• Joomla: Open source, Git, GitHub
• WordPress: Open source, Git mirror of SVN on wordpress.org
• SharePoint: Closed source, ?, TFS
• Liferay: Open source community edition, Git, GitHub
FreeBSD Compromise vs. Linux Kernel.org Compromise
API
• Drupal: PHP, procedural hook system > modularity: PSR2/Symfony
• Joomla: PHP, design patterns-based, OO, MVC
• WordPress: PHP, hook system (actions & filters)
• SharePoint: .NET, server and client object model > app model & REST
• Liferay: Java, JVM, internal and external API, portlet, MVC portlet, JSF
API Security
• Drupal: Input filters (t(), check_plain, filter_xss, db_query); entities; form tokens; auth cookies; password hashing & salting (SHA512), Twig
• Joomla: Filters (JRequest, JFactory::getDBO())
• WordPress: Filters (wp_filter_kses(), $wpdb)
• Liferay: Security Manager: Portal Access Control List (PACL), AntiSamy Hook (OWASP), DB Service Builder, Velocity
• SharePoint: SharePoint Object Model, .NET HTTP Validation, Apps, Master Pages
Vulnerabilities: NVD (3 years: high/medium)
• Drupal (192): XSS, script insertion, SQL injection, access bypass, file upload, code execution, CSRF, DoS, privilege escalation
• Joomla (171): SQL injection, XSS, file inclusion, information disclosure, code execution, file upload, directory traversal
• WordPress (233): file upload, SQL injection, XSS, CSRF, information disclosure, access bypass, DoS
• SharePoint (27): access bypass, XSS, object code execution, DoS, buffer overflow
• Liferay (3): access bypass, XSS, DoS, directory traversal
WordPress Plugin Vulnerabilities
• http://www.eweek.com/security/popular-wordpress-plugins-vulnerable-to-attack-checkmarx-research/
Security Management
• Drupal: Security Team: Resolve issues, assist module maintainers, documentation, responsible disclosure, secure coding guide, full project review
• Joomla: Joomla Security Team: vulnerable extension list, secure coding guide
• WordPress: laissez-faire, data validation guide
• SharePoint: Service packs, app review
• Liferay: Security team (focused on core), open app marketplace
Open Source Community &
Competition
• Drupal and WordPress
• Ease of Use vs. Power
• Good Enough, Means to an End
• Object-Oriented = Harder to Use
• Risk Management Trade-Offs
Security Tools & Controls (FISMA)
• Roles & Permissions (Access Controls)
• Federated Identity & Multi-Factor
Authentication
• Vulnerability Assessment
• Hardening
• Continuous Monitoring
• Hosting Platform & Environment
Roles & Permissions
• Drupal: Granular, flexible security permissions matrix; easy to create new roles and permissions; complex (distributions & mods: OA, WB)
• Joomla: Frontend & backend groups, administration area
• WordPress: Roles and capabilities, admin area
• SharePoint: SharePoint groups and roles, mapped to AD groups, site collection admins, elevated privileges
• Liferay: Granular system built on JSR-286
Federated Identity & Multi-Factor Authentication
• Drupal: OpenID, OAuth, LDAP, Google Authenticator, TFA/SMS, YubiKey, Duo, wikid, SAML: NIH Login, CAS: OMB MAX, PIV
• Joomla: OpenID, OAuth, SAML, YubiKey, smartcards
• WordPress: OpenID, OAuth, LDAP, SAML, SMS, Duo
• SharePoint: AD, LDAP, AD LDS, ADFS, claims-based identity, membership provider (AD)
• Liferay: SSO (LDAP, OpenAM), OpenID
Vulnerability Assessment
• Drupal: security review, coder/secure code
review, dpscan
• Joomla: Joomla OWASP scanner
• WordPress: WP Security Scan
• SharePoint: SharePoint Security Scanner
• Liferay: Standard tools
Hardening
• Drupal: Hardened Drupal, Guardr
• Joomla: jHackGuard
• WordPress: Integrated security plugins (Better WP Security, BulletProof Security), Secure WordPress
• SharePoint: Secure installation: Kerberos
• Liferay: Manual config guide
• All: Environment-specific controls
Continuous Monitoring
• Drupal: Nagios; SIEM (OSSIM); Watchdog:
dblog, MongoDB syslog; logstash
• Joomla: Jlog > syslog, commercial monitoring
• WordPress: Integrated packages, commercial
monitoring
• SharePoint: Microsoft System Center,
commercial packages
• Liferay: Audit EE: DB or log4j > syslog
Hosting Platform & Environment
• Drupal: LAMP: Apache/Nginx/IIS, MySQL/Maria/PostgreSQL/MSSQL/Oracle, PHP 5.3
• Joomla: LAMP: Apache/Nginx/IIS, MySQL/PostgreSQL/MSSQL, PHP 5.3
• WordPress: LAMP: PHP 5.2, MySQL
• SharePoint: Windows, IIS, SQL Server, Office 365 (FISMA cert), Azure, AWS, Rackspace
• Liferay: JVM, Tomcat/Glassfish/JBoss/Weblogic, JDBC (MySQL/Postgres)
• Everything: > cloud (AWS, OpenStack, FedRAMP), private cloud, SLA
D.Org Security Incident
• Drupal.org compromised
• Sophisticated DevOps Mgt
• Third-party software breached:
undisclosed
You Never Walk Alone With Drupal
Security Ninja
Thank You!!!
Comments, Questions, Criticism?
mnescot@jbsinternational.com
http://drupal.jbsinternational.com
