SlideShare ist ein Scribd-Unternehmen logo

10 Ways Drupal 8 is More Secure

P
Peter

Presentation at Drupal North 2016 http://www.drupalnorth.org/en/session/10-ways-drupal-8-more-secure In a blog post last year I talked about 10 ways Drupal 8 is more secure than past versions. This talk will go into more depth and background on those points and why they matter. I will place each of the security improvements into the context of more general PHP web application security (such as which OWASP Top 10 vulnerability it relates to).

Software
1 von 39
Downloaden Sie, um offline zu lesen
10 Ways Drupal 8 is More Secure Peter M.Wolanin June 18,2016 Drupal North 2016 -Montréal
1. Twig templates used for html generation! 2. Removed PHP input filter! 3. Site configuration exportable, manageable as code! 4. User content entry and filtering improved! 5. Hardened user session and session ID handling! 6. Automated CSRF tokens via route definitions! 7. Trusted host patterns enforced for requests! 8. SQL limited to executing single statements! 9. Clickjacking protection enabled by default! 10.Core JavaScript API Compatible with CSP The 10 Ways 2
Drupal 5, 6, 7, 8 core contributor 
 drupal.org/user/49851! Drupal Security Team! Acquia Engineering! Helped implement several of the Drupal 8 features in this talk! DrupalCamp NJ organizer Who Am I? 3 https://www.drupal.org/u/pwolanin Photo by amazeelabs, by-nc-sa
https://www.owasp.org/! Has self-study materials, best practices, and cheat sheets! Software tools like the ZAP proxy ! “The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.”! Ordered by risk, not just prevalence Open Web Application Security Project (OWASP) 4
1. Injection (such as SQL, shell commands, etc)! 2. Broken Authentication and Session Management ! 3. Cross-Site Scripting (XSS)! 4. Insecure Direct Object References! 5. Security Misconfiguration! 6. Sensitive Data Exposure! 7. Missing Function Level Access Control! 8. Cross-Site Request Forgery (CSRF)! 9. Using Components with Known Vulnerabilities! 10.Unvalidated Redirects and Forwards OWASP Top Ten 5
Some of these are very broad - and the order does not match the frequency of Drupal vulns ! #5 Security Misconfiguration (including outdated software) - applies to every layer of your stack! #9 Using Components with Known Vulnerabilities - applies to every layer of your stack! Do you know if there was a vulnerability in some code you got via composer? Open Web Application Security Project (OWASP) Top Ten 6
OWASP Top Ten #3: Cross-Site Scripting (XSS)! OWASP Top Ten #1: Injection! Drupal 8 enables Twig auto-escaping - this feature went on a long and winding cycle of implementation (“string” as object, safe string list)! Twig limits the scope of functionality - can’t run SQL or arbitrary PHP in a template ! Twig is also easier to read/write for people who are not PHP coders (or really, for everyone) #1 Twig templates used for html generation 7
#1 Twig templates used for html generation 8
#1 Twig templates used for html generation 9
theme() functions deprecated and will be removed in Drupal 9 - don’t add new ones.! Theme autoescape helper function added #1 Twig templates used for html generation 10
OWASP Top Ten #1: Injection (SQL, PHP, etc)! In Drupal 7 getting access to an admin Drupal login is trivially escalated to total control of the site and a server shell! For Drupal 7, importing something like a View required importing executable PHP code #2 Removed PHP input filter and the use of PHP as a configuration import format 11
Other areas where PHP snippets might have been used in Drupal 7 including block visibility, field defaults, etc. have been removed! If you need special logic - put it in a module file in git where you can track it! #2 Removed PHP input filter and the use of PHP as a configuration import format 12
The Configuration Management Initiative (CMI)! Exported YAML files can be managed together with your code in git! Auditable history of configuration changes! Diff your active config to what’s in the codebase #3 Site configuration exportable, manageable as code, and versionable 13
14
Contributed module allows locking production configuration
 drupal.org/project/config_readonly! You can also hook into the configuration system to log each change #3 Site configuration exportable, manageable as code, and versionable 15
#4 Filtering Text http://flickr.com/photos/pinksherbet/253412963/
OWASP Top Ten #3: Cross-Site Scripting (XSS)! Integration of the editor configuration and the text filter configuration reduces the inclination to grant full HTML access! You know full HTML is the same as the ability to hijack your whole site via XSS, right? #4 User content entry and filtering improved 17
18 The corresponding HTML tag (the U tag) is added to the allowed list: Drag a new button from the available to enabled section in the editor configuration:
Core text filtering supports limiting users to using only images local to the site! Attribute filtering was a late, but important, addition (Issue #2549077, Sep 30, 2015)! Attribute filtering is important since it allows you to block various appearance tricks (e.g. SPAM text with a class making it invisible) and ajax hijacking - we blocked some of that in SA-CORE-2015-003 #4 User content entry and filtering improved 19
OWASP Top Ten #2: Broken Authentication and Session Management! Hashed session IDs in database! Mixed-mode session support removed! Leading “www.” is no longer stripped from the session cookie domain #5 Hardened user session and session ID handling 20
Drupal 7 a stolen session ID (sid or ssid) from a database dump can be used to hijack a session! This can’t happen in Drupal 8 (using core DB session handling) #5 Hardened user session and session ID handling 21
22 ! --! -- Dumping data for table `sessions`! --! ! LOCK TABLES `sessions` WRITE;! /*!40000 ALTER TABLE `sessions` DISABLE KEYS */;! ! INSERT INTO `sessions` ! VALUES ! (1,’lNeHVJs6XmKq0vew4gizoAo-_B18LA-1G_EcABK8KaI’,! ‘','127.0.0.1',1466174035,0,'');! ! INSERT INTO `sessions`! VALUES! (130,’PdV0vPyj0hOahcTq3eJQOZ1WBA-0n8BZVsxBywbkMgE',! ‘','127.0.0.1',1466174490,0,'');! ! !
23
24
OWASP Top Ten #8: Cross-Site Request Forgery (CSRF)! Very common Drupal vulnerability - a menu callback (route) does an action like unpublish or delete or comment approval on GET! Drupal 7 required custom code to add and validate a token - Drupal 8 makes it easy #6 Automated CSRF token protection in route definitions 25
#6 Automated CSRF token protection in route definitions 26 entity.shortcut.link_delete_inline:! path: '/admin/config/user-interface/shortcut/link/{shortcut}/delete-inline'! defaults:! _controller: 'DrupalshortcutControllerShortcutController::deleteShortcutLinkInline'! requirements:! _entity_access: 'shortcut.delete'! _csrf_token: 'TRUE'
OWASP Top Ten #5: Security Misconfiguration! Handbook page on host header spoofing: drupal.org/node/1992030! In settings.php you need to define a set of patterns and only matching hostnames are allowed when bootstrapping Drupal #7 Trusted host patterns enforced for requests 27
#7 Trusted host patterns enforced for requests 28
OWASP Top Ten #1: Injection (SQL, PHP, etc)! Drupal 6 used the PHP mysqli driver - this only allows a single statement to be sent to the DB server in each call! Drupal 7 and 8 use PDO MySQL - this allowed unlimited statements in each call to the DB server - who knew? #8 SQL limited to executing single statements 29
Why was SA-CORE-2014-05 so bad? ! Multiple vectors accessible to anonymous users! A single read query (e.g. looking up a username) could be converted into a read plus one or more inserts or updates - multiple SQL statements! This means Drupal 7 on MySQL was actually a lot more vulnerable to SQL injection than Drupal 6! #8 SQL limited to executing single statements 30
PDO MySQL limited to executing single statements via PHP flag in >= 5.6.5 or 5.5.21! Good news - that’s also in 7.40+! Required changing PHP’s PDO MySQL driver! Delimiter checking added for all Drupal 8 SQL drivers #8 SQL limited to executing single statements 31
SQL injection is still very dangerous, however - a UNION query can be used to exfiltrate data like hashed passwords or the values of variables #8 SQL limited to executing single statements 32
X-Frame-Options: SAMEORIGIN! Prevents the site from being served inside an iframe ! This blocks so-called click-jacking attacks! Prevents content hijacking via iframing! Not in OWASP Top Ten, but a favorite of independent security researchers #9 Clickjacking protection enabled by default 33
OWASP Top Ten #3: Cross-Site Scripting (XSS)! Content Security Policy v2: 
 https://www.w3.org/TR/CSP2/! Drupal 8 JS settings added to page content as JSON, not a script that’s executed! There is no inline JS in core (not supported), so all inline JS can be blocked by CSP greatly reducing the possible XSS attack surface #10 Core JavaScript API Compatible with CSP 34
#10 Core JavaScript API Compatible with CSP 35 Drupal 7 settings - inline JS in the HEAD
#10 Core JavaScript API Compatible with CSP 36 Drupal 8 settings - JSON content near the end of the body
Drupal 8 is more secure than Drupal 7 and many of the security features actually enhance DX or user experience! Drupal 8 does have possible new risks due to the inclusion of 3rd party libraries! Extensive refactoring of code to a more OO style and to use new APIs may also have introduced bugs with security impact To Sum It Up Licensed: http://creativecommons.org/licenses/by-nc-sa/2.0/ This presentation is © 2016, Acquia, Inc.
Thank you! Drupal North 2016 -Montréal How was it? -questions please.
1. Twig templates used for html generation! 2. Removed PHP input filter! 3. Site configuration exportable, manageable as code! 4. User content entry and filtering improved! 5. Hardened user session and session ID handling! 6. Automated CSRF tokens via route definitions! 7. Trusted host patterns enforced for requests! 8. SQL limited to executing single statements! 9. Clickjacking protection enabled by default! 10.Core JavaScript API Compatible with CSP The 10 Ways 39

Empfohlen

Hack Proof Your Drupal Site
Hack Proof Your Drupal SiteHack Proof Your Drupal Site
Hack Proof Your Drupal SiteNaveen Valecha
 
Hack proof your drupal site- DrupalCamp Hyderabad
Hack proof your drupal site- DrupalCamp HyderabadHack proof your drupal site- DrupalCamp Hyderabad
Hack proof your drupal site- DrupalCamp HyderabadNaveen Valecha
 
Apache Solr Changes the Way You Build Sites
Apache Solr Changes the Way You Build SitesApache Solr Changes the Way You Build Sites
Apache Solr Changes the Way You Build SitesPeter
 
Theme Kickstart
Theme KickstartTheme Kickstart
Theme KickstartPeter
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 

Empfohlen

Hack Proof Your Drupal Site
Hack Proof Your Drupal SiteHack Proof Your Drupal Site
Hack Proof Your Drupal SiteNaveen Valecha
 
Hack proof your drupal site- DrupalCamp Hyderabad
Hack proof your drupal site- DrupalCamp HyderabadHack proof your drupal site- DrupalCamp Hyderabad
Hack proof your drupal site- DrupalCamp HyderabadNaveen Valecha
 
Apache Solr Changes the Way You Build Sites
Apache Solr Changes the Way You Build SitesApache Solr Changes the Way You Build Sites
Apache Solr Changes the Way You Build SitesPeter
 
Theme Kickstart
Theme KickstartTheme Kickstart
Theme KickstartPeter
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456KiaraTiradoMicha
 
ManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Nitya salvi
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdfPearlKirahMaeRagusta1
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...SelfMade bd
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrandmasabamasaba
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verifiedSector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verifiedDelhi Call girls
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesVictorSzoltysek
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech studentsHimanshiGarg82
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfWilly Marroquin (WillyDevNET)
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park masabamasaba
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfproinshot.com
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture CodeSkeleton Technologies
 

Weitere ähnliche Inhalte

Kürzlich hochgeladen

LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456KiaraTiradoMicha
 
ManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Nitya salvi
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdfPearlKirahMaeRagusta1
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...SelfMade bd
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrandmasabamasaba
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verifiedSector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verifiedDelhi Call girls
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesVictorSzoltysek
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech studentsHimanshiGarg82
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park masabamasaba
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfproinshot.com
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 

Kürzlich hochgeladen (20)

LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456
 
ManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide Deck
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verifiedSector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 

Empfohlen

AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Applitools
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at WorkGetSmarter
 

Empfohlen (20)

AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work
 
ChatGPT webinar slides
ChatGPT webinar slidesChatGPT webinar slides
ChatGPT webinar slides
 
More than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike RoutesMore than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike Routes
 

10 Ways Drupal 8 is More Secure

  • 1. 10 Ways Drupal 8 is More Secure Peter M.Wolanin June 18,2016 Drupal North 2016 -Montréal
  • 2. 1. Twig templates used for html generation! 2. Removed PHP input filter! 3. Site configuration exportable, manageable as code! 4. User content entry and filtering improved! 5. Hardened user session and session ID handling! 6. Automated CSRF tokens via route definitions! 7. Trusted host patterns enforced for requests! 8. SQL limited to executing single statements! 9. Clickjacking protection enabled by default! 10.Core JavaScript API Compatible with CSP The 10 Ways 2
  • 3. Drupal 5, 6, 7, 8 core contributor 
 drupal.org/user/49851! Drupal Security Team! Acquia Engineering! Helped implement several of the Drupal 8 features in this talk! DrupalCamp NJ organizer Who Am I? 3 https://www.drupal.org/u/pwolanin Photo by amazeelabs, by-nc-sa
  • 4. https://www.owasp.org/! Has self-study materials, best practices, and cheat sheets! Software tools like the ZAP proxy ! “The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.”! Ordered by risk, not just prevalence Open Web Application Security Project (OWASP) 4
  • 5. 1. Injection (such as SQL, shell commands, etc)! 2. Broken Authentication and Session Management ! 3. Cross-Site Scripting (XSS)! 4. Insecure Direct Object References! 5. Security Misconfiguration! 6. Sensitive Data Exposure! 7. Missing Function Level Access Control! 8. Cross-Site Request Forgery (CSRF)! 9. Using Components with Known Vulnerabilities! 10.Unvalidated Redirects and Forwards OWASP Top Ten 5
  • 6. Some of these are very broad - and the order does not match the frequency of Drupal vulns ! #5 Security Misconfiguration (including outdated software) - applies to every layer of your stack! #9 Using Components with Known Vulnerabilities - applies to every layer of your stack! Do you know if there was a vulnerability in some code you got via composer? Open Web Application Security Project (OWASP) Top Ten 6
  • 7. OWASP Top Ten #3: Cross-Site Scripting (XSS)! OWASP Top Ten #1: Injection! Drupal 8 enables Twig auto-escaping - this feature went on a long and winding cycle of implementation (“string” as object, safe string list)! Twig limits the scope of functionality - can’t run SQL or arbitrary PHP in a template ! Twig is also easier to read/write for people who are not PHP coders (or really, for everyone) #1 Twig templates used for html generation 7
  • 8. #1 Twig templates used for html generation 8
  • 9. #1 Twig templates used for html generation 9
  • 10. theme() functions deprecated and will be removed in Drupal 9 - don’t add new ones.! Theme autoescape helper function added #1 Twig templates used for html generation 10
  • 11. OWASP Top Ten #1: Injection (SQL, PHP, etc)! In Drupal 7 getting access to an admin Drupal login is trivially escalated to total control of the site and a server shell! For Drupal 7, importing something like a View required importing executable PHP code #2 Removed PHP input filter and the use of PHP as a configuration import format 11
  • 12. Other areas where PHP snippets might have been used in Drupal 7 including block visibility, field defaults, etc. have been removed! If you need special logic - put it in a module file in git where you can track it! #2 Removed PHP input filter and the use of PHP as a configuration import format 12
  • 13. The Configuration Management Initiative (CMI)! Exported YAML files can be managed together with your code in git! Auditable history of configuration changes! Diff your active config to what’s in the codebase #3 Site configuration exportable, manageable as code, and versionable 13
  • 14. 14
  • 15. Contributed module allows locking production configuration
 drupal.org/project/config_readonly! You can also hook into the configuration system to log each change #3 Site configuration exportable, manageable as code, and versionable 15
  • 17. OWASP Top Ten #3: Cross-Site Scripting (XSS)! Integration of the editor configuration and the text filter configuration reduces the inclination to grant full HTML access! You know full HTML is the same as the ability to hijack your whole site via XSS, right? #4 User content entry and filtering improved 17
  • 18. 18 The corresponding HTML tag (the U tag) is added to the allowed list: Drag a new button from the available to enabled section in the editor configuration:
  • 19. Core text filtering supports limiting users to using only images local to the site! Attribute filtering was a late, but important, addition (Issue #2549077, Sep 30, 2015)! Attribute filtering is important since it allows you to block various appearance tricks (e.g. SPAM text with a class making it invisible) and ajax hijacking - we blocked some of that in SA-CORE-2015-003 #4 User content entry and filtering improved 19
  • 20. OWASP Top Ten #2: Broken Authentication and Session Management! Hashed session IDs in database! Mixed-mode session support removed! Leading “www.” is no longer stripped from the session cookie domain #5 Hardened user session and session ID handling 20
  • 21. Drupal 7 a stolen session ID (sid or ssid) from a database dump can be used to hijack a session! This can’t happen in Drupal 8 (using core DB session handling) #5 Hardened user session and session ID handling 21
  • 22. 22 ! --! -- Dumping data for table `sessions`! --! ! LOCK TABLES `sessions` WRITE;! /*!40000 ALTER TABLE `sessions` DISABLE KEYS */;! ! INSERT INTO `sessions` ! VALUES ! (1,’lNeHVJs6XmKq0vew4gizoAo-_B18LA-1G_EcABK8KaI’,! ‘','127.0.0.1',1466174035,0,'');! ! INSERT INTO `sessions`! VALUES! (130,’PdV0vPyj0hOahcTq3eJQOZ1WBA-0n8BZVsxBywbkMgE',! ‘','127.0.0.1',1466174490,0,'');! ! !
  • 23. 23
  • 24. 24
  • 25. OWASP Top Ten #8: Cross-Site Request Forgery (CSRF)! Very common Drupal vulnerability - a menu callback (route) does an action like unpublish or delete or comment approval on GET! Drupal 7 required custom code to add and validate a token - Drupal 8 makes it easy #6 Automated CSRF token protection in route definitions 25
  • 26. #6 Automated CSRF token protection in route definitions 26 entity.shortcut.link_delete_inline:! path: '/admin/config/user-interface/shortcut/link/{shortcut}/delete-inline'! defaults:! _controller: 'DrupalshortcutControllerShortcutController::deleteShortcutLinkInline'! requirements:! _entity_access: 'shortcut.delete'! _csrf_token: 'TRUE'
  • 27. OWASP Top Ten #5: Security Misconfiguration! Handbook page on host header spoofing: drupal.org/node/1992030! In settings.php you need to define a set of patterns and only matching hostnames are allowed when bootstrapping Drupal #7 Trusted host patterns enforced for requests 27
  • 28. #7 Trusted host patterns enforced for requests 28
  • 29. OWASP Top Ten #1: Injection (SQL, PHP, etc)! Drupal 6 used the PHP mysqli driver - this only allows a single statement to be sent to the DB server in each call! Drupal 7 and 8 use PDO MySQL - this allowed unlimited statements in each call to the DB server - who knew? #8 SQL limited to executing single statements 29
  • 30. Why was SA-CORE-2014-05 so bad? ! Multiple vectors accessible to anonymous users! A single read query (e.g. looking up a username) could be converted into a read plus one or more inserts or updates - multiple SQL statements! This means Drupal 7 on MySQL was actually a lot more vulnerable to SQL injection than Drupal 6! #8 SQL limited to executing single statements 30
  • 31. PDO MySQL limited to executing single statements via PHP flag in >= 5.6.5 or 5.5.21! Good news - that’s also in 7.40+! Required changing PHP’s PDO MySQL driver! Delimiter checking added for all Drupal 8 SQL drivers #8 SQL limited to executing single statements 31
  • 32. SQL injection is still very dangerous, however - a UNION query can be used to exfiltrate data like hashed passwords or the values of variables #8 SQL limited to executing single statements 32
  • 33. X-Frame-Options: SAMEORIGIN! Prevents the site from being served inside an iframe ! This blocks so-called click-jacking attacks! Prevents content hijacking via iframing! Not in OWASP Top Ten, but a favorite of independent security researchers #9 Clickjacking protection enabled by default 33
  • 34. OWASP Top Ten #3: Cross-Site Scripting (XSS)! Content Security Policy v2: 
 https://www.w3.org/TR/CSP2/! Drupal 8 JS settings added to page content as JSON, not a script that’s executed! There is no inline JS in core (not supported), so all inline JS can be blocked by CSP greatly reducing the possible XSS attack surface #10 Core JavaScript API Compatible with CSP 34
  • 35. #10 Core JavaScript API Compatible with CSP 35 Drupal 7 settings - inline JS in the HEAD
  • 36. #10 Core JavaScript API Compatible with CSP 36 Drupal 8 settings - JSON content near the end of the body
  • 37. Drupal 8 is more secure than Drupal 7 and many of the security features actually enhance DX or user experience! Drupal 8 does have possible new risks due to the inclusion of 3rd party libraries! Extensive refactoring of code to a more OO style and to use new APIs may also have introduced bugs with security impact To Sum It Up Licensed: http://creativecommons.org/licenses/by-nc-sa/2.0/ This presentation is © 2016, Acquia, Inc.
  • 38. Thank you! Drupal North 2016 -Montréal How was it? -questions please.
  • 39. 1. Twig templates used for html generation! 2. Removed PHP input filter! 3. Site configuration exportable, manageable as code! 4. User content entry and filtering improved! 5. Hardened user session and session ID handling! 6. Automated CSRF tokens via route definitions! 7. Trusted host patterns enforced for requests! 8. SQL limited to executing single statements! 9. Clickjacking protection enabled by default! 10.Core JavaScript API Compatible with CSP The 10 Ways 39