SlideShare ist ein Scribd-Unternehmen logo

A bug's life - Drupal Application Security and Vulnerability Management

Als PPTX, PDF herunterladen
Balázs Tatár
Balázs Tatár

This session has been given at Drupal DevDays Transylvania in Cluj, Romania, 12 June 2019.

Technologie
1 von 43
A bug’s life Drupal Application Security and Vulnerability Management Tatar Balazs Janos - @tatarbj
Tatar Balazs Janos @tatarbj Works with Drupal since 2007 CTO @ Petend Drupal Security Correspondent @ European Commission Active mentor @ Mentoring community group Provisional member @ Drupal Security Team SecOSdreamer @ Secure Open Source dayTatar Balazs Janos @tatarbj WHO AM I?
A bug’s life Security awareness at work Tatar Balazs Janos @tatarbj Source: https://www.kisspng.com/png-flik-ant-insect-atta-the-walt-disney-company-bug-s-2727501/
SECURITY AWARENESS Security measures at our work place Programs to educate employees Individual responsibilities for company security policies Measures to audit these efforts Tatar Balazs Janos @tatarbj Source: http://www.bugs.org/dream/teachers/index.html
ORGANISATIONAL STRUCTURES Top-down approach Creating security policies Assessing your company’s vulnerabilities Investing in security technologies Tatar Balazs Janos @tatarbj Enterprise level Source: https://blog.ferrovial.com/en/2016/11/what-have-ants-taught-architecture/
EASY-TO-IMPLEMENT STEPS Hints for small businesses Using different forms of Media to reinforce the Message Highlight recent attacks in News Seek the Services of a Professional Tatar Balazs Janos @tatarbj Source: https://cheezburger.com/7113430784/cnn-has-some-strange-reporters
Security issues are bugs with different severity and business impact. Tatar Balazs Janos @tatarbj
The bug Programming malfunction Authentication / Authorization / Data confidentiality / Data integrity No blaming game! Tatar Balazs Janos @tatarbj Source: https://www.welcomewildlife.com/true-bugs-the-good-the-bad-the-ugly/
The Eggs Planning and Security by Design Tatar Balazs Janos @tatarbj Source: https://pixabay.com/vectors/search/ant/
PLANNING PHRASE At the start of every IT projects Budgeting issues Continuous education Iterative approach Tatar Balazs Janos @tatarbj Source: https://www.wired.com/2014/11/harvester-ants-randomly-move-their-nests/
THINKING EVIL™ Method by Andrew van der Stock Tatar Balazs Janos @tatarbj
Is the process surrounding this feature as safe as possible? In other words, is this a flawed process? Tatar Balazs Janos @tatarbj
If I were evil, how would I abuse this feature? Tatar Balazs Janos @tatarbj
Is the feature required to be on by default? If so, are there limits or options that could help reduce the risk from this feature? Tatar Balazs Janos @tatarbj
SECURITY PRINCIPLES I. First and second-parties Minimize attack surface area Establish secure defaults Least privilege Defense in depth Fail securely Tatar Balazs Janos @tatarbj SECURITY PRINCIPLES I. First and second-parties Minimize attack surface area Establish secure defaults Least privilege Defense in depth Fail securely Tatar Balazs Janos @tatarbj Source: https://www.britishbugs.org.uk/heteroptera/Pentatomidae/pentotoma_rufipes.html
SECURITY PRINCIPLES II. Third-parties Don’t trust services Separation of duties Avoid security by obscurity Keep security simple Fix security issues correctly Tatar Balazs Janos @tatarbj Source: https://www.twincities.com/2015/06/21/catch-bugs-for-scientists-to-study-at-interstate-state-park/
The Caterpillar Development iterations until the first release Tatar Balazs Janos @tatarbj Source: https://www.stickpng.com/img/animals/insects/caterpillars/caterpillar-clipart
Stakeholders’ knowledge of basic principles and how they may be implemented in software product is vital to software security. Tatar Balazs Janos @tatarbj
THE BASIC SKILLS The secure mind-set Protection from disclosure/alteration/destruction Rights and privileges belonging to the requester Ability to build historical evidence Management of configuration, sessions and errors/exceptions Tatar Balazs Janos @tatarbj Source: https://species.wikimedia.org/wiki/Coccinella_septempunctata
APPLICATION LEVEL SECURITY Protection of your application Sanitize inputs at the client side and server side Verify file upload functionality Use only current encryption and hashing algorithms Check the randomness of the session Make sure third party libraries are secured Set strong password policy Tatar Balazs Janos @tatarbj Source: https://www.pinterest.com/pin/67554063138904545
INFRASTRUCTURE LEVEL SECURITY Protection of your host Use HTTPS for domain entries Do not allow for directory listing Use TLS not SSL Hide web server information Tatar Balazs Janos @tatarbj Source: https://www.vice.com/en_us/article/d7ezaq/what-would-happen-if-all-the-bees-died-tomorrow
WEB SECURITY PRACTICES Protection of your users Encode request/response Do not store sensitive data inside cookies Set secure and HttpOnly flags in cookies Do not store sensitive information in a form’s hidden fields Set secure response headers Tatar Balazs Janos @tatarbj Source: https://www.pexels.com/photo/bee-hiding-1244184/
The Chrysalis First releases of the application Tatar Balazs Janos @tatarbj Source: https://www.nicepng.com/ourpic/u2e6a9o0y3u2y3e6_becoming-a-chrysalis-butterfly-caterpillar-monarch-i-ytimg/
VULNERABILITY ASSESSMENT Forest of the false positive issues Environmental conditions Scanning of the application / infrastructure Iterative approach to improve findings Asset management Tatar Balazs Janos @tatarbj Source: https://99px.ru/avatari_vkontakte/10916/
SECURITY ASSESSMENT VA + manual verification Looking to gain a broad coverage of the systems under test No exploitation of vulnerabilities Verification by authorized access Examining logs, system responses, error messages, code, etc… Tatar Balazs Janos @tatarbj Source: https://masterok.livejournal.com/4202997.html
Penetration tests simulate attacks by malicious parties. Tatar Balazs Janos @tatarbj
SECURITY AUDIT VA + SA + Pentest Driven by a risk function to look at specific compliance issues Combination of different approaches Characterized by a narrow scope Tatar Balazs Janos @tatarbj Source: https://ccsenvironmental.uk/weird-and-funny-facts-about-insects-and-bugs/
SECURITY REVIEW And something else then before Verification that industry or internal security standards have been applied Gap analysis, review of design documents and architecture diagrams Activity that does not utilize any of VA, SA, Pentest or Security audit approaches Tatar Balazs Janos @tatarbj Source: https://www.britishbugs.org.uk/heteroptera/Pentatomidae/pentotoma_rufipes.html
The Butterfly Maintenance releases and activities Tatar Balazs Janos @tatarbj Source: https://www.pngkey.com/detail/u2q8w7a9o0q8e6u2_monarch-butterfly-transparent-background/
The three pillars Information security Tatar Balazs Janos @tatarbj
Confidentiality: only allow access to data for which the user is permitted Tatar Balazs Janos @tatarbj
Integrity: ensure data is not tampered or altered by unauthorized users Tatar Balazs Janos @tatarbj
Availability: ensure systems and data are available to authorized users when they need it Tatar Balazs Janos @tatarbj
VULNERABILITY MANAGEMENT Iterative identification Evolutive and corrective maintenance Detection Reporting Remediation Necessary mitigation vs. what-if cases Tatar Balazs Janos @tatarbj Source: https://www.thoughtco.com/fascinating-facts-about-ladybugs-1968120
TRUSTED SOURCES Monitor regularly Vendors, third party providers National Vulnerability Database (NVD) Common Vulnerabilities and Exposures (CVE) ... and the Drupal Security Team! Tatar Balazs Janos @tatarbj Source: https://blogs.iadb.org/sostenibilidad/en/the-fight-of-the-butterfly-restoring-haitis-native-species/
Drupal Vulnerability Management The tale behind the codes Tatar Balazs Janos @tatarbj
WHO AND HOW? Difficulties and authentication Access complexity None (AC:N) Basic (AC:B) Complex (AC:C) Authentication None (A:N) User (A:U) Admin (A:A) Tatar Balazs Janos @tatarbj Source: https://mymodernmet.com/adam-gor-butterfly-photography/
THE PILLARS OF INFORMATION SECURITY The measurable elements Confidentiality impact All (CI:A) Some (CI:S) None (CI:N) Integrity impact All (II:A) Some (II:S) None (II:N) Tatar Balazs Janos @tatarbj Source: http://www.fanpop.com/clubs/butterflies/images/9481952/title/beautiful-butterflies-wallpaper
Availability impact is out of the scope of Drupal VM. Tatar Balazs Janos @tatarbj
CONDITIONS OF THE SURFACE How does the application have to behave? Exploit (zero-day impact) Exploit (E:E) Proof (E:P) Theoretical (E:T) Target distribution All (TD:A) Default (TD:D) Uncommon (TD:U) Tatar Balazs Janos @tatarbj Source: https://commons.wikimedia.org/wiki/File:Bill_in_Ash_Vegas_-_2_Butterflies_(by).jpg
SecOSdays 25-26 October, 2019 – Sofia, Bulgaria Call For Sessions and Sponsors are open! Tatar Balazs Janos @tatarbj
Questions? Tatar Balazs Janos @tatarbj
Thank you! Tatar Balazs Janos @tatarbj

Empfohlen

A bug's life - Drupal Application Security and Vulnerability Management
A bug's life - Drupal Application Security and Vulnerability ManagementA bug's life - Drupal Application Security and Vulnerability Management
A bug's life - Drupal Application Security and Vulnerability ManagementBalázs Tatár
 
A bug's life - Decoupled Drupal Security and Vulnerability Management
A bug's life - Decoupled Drupal Security and Vulnerability ManagementA bug's life - Decoupled Drupal Security and Vulnerability Management
A bug's life - Decoupled Drupal Security and Vulnerability ManagementBalázs Tatár
 
Security Awareness for Open Source Web Applications
Security Awareness for Open Source Web ApplicationsSecurity Awareness for Open Source Web Applications
Security Awareness for Open Source Web ApplicationsBalázs Tatár
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesOWASP Delhi
 
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.ITCamp
 
Bug bounty
Bug bountyBug bounty
Bug bountyRamin Farajpour Cami
 
20160211 OWASP Charlotte RASP
20160211 OWASP Charlotte RASP20160211 OWASP Charlotte RASP
20160211 OWASP Charlotte RASPchadtindel
 
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTrivadis
 

Empfohlen

A bug's life - Drupal Application Security and Vulnerability Management
A bug's life - Drupal Application Security and Vulnerability ManagementA bug's life - Drupal Application Security and Vulnerability Management
A bug's life - Drupal Application Security and Vulnerability ManagementBalázs Tatár
 
A bug's life - Decoupled Drupal Security and Vulnerability Management
A bug's life - Decoupled Drupal Security and Vulnerability ManagementA bug's life - Decoupled Drupal Security and Vulnerability Management
A bug's life - Decoupled Drupal Security and Vulnerability ManagementBalázs Tatár
 
Security Awareness for Open Source Web Applications
Security Awareness for Open Source Web ApplicationsSecurity Awareness for Open Source Web Applications
Security Awareness for Open Source Web ApplicationsBalázs Tatár
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesOWASP Delhi
 
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.ITCamp
 
Bug bounty
Bug bountyBug bounty
Bug bountyRamin Farajpour Cami
 
20160211 OWASP Charlotte RASP
20160211 OWASP Charlotte RASP20160211 OWASP Charlotte RASP
20160211 OWASP Charlotte RASPchadtindel
 
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTrivadis
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10NowSecure
 
Seminar enkripsi unsyiah 15 nov 2013
Seminar enkripsi unsyiah 15 nov 2013Seminar enkripsi unsyiah 15 nov 2013
Seminar enkripsi unsyiah 15 nov 2013IGN MANTRA
 
Basics of getting Into Bug Bounty Hunting
Basics of getting Into Bug Bounty HuntingBasics of getting Into Bug Bounty Hunting
Basics of getting Into Bug Bounty HuntingMuhammad Khizer Javed
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threatsVishal Kumar
 
How To [relatively] Secure your Web Applications
How To [relatively] Secure your Web ApplicationsHow To [relatively] Secure your Web Applications
How To [relatively] Secure your Web ApplicationsAmmar WK
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
Mobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceMobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceNowSecure
 
2 . web app s canners
2 . web app s canners2 . web app s canners
2 . web app s cannersRashid Khatmey
 
OWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTranaOWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTranaIshan Mathur
 
Bug Bounty
Bug BountyBug Bounty
Bug BountyHariprasad KA
 
4 . future uni presentation
4 . future uni presentation4 . future uni presentation
4 . future uni presentationRashid Khatmey
 
Preparing for the inevitable: The mobile incident response playbook
Preparing for the inevitable: The mobile incident response playbookPreparing for the inevitable: The mobile incident response playbook
Preparing for the inevitable: The mobile incident response playbookNowSecure
 
Waratek overview 2016
Waratek overview 2016Waratek overview 2016
Waratek overview 2016Waratek Ltd
 
A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013 A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013 Sorina Chirilă
 
Bug bounty
Bug bountyBug bounty
Bug bountyn|u - The Open Security Community
 
Bug Bounty Hunter's Manifesto V1.0
Bug Bounty Hunter's Manifesto V1.0Bug Bounty Hunter's Manifesto V1.0
Bug Bounty Hunter's Manifesto V1.0Dinesh O Bareja
 
3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmedRashid Khatmey
 
Bug Bounty Secrets
Bug Bounty Secrets Bug Bounty Secrets
Bug Bounty Secrets n|u - The Open Security Community
 
Deception in Cyber Security (League of Women in Cyber Security)
Deception in Cyber Security (League of Women in Cyber Security)Deception in Cyber Security (League of Women in Cyber Security)
Deception in Cyber Security (League of Women in Cyber Security)Phillip Maddux
 
ACRNA Webinar #5: Cyber Security – The Unlikely Romance
ACRNA Webinar #5: Cyber Security – The Unlikely RomanceACRNA Webinar #5: Cyber Security – The Unlikely Romance
ACRNA Webinar #5: Cyber Security – The Unlikely RomanceCasey Ellis
 
Butler
ButlerButler
ButlerThomas Butler, CISSP, CEH, CHFI, CISA, CPA, CIA
 
So You Want a Job in Cybersecurity
So You Want a Job in CybersecuritySo You Want a Job in Cybersecurity
So You Want a Job in CybersecurityTeri Radichel
 

Weitere ähnliche Inhalte

Was ist angesagt?

OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10NowSecure
 
Seminar enkripsi unsyiah 15 nov 2013
Seminar enkripsi unsyiah 15 nov 2013Seminar enkripsi unsyiah 15 nov 2013
Seminar enkripsi unsyiah 15 nov 2013IGN MANTRA
 
Basics of getting Into Bug Bounty Hunting
Basics of getting Into Bug Bounty HuntingBasics of getting Into Bug Bounty Hunting
Basics of getting Into Bug Bounty HuntingMuhammad Khizer Javed
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threatsVishal Kumar
 
How To [relatively] Secure your Web Applications
How To [relatively] Secure your Web ApplicationsHow To [relatively] Secure your Web Applications
How To [relatively] Secure your Web ApplicationsAmmar WK
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
Mobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceMobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceNowSecure
 
OWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTranaOWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTranaIshan Mathur
 
4 . future uni presentation
4 . future uni presentation4 . future uni presentation
4 . future uni presentationRashid Khatmey
 
Preparing for the inevitable: The mobile incident response playbook
Preparing for the inevitable: The mobile incident response playbookPreparing for the inevitable: The mobile incident response playbook
Preparing for the inevitable: The mobile incident response playbookNowSecure
 
Waratek overview 2016
Waratek overview 2016Waratek overview 2016
Waratek overview 2016Waratek Ltd
 
A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013 A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013 Sorina Chirilă
 
Bug Bounty Hunter's Manifesto V1.0
Bug Bounty Hunter's Manifesto V1.0Bug Bounty Hunter's Manifesto V1.0
Bug Bounty Hunter's Manifesto V1.0Dinesh O Bareja
 
3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmedRashid Khatmey
 
Deception in Cyber Security (League of Women in Cyber Security)
Deception in Cyber Security (League of Women in Cyber Security)Deception in Cyber Security (League of Women in Cyber Security)
Deception in Cyber Security (League of Women in Cyber Security)Phillip Maddux
 
ACRNA Webinar #5: Cyber Security – The Unlikely Romance
ACRNA Webinar #5: Cyber Security – The Unlikely RomanceACRNA Webinar #5: Cyber Security – The Unlikely Romance
ACRNA Webinar #5: Cyber Security – The Unlikely RomanceCasey Ellis
 

Was ist angesagt? (20)

OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10
 
Seminar enkripsi unsyiah 15 nov 2013
Seminar enkripsi unsyiah 15 nov 2013Seminar enkripsi unsyiah 15 nov 2013
Seminar enkripsi unsyiah 15 nov 2013
 
Basics of getting Into Bug Bounty Hunting
Basics of getting Into Bug Bounty HuntingBasics of getting Into Bug Bounty Hunting
Basics of getting Into Bug Bounty Hunting
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threats
 
How To [relatively] Secure your Web Applications
How To [relatively] Secure your Web ApplicationsHow To [relatively] Secure your Web Applications
How To [relatively] Secure your Web Applications
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
Mobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceMobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic Menace
 
2 . web app s canners
2 . web app s canners2 . web app s canners
2 . web app s canners
 
OWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTranaOWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTrana
 
Bug Bounty
Bug BountyBug Bounty
Bug Bounty
 
4 . future uni presentation
4 . future uni presentation4 . future uni presentation
4 . future uni presentation
 
Preparing for the inevitable: The mobile incident response playbook
Preparing for the inevitable: The mobile incident response playbookPreparing for the inevitable: The mobile incident response playbook
Preparing for the inevitable: The mobile incident response playbook
 
Waratek overview 2016
Waratek overview 2016Waratek overview 2016
Waratek overview 2016
 
A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013 A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013
 
Bug bounty
Bug bountyBug bounty
Bug bounty
 
Bug Bounty Hunter's Manifesto V1.0
Bug Bounty Hunter's Manifesto V1.0Bug Bounty Hunter's Manifesto V1.0
Bug Bounty Hunter's Manifesto V1.0
 
3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed
 
Bug Bounty Secrets
Bug Bounty Secrets Bug Bounty Secrets
Bug Bounty Secrets
 
Deception in Cyber Security (League of Women in Cyber Security)
Deception in Cyber Security (League of Women in Cyber Security)Deception in Cyber Security (League of Women in Cyber Security)
Deception in Cyber Security (League of Women in Cyber Security)
 
ACRNA Webinar #5: Cyber Security – The Unlikely Romance
ACRNA Webinar #5: Cyber Security – The Unlikely RomanceACRNA Webinar #5: Cyber Security – The Unlikely Romance
ACRNA Webinar #5: Cyber Security – The Unlikely Romance
 

Ähnlich wie A bug's life - Drupal Application Security and Vulnerability Management

So You Want a Job in Cybersecurity
So You Want a Job in CybersecuritySo You Want a Job in Cybersecurity
So You Want a Job in CybersecurityTeri Radichel
 
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To StartDevSecOps for Developers: How To Start
DevSecOps for Developers: How To StartPatricia Aas
 
ATT&CKcon Power Hour - ATT&CK-onomics - gert-jan bruggink
ATT&CKcon Power Hour - ATT&CK-onomics - gert-jan brugginkATT&CKcon Power Hour - ATT&CK-onomics - gert-jan bruggink
ATT&CKcon Power Hour - ATT&CK-onomics - gert-jan brugginkGert-Jan Bruggink
 
Partner Zymbian & Fortinet webinar on Web2.0 security
Partner Zymbian & Fortinet webinar on Web2.0 securityPartner Zymbian & Fortinet webinar on Web2.0 security
Partner Zymbian & Fortinet webinar on Web2.0 securityZymbian
 
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksCiNPA Security SIG
 
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by AdversariesATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by AdversariesMITRE - ATT&CKcon
 
How Romanian companies are developing secure applications on Azure.pptx
How Romanian companies are developing secure applications on Azure.pptxHow Romanian companies are developing secure applications on Azure.pptx
How Romanian companies are developing secure applications on Azure.pptxRadu Vunvulea
 
IRJET- Impact of Ethical Hacking on Business and Governments
IRJET- Impact of Ethical Hacking on Business and GovernmentsIRJET- Impact of Ethical Hacking on Business and Governments
IRJET- Impact of Ethical Hacking on Business and GovernmentsIRJET Journal
 
INTERFACE by apidays 2023 - Securing LLM and NLP APIs, Ads Dawson & Jared Kra...
INTERFACE by apidays 2023 - Securing LLM and NLP APIs, Ads Dawson & Jared Kra...INTERFACE by apidays 2023 - Securing LLM and NLP APIs, Ads Dawson & Jared Kra...
INTERFACE by apidays 2023 - Securing LLM and NLP APIs, Ads Dawson & Jared Kra...apidays
 
DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)Patricia Aas
 
Common NonStop security hacks and how to avoid them
Common NonStop security hacks and how to avoid themCommon NonStop security hacks and how to avoid them
Common NonStop security hacks and how to avoid themGreg Swedosh
 
Drupal Camp Atlanta 2011 - Drupal Security
Drupal Camp Atlanta 2011 - Drupal SecurityDrupal Camp Atlanta 2011 - Drupal Security
Drupal Camp Atlanta 2011 - Drupal SecurityMediacurrent
 
Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest Haydn Johnson
 
Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Nilesh Sapariya
 

Ähnlich wie A bug's life - Drupal Application Security and Vulnerability Management (20)

Butler
ButlerButler
Butler
 
So You Want a Job in Cybersecurity
So You Want a Job in CybersecuritySo You Want a Job in Cybersecurity
So You Want a Job in Cybersecurity
 
cybersecurity-careers.pdf
cybersecurity-careers.pdfcybersecurity-careers.pdf
cybersecurity-careers.pdf
 
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To StartDevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
 
Overview of Information Security & Privacy
Overview of Information Security & PrivacyOverview of Information Security & Privacy
Overview of Information Security & Privacy
 
ATT&CKcon Power Hour - ATT&CK-onomics - gert-jan bruggink
ATT&CKcon Power Hour - ATT&CK-onomics - gert-jan brugginkATT&CKcon Power Hour - ATT&CK-onomics - gert-jan bruggink
ATT&CKcon Power Hour - ATT&CK-onomics - gert-jan bruggink
 
Security assessment with a hint of CISSP Prep
Security assessment with a hint of CISSP PrepSecurity assessment with a hint of CISSP Prep
Security assessment with a hint of CISSP Prep
 
Partner Zymbian & Fortinet webinar on Web2.0 security
Partner Zymbian & Fortinet webinar on Web2.0 securityPartner Zymbian & Fortinet webinar on Web2.0 security
Partner Zymbian & Fortinet webinar on Web2.0 security
 
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal Tricks
 
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by AdversariesATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
 
Butler
ButlerButler
Butler
 
How Romanian companies are developing secure applications on Azure.pptx
How Romanian companies are developing secure applications on Azure.pptxHow Romanian companies are developing secure applications on Azure.pptx
How Romanian companies are developing secure applications on Azure.pptx
 
Penetration testing by Burpsuite
Penetration testing by BurpsuitePenetration testing by Burpsuite
Penetration testing by Burpsuite
 
IRJET- Impact of Ethical Hacking on Business and Governments
IRJET- Impact of Ethical Hacking on Business and GovernmentsIRJET- Impact of Ethical Hacking on Business and Governments
IRJET- Impact of Ethical Hacking on Business and Governments
 
INTERFACE by apidays 2023 - Securing LLM and NLP APIs, Ads Dawson & Jared Kra...
INTERFACE by apidays 2023 - Securing LLM and NLP APIs, Ads Dawson & Jared Kra...INTERFACE by apidays 2023 - Securing LLM and NLP APIs, Ads Dawson & Jared Kra...
INTERFACE by apidays 2023 - Securing LLM and NLP APIs, Ads Dawson & Jared Kra...
 
DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)
 
Common NonStop security hacks and how to avoid them
Common NonStop security hacks and how to avoid themCommon NonStop security hacks and how to avoid them
Common NonStop security hacks and how to avoid them
 
Drupal Camp Atlanta 2011 - Drupal Security
Drupal Camp Atlanta 2011 - Drupal SecurityDrupal Camp Atlanta 2011 - Drupal Security
Drupal Camp Atlanta 2011 - Drupal Security
 
Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest
 
Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015
 

Mehr von Balázs Tatár

How To Have Fun in Open Source - CMS Garden Unconference 2019
How To Have Fun in Open Source - CMS Garden Unconference 2019How To Have Fun in Open Source - CMS Garden Unconference 2019
How To Have Fun in Open Source - CMS Garden Unconference 2019Balázs Tatár
 
Software Development Weaknesses - SecOSdays Sofia, 2019
Software Development Weaknesses - SecOSdays Sofia, 2019Software Development Weaknesses - SecOSdays Sofia, 2019
Software Development Weaknesses - SecOSdays Sofia, 2019Balázs Tatár
 
Let's write secure Drupal code! DUG Belgium - 08/08/2019
Let's write secure Drupal code! DUG Belgium - 08/08/2019Let's write secure Drupal code! DUG Belgium - 08/08/2019
Let's write secure Drupal code! DUG Belgium - 08/08/2019Balázs Tatár
 
Let's write secure drupal code! - Drupal Camp Pannonia 2019
Let's write secure drupal code! - Drupal Camp Pannonia 2019Let's write secure drupal code! - Drupal Camp Pannonia 2019
Let's write secure drupal code! - Drupal Camp Pannonia 2019Balázs Tatár
 
Let's write secure Drupal code! - Drupal Camp Poland 2019
Let's write secure Drupal code! - Drupal Camp Poland 2019Let's write secure Drupal code! - Drupal Camp Poland 2019
Let's write secure Drupal code! - Drupal Camp Poland 2019Balázs Tatár
 
Let's write secure Drupal code! - DrupalCamp Kyiv 2019
Let's write secure Drupal code! - DrupalCamp Kyiv 2019Let's write secure Drupal code! - DrupalCamp Kyiv 2019
Let's write secure Drupal code! - DrupalCamp Kyiv 2019Balázs Tatár
 
Let's write secure Drupal code! - DrupalCamp Belarus 2019
Let's write secure Drupal code! - DrupalCamp Belarus 2019Let's write secure Drupal code! - DrupalCamp Belarus 2019
Let's write secure Drupal code! - DrupalCamp Belarus 2019Balázs Tatár
 
Let's write secure Drupal code! - DrupalCamp Spain 2019
Let's write secure Drupal code! - DrupalCamp Spain 2019Let's write secure Drupal code! - DrupalCamp Spain 2019
Let's write secure Drupal code! - DrupalCamp Spain 2019Balázs Tatár
 
DrupalCon Seattle 2019 - Mentoring Booth slides
DrupalCon Seattle 2019 - Mentoring Booth slidesDrupalCon Seattle 2019 - Mentoring Booth slides
DrupalCon Seattle 2019 - Mentoring Booth slidesBalázs Tatár
 
Let's write secure Drupal code! Drupal MountainCamp 2019
Let's write secure Drupal code! Drupal MountainCamp 2019Let's write secure Drupal code! Drupal MountainCamp 2019
Let's write secure Drupal code! Drupal MountainCamp 2019Balázs Tatár
 
Let's write secure Drupal code! - DrupalCamp London 2019
Let's write secure Drupal code! - DrupalCamp London 2019Let's write secure Drupal code! - DrupalCamp London 2019
Let's write secure Drupal code! - DrupalCamp London 2019Balázs Tatár
 
Everything You Always Wanted to Know About Drupal Security* (*But Were Afraid...
Everything You Always Wanted to Know About Drupal Security* (*But Were Afraid...Everything You Always Wanted to Know About Drupal Security* (*But Were Afraid...
Everything You Always Wanted to Know About Drupal Security* (*But Were Afraid...Balázs Tatár
 
Everything You Always Wanted to Know About Drupal Security (*But Were Afraid ...
Everything You Always Wanted to Know About Drupal Security (*But Were Afraid ...Everything You Always Wanted to Know About Drupal Security (*But Were Afraid ...
Everything You Always Wanted to Know About Drupal Security (*But Were Afraid ...Balázs Tatár
 
Let's write secure Drupal code! - DrupalCamp Oslo, 2018
Let's write secure Drupal code! - DrupalCamp Oslo, 2018Let's write secure Drupal code! - DrupalCamp Oslo, 2018
Let's write secure Drupal code! - DrupalCamp Oslo, 2018Balázs Tatár
 
Mentoring slides - Drupal Europe, Darmstadt, Germany 2018
Mentoring slides - Drupal Europe, Darmstadt, Germany 2018Mentoring slides - Drupal Europe, Darmstadt, Germany 2018
Mentoring slides - Drupal Europe, Darmstadt, Germany 2018Balázs Tatár
 
Let's write secure Drupal code! - 13.09.2018 @ Drupal Europe, Darmstadt, Germany
Let's write secure Drupal code! - 13.09.2018 @ Drupal Europe, Darmstadt, GermanyLet's write secure Drupal code! - 13.09.2018 @ Drupal Europe, Darmstadt, Germany
Let's write secure Drupal code! - 13.09.2018 @ Drupal Europe, Darmstadt, GermanyBalázs Tatár
 
Let's write secure Drupal code!
Let's write secure Drupal code!Let's write secure Drupal code!
Let's write secure Drupal code!Balázs Tatár
 
Let's write secure drupal code!
Let's write secure drupal code!Let's write secure drupal code!
Let's write secure drupal code!Balázs Tatár
 
Quality assurance in practice
Quality assurance in practiceQuality assurance in practice
Quality assurance in practiceBalázs Tatár
 
Quality assurance in practice - coffee meeting, January, DIGIT
Quality assurance in practice - coffee meeting, January, DIGITQuality assurance in practice - coffee meeting, January, DIGIT
Quality assurance in practice - coffee meeting, January, DIGITBalázs Tatár
 

Mehr von Balázs Tatár (20)

How To Have Fun in Open Source - CMS Garden Unconference 2019
How To Have Fun in Open Source - CMS Garden Unconference 2019How To Have Fun in Open Source - CMS Garden Unconference 2019
How To Have Fun in Open Source - CMS Garden Unconference 2019
 
Software Development Weaknesses - SecOSdays Sofia, 2019
Software Development Weaknesses - SecOSdays Sofia, 2019Software Development Weaknesses - SecOSdays Sofia, 2019
Software Development Weaknesses - SecOSdays Sofia, 2019
 
Let's write secure Drupal code! DUG Belgium - 08/08/2019
Let's write secure Drupal code! DUG Belgium - 08/08/2019Let's write secure Drupal code! DUG Belgium - 08/08/2019
Let's write secure Drupal code! DUG Belgium - 08/08/2019
 
Let's write secure drupal code! - Drupal Camp Pannonia 2019
Let's write secure drupal code! - Drupal Camp Pannonia 2019Let's write secure drupal code! - Drupal Camp Pannonia 2019
Let's write secure drupal code! - Drupal Camp Pannonia 2019
 
Let's write secure Drupal code! - Drupal Camp Poland 2019
Let's write secure Drupal code! - Drupal Camp Poland 2019Let's write secure Drupal code! - Drupal Camp Poland 2019
Let's write secure Drupal code! - Drupal Camp Poland 2019
 
Let's write secure Drupal code! - DrupalCamp Kyiv 2019
Let's write secure Drupal code! - DrupalCamp Kyiv 2019Let's write secure Drupal code! - DrupalCamp Kyiv 2019
Let's write secure Drupal code! - DrupalCamp Kyiv 2019
 
Let's write secure Drupal code! - DrupalCamp Belarus 2019
Let's write secure Drupal code! - DrupalCamp Belarus 2019Let's write secure Drupal code! - DrupalCamp Belarus 2019
Let's write secure Drupal code! - DrupalCamp Belarus 2019
 
Let's write secure Drupal code! - DrupalCamp Spain 2019
Let's write secure Drupal code! - DrupalCamp Spain 2019Let's write secure Drupal code! - DrupalCamp Spain 2019
Let's write secure Drupal code! - DrupalCamp Spain 2019
 
DrupalCon Seattle 2019 - Mentoring Booth slides
DrupalCon Seattle 2019 - Mentoring Booth slidesDrupalCon Seattle 2019 - Mentoring Booth slides
DrupalCon Seattle 2019 - Mentoring Booth slides
 
Let's write secure Drupal code! Drupal MountainCamp 2019
Let's write secure Drupal code! Drupal MountainCamp 2019Let's write secure Drupal code! Drupal MountainCamp 2019
Let's write secure Drupal code! Drupal MountainCamp 2019
 
Let's write secure Drupal code! - DrupalCamp London 2019
Let's write secure Drupal code! - DrupalCamp London 2019Let's write secure Drupal code! - DrupalCamp London 2019
Let's write secure Drupal code! - DrupalCamp London 2019
 
Everything You Always Wanted to Know About Drupal Security* (*But Were Afraid...
Everything You Always Wanted to Know About Drupal Security* (*But Were Afraid...Everything You Always Wanted to Know About Drupal Security* (*But Were Afraid...
Everything You Always Wanted to Know About Drupal Security* (*But Were Afraid...
 
Everything You Always Wanted to Know About Drupal Security (*But Were Afraid ...
Everything You Always Wanted to Know About Drupal Security (*But Were Afraid ...Everything You Always Wanted to Know About Drupal Security (*But Were Afraid ...
Everything You Always Wanted to Know About Drupal Security (*But Were Afraid ...
 
Let's write secure Drupal code! - DrupalCamp Oslo, 2018
Let's write secure Drupal code! - DrupalCamp Oslo, 2018Let's write secure Drupal code! - DrupalCamp Oslo, 2018
Let's write secure Drupal code! - DrupalCamp Oslo, 2018
 
Mentoring slides - Drupal Europe, Darmstadt, Germany 2018
Mentoring slides - Drupal Europe, Darmstadt, Germany 2018Mentoring slides - Drupal Europe, Darmstadt, Germany 2018
Mentoring slides - Drupal Europe, Darmstadt, Germany 2018
 
Let's write secure Drupal code! - 13.09.2018 @ Drupal Europe, Darmstadt, Germany
Let's write secure Drupal code! - 13.09.2018 @ Drupal Europe, Darmstadt, GermanyLet's write secure Drupal code! - 13.09.2018 @ Drupal Europe, Darmstadt, Germany
Let's write secure Drupal code! - 13.09.2018 @ Drupal Europe, Darmstadt, Germany
 
Let's write secure Drupal code!
Let's write secure Drupal code!Let's write secure Drupal code!
Let's write secure Drupal code!
 
Let's write secure drupal code!
Let's write secure drupal code!Let's write secure drupal code!
Let's write secure drupal code!
 
Quality assurance in practice
Quality assurance in practiceQuality assurance in practice
Quality assurance in practice
 
Quality assurance in practice - coffee meeting, January, DIGIT
Quality assurance in practice - coffee meeting, January, DIGITQuality assurance in practice - coffee meeting, January, DIGIT
Quality assurance in practice - coffee meeting, January, DIGIT
 

Kürzlich hochgeladen

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 

Kürzlich hochgeladen (20)

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 

A bug's life - Drupal Application Security and Vulnerability Management

  • 1. A bug’s life Drupal Application Security and Vulnerability Management Tatar Balazs Janos - @tatarbj
  • 2. Tatar Balazs Janos @tatarbj Works with Drupal since 2007 CTO @ Petend Drupal Security Correspondent @ European Commission Active mentor @ Mentoring community group Provisional member @ Drupal Security Team SecOSdreamer @ Secure Open Source dayTatar Balazs Janos @tatarbj WHO AM I?
  • 3. A bug’s life Security awareness at work Tatar Balazs Janos @tatarbj Source: https://www.kisspng.com/png-flik-ant-insect-atta-the-walt-disney-company-bug-s-2727501/
  • 4. SECURITY AWARENESS Security measures at our work place Programs to educate employees Individual responsibilities for company security policies Measures to audit these efforts Tatar Balazs Janos @tatarbj Source: http://www.bugs.org/dream/teachers/index.html
  • 5. ORGANISATIONAL STRUCTURES Top-down approach Creating security policies Assessing your company’s vulnerabilities Investing in security technologies Tatar Balazs Janos @tatarbj Enterprise level Source: https://blog.ferrovial.com/en/2016/11/what-have-ants-taught-architecture/
  • 6. EASY-TO-IMPLEMENT STEPS Hints for small businesses Using different forms of Media to reinforce the Message Highlight recent attacks in News Seek the Services of a Professional Tatar Balazs Janos @tatarbj Source: https://cheezburger.com/7113430784/cnn-has-some-strange-reporters
  • 7. Security issues are bugs with different severity and business impact. Tatar Balazs Janos @tatarbj
  • 8. The bug Programming malfunction Authentication / Authorization / Data confidentiality / Data integrity No blaming game! Tatar Balazs Janos @tatarbj Source: https://www.welcomewildlife.com/true-bugs-the-good-the-bad-the-ugly/
  • 9. The Eggs Planning and Security by Design Tatar Balazs Janos @tatarbj Source: https://pixabay.com/vectors/search/ant/
  • 10. PLANNING PHRASE At the start of every IT projects Budgeting issues Continuous education Iterative approach Tatar Balazs Janos @tatarbj Source: https://www.wired.com/2014/11/harvester-ants-randomly-move-their-nests/
  • 11. THINKING EVIL™ Method by Andrew van der Stock Tatar Balazs Janos @tatarbj
  • 12. Is the process surrounding this feature as safe as possible? In other words, is this a flawed process? Tatar Balazs Janos @tatarbj
  • 13. If I were evil, how would I abuse this feature? Tatar Balazs Janos @tatarbj
  • 14. Is the feature required to be on by default? If so, are there limits or options that could help reduce the risk from this feature? Tatar Balazs Janos @tatarbj
  • 15. SECURITY PRINCIPLES I. First and second-parties Minimize attack surface area Establish secure defaults Least privilege Defense in depth Fail securely Tatar Balazs Janos @tatarbj SECURITY PRINCIPLES I. First and second-parties Minimize attack surface area Establish secure defaults Least privilege Defense in depth Fail securely Tatar Balazs Janos @tatarbj Source: https://www.britishbugs.org.uk/heteroptera/Pentatomidae/pentotoma_rufipes.html
  • 16. SECURITY PRINCIPLES II. Third-parties Don’t trust services Separation of duties Avoid security by obscurity Keep security simple Fix security issues correctly Tatar Balazs Janos @tatarbj Source: https://www.twincities.com/2015/06/21/catch-bugs-for-scientists-to-study-at-interstate-state-park/
  • 17. The Caterpillar Development iterations until the first release Tatar Balazs Janos @tatarbj Source: https://www.stickpng.com/img/animals/insects/caterpillars/caterpillar-clipart
  • 18. Stakeholders’ knowledge of basic principles and how they may be implemented in software product is vital to software security. Tatar Balazs Janos @tatarbj
  • 19. THE BASIC SKILLS The secure mind-set Protection from disclosure/alteration/destruction Rights and privileges belonging to the requester Ability to build historical evidence Management of configuration, sessions and errors/exceptions Tatar Balazs Janos @tatarbj Source: https://species.wikimedia.org/wiki/Coccinella_septempunctata
  • 20. APPLICATION LEVEL SECURITY Protection of your application Sanitize inputs at the client side and server side Verify file upload functionality Use only current encryption and hashing algorithms Check the randomness of the session Make sure third party libraries are secured Set strong password policy Tatar Balazs Janos @tatarbj Source: https://www.pinterest.com/pin/67554063138904545
  • 21. INFRASTRUCTURE LEVEL SECURITY Protection of your host Use HTTPS for domain entries Do not allow for directory listing Use TLS not SSL Hide web server information Tatar Balazs Janos @tatarbj Source: https://www.vice.com/en_us/article/d7ezaq/what-would-happen-if-all-the-bees-died-tomorrow
  • 22. WEB SECURITY PRACTICES Protection of your users Encode request/response Do not store sensitive data inside cookies Set secure and HttpOnly flags in cookies Do not store sensitive information in a form’s hidden fields Set secure response headers Tatar Balazs Janos @tatarbj Source: https://www.pexels.com/photo/bee-hiding-1244184/
  • 23. The Chrysalis First releases of the application Tatar Balazs Janos @tatarbj Source: https://www.nicepng.com/ourpic/u2e6a9o0y3u2y3e6_becoming-a-chrysalis-butterfly-caterpillar-monarch-i-ytimg/
  • 24. VULNERABILITY ASSESSMENT Forest of the false positive issues Environmental conditions Scanning of the application / infrastructure Iterative approach to improve findings Asset management Tatar Balazs Janos @tatarbj Source: https://99px.ru/avatari_vkontakte/10916/
  • 25. SECURITY ASSESSMENT VA + manual verification Looking to gain a broad coverage of the systems under test No exploitation of vulnerabilities Verification by authorized access Examining logs, system responses, error messages, code, etc… Tatar Balazs Janos @tatarbj Source: https://masterok.livejournal.com/4202997.html
  • 26. Penetration tests simulate attacks by malicious parties. Tatar Balazs Janos @tatarbj
  • 27. SECURITY AUDIT VA + SA + Pentest Driven by a risk function to look at specific compliance issues Combination of different approaches Characterized by a narrow scope Tatar Balazs Janos @tatarbj Source: https://ccsenvironmental.uk/weird-and-funny-facts-about-insects-and-bugs/
  • 28. SECURITY REVIEW And something else then before Verification that industry or internal security standards have been applied Gap analysis, review of design documents and architecture diagrams Activity that does not utilize any of VA, SA, Pentest or Security audit approaches Tatar Balazs Janos @tatarbj Source: https://www.britishbugs.org.uk/heteroptera/Pentatomidae/pentotoma_rufipes.html
  • 29. The Butterfly Maintenance releases and activities Tatar Balazs Janos @tatarbj Source: https://www.pngkey.com/detail/u2q8w7a9o0q8e6u2_monarch-butterfly-transparent-background/
  • 30. The three pillars Information security Tatar Balazs Janos @tatarbj
  • 31. Confidentiality: only allow access to data for which the user is permitted Tatar Balazs Janos @tatarbj
  • 32. Integrity: ensure data is not tampered or altered by unauthorized users Tatar Balazs Janos @tatarbj
  • 33. Availability: ensure systems and data are available to authorized users when they need it Tatar Balazs Janos @tatarbj
  • 34. VULNERABILITY MANAGEMENT Iterative identification Evolutive and corrective maintenance Detection Reporting Remediation Necessary mitigation vs. what-if cases Tatar Balazs Janos @tatarbj Source: https://www.thoughtco.com/fascinating-facts-about-ladybugs-1968120
  • 35. TRUSTED SOURCES Monitor regularly Vendors, third party providers National Vulnerability Database (NVD) Common Vulnerabilities and Exposures (CVE) ... and the Drupal Security Team! Tatar Balazs Janos @tatarbj Source: https://blogs.iadb.org/sostenibilidad/en/the-fight-of-the-butterfly-restoring-haitis-native-species/
  • 36. Drupal Vulnerability Management The tale behind the codes Tatar Balazs Janos @tatarbj
  • 37. WHO AND HOW? Difficulties and authentication Access complexity None (AC:N) Basic (AC:B) Complex (AC:C) Authentication None (A:N) User (A:U) Admin (A:A) Tatar Balazs Janos @tatarbj Source: https://mymodernmet.com/adam-gor-butterfly-photography/
  • 38. THE PILLARS OF INFORMATION SECURITY The measurable elements Confidentiality impact All (CI:A) Some (CI:S) None (CI:N) Integrity impact All (II:A) Some (II:S) None (II:N) Tatar Balazs Janos @tatarbj Source: http://www.fanpop.com/clubs/butterflies/images/9481952/title/beautiful-butterflies-wallpaper
  • 39. Availability impact is out of the scope of Drupal VM. Tatar Balazs Janos @tatarbj
  • 40. CONDITIONS OF THE SURFACE How does the application have to behave? Exploit (zero-day impact) Exploit (E:E) Proof (E:P) Theoretical (E:T) Target distribution All (TD:A) Default (TD:D) Uncommon (TD:U) Tatar Balazs Janos @tatarbj Source: https://commons.wikimedia.org/wiki/File:Bill_in_Ash_Vegas_-_2_Butterflies_(by).jpg
  • 41. SecOSdays 25-26 October, 2019 – Sofia, Bulgaria Call For Sessions and Sponsors are open! Tatar Balazs Janos @tatarbj
  • 43. Thank you! Tatar Balazs Janos @tatarbj

Hinweis der Redaktion

  1. Each test is approached using a consistent and complete methodology in a way that allows the tester to use their problem solving abilities, the output from a range of tools and their own knowledge of networking and systems to find vulnerabilities that would/ could not be identified by automated tools.
  2. Each test is approached using a consistent and complete methodology in a way that allows the tester to use their problem solving abilities, the output from a range of tools and their own knowledge of networking and systems to find vulnerabilities that would/ could not be identified by automated tools.
  3. Each test is approached using a consistent and complete methodology in a way that allows the tester to use their problem solving abilities, the output from a range of tools and their own knowledge of networking and systems to find vulnerabilities that would/ could not be identified by automated tools.