security


Drupal module selection in the enterprise: lists and processes

We are driving ourselves crazy, folks. Choosing modules is really hard. And it's only getting harder on enterprise Drupal sites (and enterprise just means big teams with big sites and big requirements).

A recent conversation on twitter started by Drupal rock star Katherine Bailey shows how module selection on a big site can drive you crazy:

So, today I'm going to lay out some ideas I've found for reducing the madness: choosing good modules both as an individual and as a member of an enterprise Drupal site. Of course the enterprise practices build on the set of guidelines for an individual site builder. I'd love to get feedback on other techniques people have used for module selection in big team, big site, enterprise environments.

Module selection best practices

  1. First, identify your need and try to be as generic as possible. If you say "Building an event system" you may skew your results toward the Event module when what you really need is some combination of Date, Calendar, Views, and Signup.
  2. Next, search around for modules that match what you need and look for recipes and tips from blogs or groups.drupal.org. This is often where you will find great advice on which is the best module to choose. Try the similar module review group which is an amazing resource.


Drupal Security Report: Connect with Fans, Reason to Sponsor

Recently our company worked with partners and sponsors to create a thoroughly researched, high quality document about the state of security in the open source Drupal project. You can download the report from DrupalSecurityReport.org, but right now I want to talk about the motivations, the audience, and the funding model behind the report because we feel that we've solved a tricky problem: funding expensive work in an easily copied medium (PDF downloads). We decided to try a variation on Techdirt's strategy to "Connect with Fans and give them a Reason to Buy".

This report was something that my colleague Ben Jeavons and I had wanted to do for a long time, but we couldn't fund it entirely from our own company resources. The target audience for the report is people who are considering Drupal and we didn't feel that they would be willing to spend money purchasing the report.

Connect with Fans

Fortunately, we have built up an audience among people interested in Drupal Security. Last fall I did a security webinar for a few hundred folks leveraging Acquia's webinars. Our blogs are directly read by a few thousand people interested in Drupal and are syndicated to over 20,000 readers interested in the topic. We've also done several presentations on Drupal security.

So, with a purpose and some fans in tow, we turned to business contacts we've made over the years to see if they could help with funding.

Reason to Sponsor

Based on discussions with them, our sponsors were motivated to sponsor the report based on three major ideas (and one sub-idea).

  1. They sell Drupal in the enterprise space and are often confronted with questions about security and don't have a good answer. They wanted something they could point to.


Security training and sessions at Drupalcon Copenhagen

Carl, Ezra, Lisa, and I will be at DrupalCon Copenhagen later this month. We're giving a handful of sessions and running a training. So, if you're in Copenhagen on August 23rd and interested in security training for identifying and fixing common security risks on your site, join us! Check out Security: Process, code & hands-on training to sign up.

Our Sessions at Drupalcon

Drupal Security Paper update

Last week we published a minor update to the Drupal Security Paper, a report on the state of Drupal security and how it addresses security risks and concerns. We expanded some of the Security Advisory analysis data and made a few minor corrections. If you have not read it, now is a great time to take a few minutes and give it a read.



Drupal Security Report

Last week at DrupalCon SF we released the Drupal Security White Paper on drupalsecurityreport.org. The paper has been under development for the last several months and we worked hard to complete it in time for DrupalCon.

Addressing ongoing questions about Drupal security, the paper analyzes the Security Team's Security Advisories and discusses how Drupal 6 and 7 address common and critical security risks, including those of the OWASP Top Ten.

We couldn't have done it without the help of our sponsors, including Cydeck and Examiner.com among others, and without the help of our reviewers. Thank you!

If you're evaluating Drupal for use on your site, this report is for you. Or, if you're just curious to know more about Drupal and how it addresses security risks please give it a read.



Some Trainings at DrupalCon SF selling out - and GVS Proposed Sessions

DrupalCons are great for learning new things and the conference in San Francisco this April will be no different. What will be different is that this year there are formalized training sessions happening the day before the conference really starts. If you want to get a more structured day of training before the somewhat unpredictable sessions start, you can.

Training sessions from GVS: Security and Site Building

The team at GVS is teaching two training courses and offering a handful of sessions. Our security training course was just increased to hold more participants and our course on site building is also looking to fill up. If you're interested in either please sign up soon!

GVS Proposed Sessions for Drupalcon

Session voting just started and we've proposed a variety of sessions, including training, module maintenance, using theme preprocess functions, and site-building. Here's the full list:



Security Review module and securing your Drupal site

Drupal core is very secure by default, but you can unknowingly open vulnerabilities with insecure configuration. An example of this is how allowing anonymous, untrusted users to use any HTML tag in comments opens a cross-site scripting attack vector on your site.

I'd like to introduce the Security Review module for automatically checking for insecure configuration and helping you maintain a secure Drupal site. The first release includes the following checks:

  • Insecure file system permissions
  • Insecure input formats
  • Dangerous code in nodes and comments
  • Printed errors
  • Private files directory not set outside the web root
  • Dangerous allowed upload extensions
  • Permissions granted to untrusted roles

Security Review also looks for signs of common attacks such as SQL injection/system probing and brute-force login attempts.

The module reports the result of each check as pass or fail and provides details on an accompanying page. Checks may not be 100% accurate on every system, so individual checks can be skipped. I often skip the error reporting check while on a development instance of my site. The checks are explained in detail and, where applicable, there are links to online documentation.

Future plans for the module include popular contrib module checks and notification support. I encourage you to give the module a run on your sites and let me know what you think in the comments!



Submitting Protected Forms Programmatically with Safe User Impersonation

When a form protected by spam prevention measures such as captcha or Mollom is submitted with drupal_execute, validation can fail unless the spam protection is properly suppressed.

This blog post describes the background and solution to a bug that previously existed in the Signup Integration for Ubercart module (uc_signup), and explains the techniques used to fix the bug. It is written with developers and aspiring developers in mind, though other people interested in how Drupal works might also find it interesting.

drupal_execute is a function often used in data imports that allows a developer to take a collection of form values and submit them programmatically. The main reason to use drupal_execute over another technique such as user_save() is that with drupal_execute, Drupal calls the validation and submission functions for the form.

The Context: How uc_signup Uses drupal_execute

In the Signup integration for Ubercart module, we sometimes create a new user account and populate the user's profile with data that was submitted on a form separate from the core user profile form. In earlier versions of uc_signup, we created the new account with user_save. However, this allowed crafty users to leave required fields blank by skipping the form and proceeding to checkout, so we switched to drupal_execute, which ensures that the form's validation gets executed.

The Problem

The drupal_execute function is relatively easy to use -- just pass in the form_id and form values you'd like to submit to the form.

However, we soon got a bug report: one user saw a validation error at the point where the new user account is saved, with the captcha module enabled for the user registration form.


Security review service for Drupal sites

The security of your website and application is something to take seriously. As members of the Drupal Security Team, and having written the only book on Drupal security, we at Growing Venture Solutions take security very seriously. GVS also co-authored the first comprehensive white paper on Drupal security. We offer specific services for site and application security review, as an integrated unit or as individual pieces. We believe that security is a process, not a project, and that site owners must be equipped with knowledge, support, and training in addition to periodic expert reviews.

Standard reports

All of our services culminate in a written report which we deliver to you and use as a way to frame a final oral report with developers and project stakeholders. We combine the results of the interviews and code/configuration research into a gap-analysis compared to relevant industry best practices. This is then prioritized based on the unique needs/services of your site to give a set of recommendations in order of importance.

1. Drupal core and contributed module configuration analysis

Certain configurations can open a vector for attack on your site. Visitors to your site should be able to interact under the conditions you have set, and no more. We start by asking some background questions about your site and review its configuration to identify potential weak points. We utilize a mix of automated and manual reviews to efficiently analyze any size of site.

2. Targeted code analysis



Web Application Security in Denver

Web Application Security is a growing interest for me. Some activities I attended last week seem to show that it's a growing interest in general. Last Wednesday night the OWASP Denver chapter hosted a meeting of about 50 people at Raytheon Polar Services in Southeast Denver. After the free pizza and administrivia, the meat of the presentation was from the two major developers of Grendel Scan.

The Open Web Application Security Project - Denver

As chapter organizer David Campbell said, OWASP could also stand for Owning Web Applications while Sipping Pints. All I can say is that if you're a developer you should go to at least one OWASP meeting. You'll learn enough that you'll be scared - which is the right place to start. Then you can harness that fear and learn enough to be empowered to protect your code. If you're a manager, you need to give your employees time off so they'll go to this.

Then, you should look for tools that can help your developers and QA folks in their work.

Vulnerability Assessments With Grendel Scan

Grendel Scan is a vulnerability assessment tool written by David Byrne and Eric Duprey, employees of TrustWave and Echostar respectively. It is a surprisingly powerful tool given that they've only been working on it for about a year. The 1.0 version will be released at the upcoming DefCon and I think it will instantly become pretty popular. In my initial testing it found weaknesses while providing relatively few false positives. Unfortunately, the version currently

But, as the authors of Grendel stressed several times, scanning tools are just a start. What you really need is a complete end-to-end consciousness of security issues.

HP / SpiDynamics - Live Hacking Workshop



Drupal Security?

Check the presentation formatted version of this page.

Greg Knaddison

Growing Venture Solutions

2008/07/27 14:00

DrupalCamp Colorado

