The Open Web Application Security Project (OWASP) maintains the OWASP Top 10, a list of the most critical web application security risks. Tag1 developed training sessions based on this list to teach website administrators how to avoid these vulnerabilities in the Drupal world, and has included infrastructure and database information as part of the sessions.

Tag1 Consulting’s experts can help you prevent and mitigate security problems on your website like the ones discussed here. We provide several services, including:

  • Consulting services: During planning and development, Tag1 helps you choose or write secure code and customized solutions.
  • Security audits: Before your website goes into production, Tag1 can perform a security audit to ensure that your website is as secure as possible.

The security training sessions:

These videos are discussions of the various security vulnerabilities identified by OWASP. Tag1 experts Fabian Franz, Vice President of Software Engineering; Moshe Weitzman, Senior Architect and Project Lead; Narayan Newton, CTO; and Michael Meyers, Managing Director, lead you through some common scenarios and how to avoid them.

Part 1 includes videos on OWASP Vulnerabilities 1 through 5. Watch for the next five videos, coming in Part 2 later this month.

Injection (#1)

Injection covers a wide group of attacks in which untrusted data is sent to an interpreter (a SQL engine, a shell, an LDAP server) as part of a command or query, so that the attacker's input changes what the command does. The consequences range from data loss, corruption and disclosure to denial of access. In this talk, we discuss Drupalgeddon (SA-CORE-2014-005, a SQL injection flaw in Drupal 7's database abstraction layer), what it did, and what caused it. We also cover some of the most common places injection can happen. Watch the video.

Broken Authentication (#2)

Authentication, the process of proving who you are to a website, is crucial to its security. "Broken authentication" covers flaws that let an attacker bypass that process or take over accounts: weak or reused passwords, unlimited login attempts, session identifiers that can be guessed or stolen. When authentication breaks, legitimate users can be locked out, or worse, attackers gain access to your users' accounts and data. Moshe and Fabian cover some ways you can prevent attackers from easily breaking your authentication, and how Drupal protects user data to make the attacker's job harder. Watch the video.

Sensitive Data Exposure (#3)

Sensitive data exposure is about attackers obtaining things they should never be able to see, such as API keys, password hashes, and backups. It is about stealing credentials rather than breaking the authentication process. This section of our talks discusses Drupal's methods of protecting this data, such as salted, hashed passwords, and the .htaccess files Drupal ships with, which block direct requests for backup and configuration files and stop uploaded scripts from executing in the files directory. Watch the video.
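The following is an added example serving both the Broken Authentication and Sensitive Data Exposure sections above; it is not code from the Tag1 videos or from Drupal core. It shows the primitives a login path needs: password storage with a per-hash random salt, a constant-time check, a dummy verification for unknown accounts so response time does not reveal whether a username exists, and per-account flood control. The user table and the in-memory flood store are constructed stand-ins (Drupal keeps flood events in its flood table); the limits in the comment are Drupal's defaults.

```php
<?php
// Added example, not code from the Tag1 videos or Drupal core.

function hashPassword(string $plain): string {
    // bcrypt with a fresh random salt on every call; the salt is stored
    // inside the returned string, so no separate column is needed.
    return password_hash($plain, PASSWORD_DEFAULT);
}

// In-memory stand-in for Drupal's flood service.
final class Flood {
    private array $events = [];

    // Drupal's default per-account limit is 5 failures in 6 hours (21600 s);
    // it also keeps a per-IP limit of 50 per hour, not modelled here.
    public function __construct(private int $limit = 5, private int $window = 21600) {}

    public function register(string $key, int $now): void {
        $this->events[$key][] = $now;
    }

    public function isAllowed(string $key, int $now): bool {
        $recent = array_filter($this->events[$key] ?? [], fn (int $t) => $t > $now - $this->window);
        return count($recent) < $this->limit;
    }
}

// A throwaway hash that unknown usernames are verified against, so a miss
// costs the same time as a wrong password for an existing account.
$dummyHash = hashPassword(bin2hex(random_bytes(16)));

function attemptLogin(array $users, Flood $flood, string $dummyHash, string $name, string $pass, int $now): string {
    if (!$flood->isAllowed($name, $now)) {
        return 'blocked'; // too many recent failures; the password is not even checked
    }
    $stored = $users[$name] ?? $dummyHash;
    // password_verify() is constant-time for the hash comparison; run it
    // before the existence check so both failure paths do the same work.
    $ok = password_verify($pass, $stored) && isset($users[$name]);
    if (!$ok) {
        $flood->register($name, $now);
        return 'denied'; // identical answer for unknown user and wrong password
    }
    return 'ok';
}

// Constructed usage: one account, one wrong guess, one unknown user, one success.
$users = ['alice' => hashPassword('correct horse battery staple')];
$flood = new Flood();
$now = time();
echo attemptLogin($users, $flood, $dummyHash, 'alice', 'wrong guess', $now), "\n";
echo attemptLogin($users, $flood, $dummyHash, 'mallory', 'anything', $now), "\n";
echo attemptLogin($users, $flood, $dummyHash, 'alice', 'correct horse battery staple', $now), "\n";
```

Two details matter beyond the hashing itself: the same "denied" string is returned whether the account exists or not, so the login form cannot be used to enumerate usernames, and flood control is keyed on the account as well as the source IP, so a distributed guessing attack against one account is still throttled.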

XML External Entities (XXE) (#4)

XML is convenient, but XML parsers that honour the DOCTYPE/ENTITY mechanism can be made to resolve external entities, which lets an attacker read local files or make requests from the server by uploading a crafted document. In this talk, Fabian and Moshe discuss how XML has been used in Drupal, and what better alternatives (such as JSON-based APIs) exist in Drupal now. They also cover some ways and reasons you'd use one technology over another. Watch the video.
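The following is an added example, not code from the Tag1 videos or from Drupal. It shows an XML document that declares an external entity pointing at a local file, a parser call that substitutes it, and a hardened parser that refuses DTDs outright and disables entity substitution and network access. The document is constructed for the demonstration.

```php
<?php
// Added example, not code from the Tag1 videos. Parsing the same
// attacker-supplied XML with entity substitution on (vulnerable) and with
// DTDs rejected and entity loading off (hardened).

// Constructed XXE payload: the entity body is read from the server's disk.
$xml = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY secret SYSTEM "file:///etc/hostname">
]>
<note><body>&secret;</body></note>
XML;

// Vulnerable: LIBXML_NOENT asks libxml to substitute entities, so the
// parser opens the file and puts its contents into <body>.
function parseUnsafe(string $xml): string {
    $dom = new DOMDocument();
    $dom->loadXML($xml, LIBXML_NOENT);
    return $dom->getElementsByTagName('body')->item(0)->textContent;
}

// Hardened: a document that declares a DTD is rejected before parsing, so
// no entity can be defined at all; the parser is then run without
// LIBXML_NOENT or LIBXML_DTDLOAD and with network access disabled.
function parseSafe(string $xml): string {
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        throw new InvalidArgumentException('XML documents with a DTD are not accepted');
    }
    $dom = new DOMDocument();
    if (!$dom->loadXML($xml, LIBXML_NONET)) {
        throw new InvalidArgumentException('malformed XML');
    }
    return $dom->getElementsByTagName('body')->item(0)->textContent;
}

try {
    parseSafe($xml);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The DOCTYPE check is the defence that does not depend on parser flags or on which libxml version the host runs; everything else is belt-and-braces. When the data does not need to be XML in the first place, using JSON removes the entity mechanism entirely, which is the point the talk makes about Drupal's newer web services.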

Broken Access Control (#5)

Access controls determine what a given user may and may not do. Authenticated users usually have more access than anonymous users, and among authenticated users there are typically several levels. This talk discusses Drupal's layers of access control (permissions and roles, route access, entity and node access), how they work, where you can troubleshoot them, and how you can make your access controls stricter. Watch the video.
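The following is an added example that assumes a Drupal 8 or later site with a custom module named example; it is not code from the Tag1 videos or from Drupal core. It shows the most common broken-access-control bug in custom Drupal code, an insecure direct object reference: a route loads an entity by the ID in the URL and trusts the route's permission alone, so anyone with that permission can read any node, including unpublished ones. The hardened version asks the entity itself for a decision, which consults publishing status, ownership and node access grants.

```php
<?php
// Added example assuming a Drupal 8+ codebase; not code from Tag1 or core.

namespace Drupal\example\Controller;

use Drupal\Core\Controller\ControllerBase;
use Drupal\node\Entity\Node;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;

class ExampleController extends ControllerBase {

  // Vulnerable: load by ID with no per-entity check. If the route only
  // requires a broad permission, every node becomes readable by ID.
  public function titleUnsafe(int $nid): JsonResponse {
    $node = Node::load($nid);
    if (!$node) {
      throw new NotFoundHttpException();
    }
    return new JsonResponse(['title' => $node->label()]);
  }

  // Hardened: $node->access('view') runs the node access system for the
  // current user (published state, author, node_access grants, hooks).
  public function titleSafe(int $nid): JsonResponse {
    $node = Node::load($nid);
    if (!$node) {
      throw new NotFoundHttpException();
    }
    if (!$node->access('view', $this->currentUser())) {
      // Same status as "not found" is also defensible, to avoid confirming
      // that the ID exists; 403 is used here so the distinction is visible.
      throw new AccessDeniedHttpException();
    }
    return new JsonResponse(['title' => $node->label()]);
  }

}
```

The same check can be pushed into routing: declare the parameter as `{node}` and add `_entity_access: 'node.view'` under `requirements` in example.routing.yml, and Drupal evaluates node access before the controller runs. Either way, the rule is that a permission check answers "may this user do this kind of thing" while an entity access check answers "may this user do it to this object", and most real data needs both.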

Security Misconfiguration (#6)

Many other security vulnerabilities really fit under this category: failing to check your data, your code, and so on is ultimately a misconfiguration. The vulnerability generally falls into two categories: accidental misconfiguration, where best practices are not followed, and inherited misconfiguration from a legacy system, a configuration management module, or a package added to the system. These misconfigurations can be very difficult to find, and audits may miss vulnerabilities that come from third-party configuration. Watch the video.
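The following is an added example, not a fragment from the Tag1 videos; it assumes a Drupal 8 or later site and the file system paths shown are assumptions. It pairs settings.php values that are commonly left weak with their hardened form, so the difference is visible in one place. Every key is a real Drupal setting; the values are illustrative.

```php
<?php
// Added example: settings.php fragments for an assumed Drupal 8+ site.
// Each block names the weak state in a comment and sets the hardened value.

// Weak: trusted_host_patterns unset. Drupal then trusts the Host header,
// so an attacker can poison generated URLs (password reset links, caches).
// Hardened: allow only the hostnames this site is really served on.
$settings['trusted_host_patterns'] = [
  '^www\.example\.com$',
  '^example\.com$',
];

// Weak: private files stored under the web root, where the web server can
// serve them directly. Hardened: a directory outside the docroot (assumed path).
$settings['file_private_path'] = '/var/www/private';

// Weak: error_level 'verbose' in production, which prints file paths and
// stack traces to visitors. Hardened: log errors, never display them.
$config['system.logging']['error_level'] = 'hide';

// Weak: update.php runnable by anyone (update_free_access TRUE).
// Hardened: only users with the administer software updates permission.
$settings['update_free_access'] = FALSE;

// Weak: a hash_salt copied from documentation or left empty, which makes
// one-time login and form tokens predictable. Hardened: a site-specific
// random value kept outside the web root (assumed path).
$settings['hash_salt'] = file_get_contents('/var/www/private/salt.txt');
```

Because settings.php is code, it is also where inherited misconfiguration tends to hide: a settings.local.php left behind from development, or an overridden `$config` value from a deployment tool, can silently undo any of these. Checking the effective values with `drush status` and the Status report page after each deployment catches that.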

Cross-Site Scripting (XSS) (#7)

Cross-Site Scripting (XSS) is a type of injection attack in which malicious scripts are injected into a trusted website. It occurs when an application includes untrusted input in a page without escaping it, so that another user's browser runs the attacker's script with the site's own origin and that user's session. It is distinct from Cross-Site Request Forgery (CSRF), which tricks a logged-in user's browser into sending requests the user did not intend. Phishing emails carrying a crafted link are a common delivery vector for reflected XSS. Watch the video.
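The following is an added example, not code from the Tag1 videos or from Drupal core. It renders a user-supplied display name and profile URL into HTML first without escaping, then with escaping that is correct for each context: text and quoted attributes on one hand, and URLs on the other, where escaping alone does not stop a `javascript:` link. The inputs are constructed; the Drupal helpers named in the comments are the production equivalents.

```php
<?php
// Added example, not code from the Tag1 videos. Context-aware output
// encoding for a name and a link supplied by an untrusted user.

$name = '<img src=x onerror="alert(document.cookie)">';
$url  = 'javascript:alert(document.domain)';

// Vulnerable: raw interpolation. The browser creates the <img> and runs
// the onerror handler; the href runs script when clicked.
function renderUnsafe(string $name, string $url): string {
    return "<p>Posted by <a href=\"$url\">$name</a></p>";
}

// Text and quoted-attribute context: escape every HTML metacharacter.
// This is what Drupal's Html::escape() and Twig auto-escaping do.
function escapeHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// URL context: "javascript:" contains no metacharacters, so escaping leaves
// it intact. Allow only known-safe schemes instead. Drupal's production
// equivalent is UrlHelper::stripDangerousProtocols().
function safeHref(string $url): string {
    $colon = strpos($url, ':');
    if ($colon !== false) {
        $prefix = substr($url, 0, $colon);
        // A '/', '?' or '#' before the colon means the colon is not a scheme
        // separator (e.g. "/path:1" or "?t=1:2"), so the URL is relative.
        if (!preg_match('![/?#]!', $prefix)) {
            // Browsers ignore control characters and whitespace inside the
            // scheme, so "java\tscript:" must be read as "javascript:".
            $scheme = strtolower(preg_replace('/[^a-zA-Z0-9+.\-]/', '', $prefix));
            if (!in_array($scheme, ['http', 'https', 'mailto'], true)) {
                return '#';
            }
        }
    }
    return escapeHtml($url);
}

function renderSafe(string $name, string $url): string {
    return '<p>Posted by <a href="' . safeHref($url) . '">' . escapeHtml($name) . '</a></p>';
}

echo renderUnsafe($name, $url), "\n";
echo renderSafe($name, $url), "\n";
```

If the field is meant to carry limited markup rather than plain text, escaping is the wrong tool and a regex is not a sanitizer; use Drupal's text formats or Xss::filter() with an explicit tag allow-list.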

Insecure Deserialization (#8)

While this type of flaw can be hard to create or detect, it poses a very real threat to your website. Deserializing untrusted data can lead to remote code execution, as in Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-003, which was reachable through Drupal 8's REST module. The code paths that deserialize input tend to be few, but the consequence is full control of the application. Ensuring the integrity of your data and of your data handling, in particular never passing untrusted input to unserialize() and preferring formats such as JSON that cannot instantiate objects, is key to preventing these attacks. Watch the video.
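The following is an added example, not code from the Tag1 videos or from Drupal, and the gadget class is constructed to show the mechanism rather than reproduce any real Drupal gadget chain. PHP's unserialize() instantiates whatever class the payload names and then runs that class's magic methods, so any class in the codebase whose __wakeup or __destruct acts on its own properties becomes usable by the attacker. The two hardened versions stop object creation and avoid PHP serialization altogether.

```php
<?php
// Added example, not code from the Tag1 videos. A constructed gadget class,
// a payload that targets it, and two ways of handling the data safely.

class TempFile {
    public string $path;

    // Real gadgets do file, database or code operations here. This one only
    // records what it would have done, so the demo is harmless.
    public function __wakeup(): void {
        $GLOBALS['side_effects'][] = 'would unlink ' . $this->path;
    }
}

$GLOBALS['side_effects'] = [];

// Constructed payload: an object of class TempFile with an attacker-chosen path.
$payload = 'O:8:"TempFile":1:{s:4:"path";s:16:"/tmp/victim.file";}';

// Vulnerable: unserialize() builds a TempFile and calls __wakeup() with the
// attacker's property values before the caller ever sees the object.
function restoreUnsafe(string $data): mixed {
    return unserialize($data);
}

// Hardened 1: forbid object instantiation. The payload becomes a
// __PHP_Incomplete_Class stub, and no application class's methods run.
function restoreSafe(string $data): mixed {
    return unserialize($data, ['allowed_classes' => false]);
}

// Hardened 2: do not use PHP serialization for untrusted data at all.
// JSON yields only arrays and scalars, and the shape is checked explicitly.
function restoreJson(string $data): array {
    $decoded = json_decode($data, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($decoded) || !isset($decoded['path']) || !is_string($decoded['path'])) {
        throw new InvalidArgumentException('unexpected shape');
    }
    return $decoded;
}

restoreUnsafe($payload);
echo count($GLOBALS['side_effects']), " side effect(s) after unsafe restore\n";

$GLOBALS['side_effects'] = [];
$stub = restoreSafe($payload);
echo get_class($stub), ', ', count($GLOBALS['side_effects']), " side effect(s) after safe restore\n";

print_r(restoreJson('{"path":"/tmp/victim.file"}'));
```

The `allowed_classes` option is the minimum fix when a serialized format cannot be changed; an allow-list of specific class names is better than `false` only if every listed class is free of dangerous magic methods, which is hard to guarantee across a Composer dependency tree. That is why the durable fix is to keep PHP serialization for trusted, server-generated data only.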

Using Components with Known Vulnerabilities (#9)

Modern web applications have large numbers of dependencies. Between Drupal core and contributed modules, the PHP libraries pulled in by Composer, the operating system, and the rest of the infrastructure, there are many places where a known vulnerability can be exposed. This talk discusses how to know whether your Drupal installation is up to date, how to get notified about security updates, and how to check for known vulnerabilities. Watch the video.

Insufficient Logging & Monitoring and General Database & Infrastructure (#10)

Logging and monitoring are two critical methods of checking for anomalies on your website. Logging is always useful, to help you track changes and find mistakes, as well as spot unusual or unexpected activity. Central management of logs can be critical to ensuring enough data to correlate events. If you’re monitoring your website activity, and logging your data, you have a higher chance of catching a compromised server. This talk discusses ways that logging and monitoring can be used and compromised. Watch the video.
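The following is an added example, not code from the Tag1 videos or from Drupal, of the kind of detection that log aggregation makes possible. It parses lines in the format Drupal's syslog module writes by default (`!base_url|!timestamp|!type|!ip|!request_uri|!referer|!uid|!link|!message`, an assumption about the site's syslog configuration) and flags source addresses with repeated failed logins in a short window, reporting how many distinct accounts were tried so that password spraying stands out from a single wrong password. The log lines are constructed.

```php
<?php
// Added example, not code from the Tag1 videos. Failed-login detection over
// constructed Drupal syslog lines in the module's default format.

$lines = [
    'https://example.com|1700000000|user|203.0.113.7|/user/login||0||Login attempt failed for admin.',
    'https://example.com|1700000030|user|203.0.113.7|/user/login||0||Login attempt failed for editor.',
    'https://example.com|1700000061|user|203.0.113.7|/user/login||0||Login attempt failed for webmaster.',
    'https://example.com|1700000090|user|198.51.100.4|/user/login||0||Login attempt failed for alice.',
    'https://example.com|1700000400|user|198.51.100.4|/user/login||0||Login attempt failed for alice.',
    'https://example.com|1700000405|user|198.51.100.4|/user/login||7||Session opened for alice.',
];

// Split one syslog line into named fields. The message is the last field
// and may itself contain '|', so explode() is limited to nine parts.
function parseSyslogLine(string $line): ?array {
    $parts = explode('|', $line, 9);
    if (count($parts) !== 9) {
        return null;
    }
    [$base, $ts, $type, $ip, $uri, $ref, $uid, $link, $msg] = $parts;
    return ['ts' => (int) $ts, 'type' => $type, 'ip' => $ip, 'uid' => (int) $uid, 'msg' => $msg];
}

// Flag any IP with $threshold or more failed logins inside $window seconds,
// using a sliding window over that IP's sorted failures.
function findBruteForce(array $lines, int $threshold = 3, int $window = 600): array {
    $failures = []; // ip => list of [timestamp, username]
    foreach ($lines as $line) {
        $e = parseSyslogLine($line);
        if ($e === null || $e['type'] !== 'user') {
            continue;
        }
        if (preg_match('/^Login attempt failed for (.+)\.$/', $e['msg'], $m)) {
            $failures[$e['ip']][] = [$e['ts'], $m[1]];
        }
    }

    $alerts = [];
    foreach ($failures as $ip => $events) {
        usort($events, fn (array $a, array $b) => $a[0] <=> $b[0]);
        $start = 0;
        for ($i = 0, $n = count($events); $i < $n; $i++) {
            while ($events[$i][0] - $events[$start][0] > $window) {
                $start++;
            }
            $count = $i - $start + 1;
            if ($count >= $threshold) {
                $window_events = array_slice($events, $start, $count);
                $users = array_values(array_unique(array_map(fn (array $ev) => $ev[1], $window_events)));
                $alerts[$ip] = ['failures' => $count, 'distinct_users' => count($users), 'users' => $users];
            }
        }
    }
    return $alerts;
}

print_r(findBruteForce($lines));
```

In the constructed data, 203.0.113.7 trips the rule with three failures against three different accounts inside a minute, the signature of spraying, while 198.51.100.4 shows a user mistyping once and then logging in and is not reported. The same correlation is impossible when each web node keeps its own log, which is the point the talk makes about central log management.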

For more information on Drupal security and the OWASP top ten, see:

Drupal Security: https://www.drupal.org/security

OWASP Top Ten: https://owasp.org/www-project-top-ten/