The Open Web Application Security Project (OWASP) is a non-profit organization that develops and maintains the OWASP Top Ten, a list of the most significant web application security vulnerabilities. OWASP updates the list based on its own research and on information from the community.
Tag1 Consulting developed training sessions for a Fortune 500 client, who allowed us to share them with the Drupal Community to help improve the security of the platform. Learn practical defense strategies with examples based on real-world vulnerabilities.
Tag1 Consulting’s experts can help you prevent and mitigate security problems on your website like the ones discussed here. We provide several services, including:
- Consulting services: During planning and development, Tag1 helps you choose or write secure code and customized solutions.
- Security audits: Before your website goes into production, Tag1 can perform a security audit to ensure that your website is as secure as possible.
- Drupal Migrations & Upgrades: We specialize in guiding organizations through the complex process of upgrading and migrating their web systems.
Contact us to learn how we can help you.
The security training sessions:
These videos are discussions of the various security vulnerabilities identified by OWASP. Tag1 experts Fabian Franz, Vice President of Software Engineering; Janez Urevc, Senior Engineer, Strategic Growth & Innovation Manager; Greg Lund-Chaix, Senior Infrastructure Engineer; and Michael Meyers, Managing Director, lead you through some common scenarios and how to avoid them.
A01 - Broken Access Control
Trainer: Janez Urevc
This topic was previously #5 in the Top Ten. Its jump to #1 indicates that access control is the most significant threat to website security today.
Access controls determine what you, as a user, can access and what you cannot access. Authenticated users often have access to more than anonymous users. When you have authenticated users, you often have multiple levels of access. This talk discusses Drupal’s levels of access control, how it works, where you can troubleshoot it, and how you can make your access controls more secure.
A02 - Cryptographic failure
Trainer: Janez Urevc
This topic was previously #3, under the name Sensitive Data Exposure. It was renamed to point at the root cause of data exposure and system compromise: failures in the system's use of cryptography.
This revised category focuses on the causes of data exposure rather than the exposure itself. In this talk, Janez covers password security, hashing algorithms, HTTP vs. HTTPS, and other ways to ensure that your data is encrypted from beginning to end - so that your users have a harder time compromising your system, intentionally or not.
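The password-storage part of this session, as an added example that is not code from the Tag1 training: an unsalted MD5 hash beside PHP's built-in password_hash()/password_verify() pair, including the transparent re-hash of a weaker legacy hash on login. The credentials and the helper names (weakHash, storePassword, checkPassword, expect) are constructed for the demo; it assumes PHP 8.0 or later.

```php
<?php
// Added example, not code from the Tag1 training: weak vs. correct password
// storage in PHP. Assumes PHP 8.0+; the credentials below are constructed for
// the demo and the helper names are our own.
declare(strict_types=1);

// WEAK: unsalted MD5. Equal passwords give equal digests, so one cracked hash
// unlocks every account that shares the password, and MD5 is cheap to brute
// force offline. Shown only as the pattern to replace.
function weakHash(string $password): string
{
    return md5($password);
}

// CORRECT: password_hash() chooses a salted, deliberately slow algorithm
// (bcrypt for PASSWORD_DEFAULT) and encodes algorithm, cost and salt into the
// result, so nothing else needs to be stored alongside it.
function storePassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
}

// password_verify() compares in constant time. If the stored hash was created
// with an older or cheaper setting, re-hash it on successful login so the
// whole user table migrates forward without a password reset.
function checkPassword(string $password, string &$storedHash): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, ['cost' => 12])) {
        $storedHash = storePassword($password); // the caller persists the new value
    }
    return true;
}

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// Two constructed users who happen to share a password.
$shared = 'correct horse battery staple';
$users  = ['alice' => storePassword($shared), 'bob' => storePassword($shared)];

expect(weakHash($shared) === weakHash($shared), 'unsalted MD5 is identical for identical input');
expect($users['alice'] !== $users['bob'], 'salted hashes differ even for the same password');
expect(checkPassword($shared, $users['alice']), 'correct password is accepted');
expect(!checkPassword('not the password', $users['alice']), 'wrong password is rejected');

// A legacy hash made with a lower cost is upgraded transparently on login.
$legacy = password_hash($shared, PASSWORD_BCRYPT, ['cost' => 4]);
expect(checkPassword($shared, $legacy), 'legacy hash still verifies');
expect(password_get_info($legacy)['options']['cost'] === 12, 'legacy hash was re-hashed at cost 12');
echo "ok\n";
```

Drupal core already stores passwords this way through its password hashing service; the example is useful mainly for custom modules or integrations that store credentials themselves. The cost factor is the knob to raise as hardware gets faster; the re-hash path means raising it never requires users to reset anything.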
A03 - Injection + XSS
Trainer: Janez Urevc
Injection and Cross-Site Scripting (XSS) were previously separate topics: Injection was the top security issue, while XSS was #7. XSS has been folded into the Injection category because it is a type of injection attack.
Injection attacks are a broad group of attack vectors that attempt to force untrusted data into your website and database, leading to possible data loss, corruption, disclosure, and denial of access. Cross-Site Scripting (XSS), together with Cross-Site Request Forgery (CSRF), is treated here as a type of injection attack in which malicious scripts are injected into trusted websites. XSS attacks occur when an attacker embeds malicious code into a web application, usually in the form of a browser-side script, and it is delivered to a different user. Phishing emails are a common vector for XSS attacks.
We also cover some of the most obvious places where injection attacks can happen, such as user-supplied content.
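The two injection families of this session side by side, as an added example that is not code from the Tag1 training: a query built by string concatenation beside a prepared statement, and raw HTML output beside context-encoded output. It uses an in-memory SQLite database through PDO so it runs stand-alone; the table, rows and helper names (findUserUnsafe, findUserSafe, renderBioUnsafe, renderBioSafe, expect) are constructed for the demo.

```php
<?php
// Added example, not code from the Tag1 training: SQL injection and XSS in plain
// PHP, each shown as the unsafe pattern beside the safe one. Uses an in-memory
// SQLite database via PDO; the rows are constructed for the demo.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, bio TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'Hello'), ('o''brien', '<b>hi</b>')");

// UNSAFE: user input concatenated into SQL. A single quote in the input ends the
// string literal, so the query's structure is rewritten by the data it carries.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT name, bio FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: a prepared statement keeps data and SQL separate. Drupal's Database API
// works the same way with :placeholders in Connection::query() and with
// select()->condition(), which is why raw string building is never needed there.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, bio FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// UNSAFE: stored text echoed into HTML as-is, so any markup or script in it runs
// in every visitor's browser (stored XSS).
function renderBioUnsafe(string $bio): string
{
    return '<p>' . $bio . '</p>';
}

// SAFE: encode for the HTML context before output. ENT_QUOTES also covers the
// attribute-value context. Drupal's Twig templates autoescape by default and
// Html::escape() does the same for render arrays built in code.
function renderBioSafe(string $bio): string
{
    return '<p>' . htmlspecialchars($bio, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// A perfectly legitimate name containing an apostrophe is enough to break the
// unsafe query: the database reports a syntax error because the input changed
// the statement itself.
$input = "o'brien";
try {
    findUserUnsafe($db, $input);
    expect(false, 'unsafe query should fail on a quote in the input');
} catch (PDOException $e) {
    // Expected: the input was parsed as SQL rather than as a value.
}
$rows = findUserSafe($db, $input);
expect(count($rows) === 1 && $rows[0]['name'] === "o'brien", 'prepared statement matches the row');

expect(renderBioUnsafe($rows[0]['bio']) === '<p><b>hi</b></p>', 'markup passes through unescaped');
expect(renderBioSafe($rows[0]['bio']) === '<p>&lt;b&gt;hi&lt;/b&gt;</p>', 'markup is rendered inert');
echo "ok\n";
```

The point of using an apostrophe rather than an attack string is that the same defect shows up as an ordinary bug first: any code path that breaks on O'Brien is a code path that trusts its input to be data, and that is exactly what an injection exploits.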
A04 - Insecure design
Trainer: Janez Urevc, Fabian Franz
Insecure design is a new category for the 2021 OWASP list. This category focuses on design flaws and the risks that come with those flaws. OWASP hopes to press for more secure and consistent design principles, patterns, and reference architectures to further ensure the stability and security of website data. This category is aimed at finding and correcting flaws in design, rather than implementation - implementation often falls under one of the other security categories.
This category aims to cover security more holistically. Janez and Fabian talk about some of the ways that insecure designs can cause problems, even in a perfectly implemented system.
A05 - Security misconfiguration + XML entities
Trainer: Fabian Franz, Janez Urevc
The 2021 list combines vulnerabilities that were previously at positions #6 and #4.
Many other security vulnerabilities really fit under this category: failing to check your data, code, and so on is ultimately a misconfiguration. This vulnerability generally falls into two categories: accidental misconfiguration, where best practices are not followed, and inherited misconfiguration from a legacy system, a configuration management module, or a package added to the system. These misconfigurations can be very difficult to find, and audits may struggle to find vulnerabilities that come from third-party configurations.
XML can be easy to use, but it is not a highly secure technology, and it can be misconfigured to serious detriment if the developer does not take extreme care. In this talk, Fabian discusses how XML can be used and misused. Janez covers some ways that PHP can be misconfigured to enable system access, and how to handle these vulnerabilities with care.
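Both halves of this session in one added example that is not code from the Tag1 training: a parser for untrusted XML that refuses DTDs outright (so no entity declarations, internal or external, are ever processed) and a small audit of php.ini values that are commonly left unsafe. The XML documents, the ini snapshot and the helper names (parseUntrustedXml, auditPhpIni, expect) are constructed for the demo; it assumes PHP 8.0 or later with ext-simplexml.

```php
<?php
// Added example, not code from the Tag1 training: defensive XML parsing and a
// small php.ini misconfiguration check. Assumes PHP 8.0+ with ext-simplexml.
// The XML documents and the ini snapshot below are constructed for the demo.
declare(strict_types=1);

/**
 * Parse untrusted XML without DTD processing. A document that declares a
 * DOCTYPE is refused, which removes XML External Entity (XXE) and entity
 * expansion risks instead of trying to filter individual entities.
 */
function parseUntrustedXml(string $xml): SimpleXMLElement
{
    // The DOCTYPE is the only place entities can be declared; refuse it early.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
    }
    // LIBXML_NONET forbids network access during parsing. Deliberately do NOT
    // pass LIBXML_NOENT (entity substitution) or LIBXML_DTDLOAD (external DTDs).
    $previous = libxml_use_internal_errors(true);
    try {
        $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);
        if ($doc === false) {
            $msgs = array_map(fn(LibXMLError $e) => trim($e->message), libxml_get_errors());
            throw new InvalidArgumentException('malformed XML: ' . implode('; ', $msgs));
        }
        return $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

/**
 * Report php.ini settings that differ from what a production web server should
 * have. Pass ini_get_all(null, false) for the live values; returns the findings.
 */
function auditPhpIni(array $ini): array
{
    $expected = [
        'display_errors'    => '0', // stack traces and paths must not reach browsers
        'expose_php'        => '0', // do not advertise the PHP version in headers
        'allow_url_include' => '0', // include() of remote URLs is remote code execution
        'allow_url_fopen'   => '0', // remote fopen() widens SSRF exposure; enable only if needed
    ];
    $findings = [];
    foreach ($expected as $key => $want) {
        $have = $ini[$key] ?? null;
        if ($have === null || filter_var($have, FILTER_VALIDATE_BOOLEAN) !== ($want === '1')) {
            $findings[] = "$key should be $want, found " . var_export($have, true);
        }
    }
    return $findings;
}

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// A plain document parses normally.
$ok = parseUntrustedXml('<order><sku>ABC-123</sku><qty>2</qty></order>');
expect((string) $ok->sku === 'ABC-123', 'plain XML is parsed');

// A document that declares an entity (even a harmless internal one) is refused.
$withDtd = '<!DOCTYPE order [<!ENTITY greet "hi">]><order><sku>&greet;</sku></order>';
try {
    parseUntrustedXml($withDtd);
    expect(false, 'DOCTYPE must be rejected');
} catch (InvalidArgumentException $e) {
    expect(str_contains($e->getMessage(), 'DOCTYPE'), 'rejection names the DOCTYPE');
}

// Ini audit over a constructed snapshot: one wrong value, one missing key.
$findings = auditPhpIni(['display_errors' => '1', 'expose_php' => '0', 'allow_url_include' => '0']);
expect(count($findings) === 2, 'display_errors and the absent allow_url_fopen are reported');
echo "ok\n";
```

Refusing the DOCTYPE is deliberately blunt: on PHP 8 external entity loading is already off by default, but a parser option passed later in the code (LIBXML_NOENT is the usual culprit) silently turns it back on, and a whole-document rejection cannot be undone by a flag.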
A06 - Vulnerable or outdated components
Trainer: Janez Urevc
This topic was previously #9 on the Top 10 list; significant concern from the security community helped drive its higher position on the 2021 list.
Modern web applications have large numbers of dependencies. Between Drupal modules, operating systems, and infrastructure, there are multiple attack vectors for known vulnerabilities. This talk discusses how to know whether your Drupal installation or other application code is up to date, and the kinds of components to look for when checking for vulnerable or outdated code.
A07 - Identification and authentication failures
Trainer: Janez Urevc
This vulnerability type has dropped significantly from 2017’s #2 position.
Authentication - the process of proving who you are on a website - is crucial to your website security. When your authentication breaks, your users can’t access your website, or worse - attackers get your user information. Janez covers some common ways to handle authentication, and how authentication can be broken.
A08 - Software and data integrity failures
Trainer: Janez Urevc
This is a new category for 2021, which includes the previous #8 category, Insecure Deserialization. This category covers assumptions made while updating software, data, or your CI/CD pipelines.
Software and data integrity covers a range of code and infrastructure issues which may not be properly hardened against integrity violations. This may include libraries or other code from untrusted sources, a compromised CI/CD pipeline, or auto-updating software that does not go through sufficient review before deployment. Serializing and deserializing functions also fall into this category.
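The two integrity checks this session describes, as an added example that is not code from the Tag1 training: serialized state that is authenticated with an HMAC and deserialized with object instantiation disabled, and a downloaded component verified against a published digest. The key, the payloads, the file contents and the helper names (packState, unpackState, verifyArtifact, expect, fails) are constructed for the demo; it assumes PHP 8.0 or later.

```php
<?php
// Added example, not code from the Tag1 training: integrity checks before
// trusting data that comes back from storage or from a download. The key,
// payloads and file contents are constructed for the demo; a real key lives in
// configuration outside the web root.
declare(strict_types=1);

const DEMO_KEY = 'constructed-demo-key-do-not-reuse';

// Serialised state that leaves the server (cookie, hidden field, cache) gets an
// HMAC so tampering is detected before unserialize() ever sees the bytes.
function packState(array $state, string $key): string
{
    $body = serialize($state);
    return hash_hmac('sha256', $body, $key) . '.' . base64_encode($body);
}

function unpackState(string $token, string $key): array
{
    $parts = explode('.', $token, 2);
    $body  = count($parts) === 2 ? base64_decode($parts[1], true) : false;
    if ($body === false) {
        throw new InvalidArgumentException('malformed token');
    }
    // Constant-time compare; anything not produced with our key is refused here.
    if (!hash_equals(hash_hmac('sha256', $body, $key), $parts[0])) {
        throw new InvalidArgumentException('integrity check failed');
    }
    // Defence in depth: even a correctly signed payload may not instantiate
    // objects (their __wakeup()/__destruct() are the classic gadget entry points).
    $state = unserialize($body, ['allowed_classes' => false]);
    if (!is_array($state)) {
        throw new InvalidArgumentException('unexpected payload type');
    }
    return $state;
}

// A downloaded component is only as trustworthy as the check you do on it:
// compare its digest with the value the project publishes out of band, not with
// a checksum file served next to the download.
function verifyArtifact(string $path, string $expectedSha256): bool
{
    $actual = hash_file('sha256', $path);
    return $actual !== false && hash_equals(strtolower($expectedSha256), $actual);
}

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}
// True if $fn is refused with an InvalidArgumentException.
function fails(callable $fn): bool
{
    try { $fn(); return false; } catch (InvalidArgumentException $e) { return true; }
}

$token = packState(['uid' => 42, 'role' => 'editor'], DEMO_KEY);
expect(unpackState($token, DEMO_KEY) === ['uid' => 42, 'role' => 'editor'], 'round trip');

// Alter one hex digit of the MAC: the token is refused.
$tampered = ($token[0] === '0' ? '1' : '0') . substr($token, 1);
expect(fails(fn() => unpackState($tampered, DEMO_KEY)), 'tampered token is refused');

// Even a correctly signed object payload (say, after a key leak) is not revived.
$objBody  = 'O:8:"stdClass":0:{}';
$objToken = hash_hmac('sha256', $objBody, DEMO_KEY) . '.' . base64_encode($objBody);
expect(fails(fn() => unpackState($objToken, DEMO_KEY)), 'object payload is refused');

// Artifact check against a constructed "published" digest.
$path = tempnam(sys_get_temp_dir(), 'pkg');
file_put_contents($path, "module-1.0.0\n");
expect(verifyArtifact($path, hash('sha256', "module-1.0.0\n")), 'digest matches');
file_put_contents($path, "module-1.0.0 (modified)\n");
expect(!verifyArtifact($path, hash('sha256', "module-1.0.0\n")), 'modified file is rejected');
unlink($path);
echo "ok\n";
```

Where the format is yours to choose, JSON with json_decode(..., true) avoids the object problem entirely; the allowed_classes restriction is for the cases where PHP's native serialization is already in use.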
A09 - Logging and monitoring failures
Trainer: Greg Lund-Chaix
This vulnerability was previously in the #10 spot, and has a high priority in OWASP’s industry survey. The category has expanded from its 2017 definition to include additional attack vectors against logging and the omission of security-relevant information.
Logging and monitoring are two critical methods of checking for anomalies on your website. Logging is always useful, to help you track changes and find mistakes, as well as spot unusual or unexpected activity. Central management of logs can be critical to ensuring enough data to correlate events and to prevent attackers from covering their tracks. If you’re monitoring your website activity, and logging your data at the server and application level, you have a higher chance of catching a compromised server. This talk discusses ways that logging and monitoring can be used and compromised.
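The anomaly-spotting side of this session, as an added example that is not code from the Tag1 training: a detector run over constructed log lines modelled on the pipe-separated format of Drupal's syslog module, flagging source addresses with a burst of failed logins. The hostnames, addresses, timestamps, thresholds and helper names (parseDrupalSyslogLine, detectLoginBruteForce) are assumptions chosen for the demo; it assumes PHP 8.0 or later.

```php
<?php
// Added example, not code from the Tag1 training: a small detector over
// constructed log lines modelled on the Drupal syslog module's default
// pipe-separated format. Thresholds, hostnames and addresses are demo values.
declare(strict_types=1);

/** Parse one syslog-style line into its fields, or null if it is not a Drupal entry. */
function parseDrupalSyslogLine(string $line): ?array
{
    // "<syslog prefix> drupal: base_url|timestamp|type|ip|uri|referer|uid|link|message"
    if (!preg_match('/drupal: (.*)$/', $line, $m)) {
        return null;
    }
    $f = explode('|', $m[1], 9);
    if (count($f) !== 9) {
        return null;
    }
    return [
        'ts' => (int) $f[1], 'type' => $f[2], 'ip' => $f[3],
        'uri' => $f[4], 'uid' => (int) $f[6], 'message' => $f[8],
    ];
}

/**
 * Flag source IPs with at least $threshold failed logins inside any $window
 * seconds. Returns ip => size of the densest window. A slow attacker needs a
 * wider window; keeping logs centrally is what makes widening it later possible.
 */
function detectLoginBruteForce(array $lines, int $threshold = 5, int $window = 300): array
{
    $failures = [];
    foreach ($lines as $line) {
        $e = parseDrupalSyslogLine($line);
        if ($e !== null && $e['type'] === 'user' && str_starts_with($e['message'], 'Login attempt failed')) {
            $failures[$e['ip']][] = $e['ts'];
        }
    }
    $alerts = [];
    foreach ($failures as $ip => $times) {
        sort($times);
        $best = 0;
        for ($i = 0, $j = 0, $n = count($times); $i < $n; $i++) {
            while ($times[$i] - $times[$j] > $window) { $j++; } // slide the window start
            $best = max($best, $i - $j + 1);
        }
        if ($best >= $threshold) {
            $alerts[$ip] = $best;
        }
    }
    return $alerts;
}

// Constructed sample: six failures from one address within four minutes, one
// stray failure from another address that must not alert, and a non-Drupal line.
$t  = 1700000000;
$mk = fn(int $dt, string $ip, string $msg) =>
    "Nov 14 22:13:20 web1 drupal: https://example.test|" . ($t + $dt) . "|user|$ip|/user/login||0||$msg";
$log = [
    $mk(0,   '203.0.113.7',  'Login attempt failed for admin.'),
    $mk(30,  '203.0.113.7',  'Login attempt failed for admin.'),
    $mk(70,  '198.51.100.2', 'Login attempt failed for editor.'),
    $mk(95,  '203.0.113.7',  'Login attempt failed for admin.'),
    $mk(140, '203.0.113.7',  'Login attempt failed for root.'),
    $mk(200, '203.0.113.7',  'Login attempt failed for admin.'),
    $mk(230, '203.0.113.7',  'Login attempt failed for admin.'),
    $mk(240, '203.0.113.7',  'Session opened for admin.'),
    'Nov 14 22:17:20 web1 sshd[1]: Accepted publickey for deploy',
];
$alerts = detectLoginBruteForce($log);
if ($alerts !== ['203.0.113.7' => 6]) {
    throw new RuntimeException('unexpected detector output: ' . json_encode($alerts));
}
echo "ok\n";
```

The last failed attempt followed by "Session opened" for the same account is the pattern worth alerting on in its own right; a detector that only counts failures would have stopped looking one line too early.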
A10 - Server side request forgery
Trainer: Fabian Franz
This is a new topic, requested by the community through the OWASP Top 10 community survey. While this type of attack does not seem to be a common threat according to OWASP’s data, community members find it an area of concern.
Server-side request forgery (SSRF) vulnerabilities may exist when an application fetches a remote resource and fails to validate the URL supplied by the user. Providing access to remote resources is becoming a more common use case for websites, and these types of attacks are likely to increase in the future.
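The validation step this session calls for, as an added example that is not code from the Tag1 training: a user-supplied URL is accepted only if its scheme and host are on an allow-list and every address the host resolves to is public. The allowed hosts, the example names and addresses, the injectable resolver and the helper names (validateOutboundUrl, expect, rejection) are constructed for the demo so it runs without DNS; it assumes PHP 8.0 or later.

```php
<?php
// Added example, not code from the Tag1 training: validating a user-supplied URL
// before the server fetches it. The allowed-host list, hostnames, addresses and
// the injectable resolver are constructed so the demo runs without DNS.
declare(strict_types=1);

/**
 * Return a normalised URL that is safe to fetch, or throw. $resolve maps a
 * hostname to its IP addresses (gethostbynamel() in production).
 */
function validateOutboundUrl(string $url, array $allowedHosts, callable $resolve): string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        throw new InvalidArgumentException('not an absolute URL');
    }
    // 1. Scheme allow-list: no file://, ftp://, gopher://, php:// and friends.
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('scheme not allowed');
    }
    // 2. Userinfo is never needed for public resources and confuses naive parsers.
    if (isset($p['user']) || isset($p['pass'])) {
        throw new InvalidArgumentException('userinfo not allowed');
    }
    // 3. Exact host allow-list (lower-cased, trailing dot removed).
    $host = strtolower(rtrim($p['host'], '.'));
    if (!in_array($host, $allowedHosts, true)) {
        throw new InvalidArgumentException('host not allowed');
    }
    // 4. Resolve the name and refuse private, loopback and link-local addresses,
    //    so an allowed name whose DNS record points inside the network is caught.
    $addresses = $resolve($host);
    if ($addresses === []) {
        throw new InvalidArgumentException('host does not resolve');
    }
    foreach ($addresses as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            throw new InvalidArgumentException("host resolves to a non-public address ($ip)");
        }
    }
    // 5. Rebuild the URL from the validated parts. The caller must still fetch
    //    with redirects disabled (or re-validate every hop) and strict timeouts.
    return $scheme . '://' . $host
        . (isset($p['port']) ? ':' . $p['port'] : '')
        . ($p['path'] ?? '/')
        . (isset($p['query']) ? '?' . $p['query'] : '');
}

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}
// Run $fn and return the rejection reason, or null if the URL was accepted.
function rejection(callable $fn): ?string
{
    try { $fn(); return null; } catch (InvalidArgumentException $e) { return $e->getMessage(); }
}

// Constructed resolver standing in for DNS; one name has a second, internal record.
$resolver = fn(string $host): array => match ($host) {
    'images.example.test' => ['203.0.113.10'],
    'mixed.example.test'  => ['203.0.113.11', '10.0.0.5'],
    default => [],
};
$allowed = ['images.example.test', 'mixed.example.test'];
$check   = fn(string $url) => validateOutboundUrl($url, $allowed, $resolver);

expect($check('HTTPS://Images.Example.test/a.png?x=1') === 'https://images.example.test/a.png?x=1',
    'allowed URL is normalised and returned');
expect(rejection(fn() => $check('ftp://images.example.test/x')) === 'scheme not allowed', 'scheme');
expect(rejection(fn() => $check('http://user:pw@images.example.test/')) === 'userinfo not allowed', 'userinfo');
expect(rejection(fn() => $check('http://localhost/')) === 'host not allowed', 'host');
expect(str_contains((string) rejection(fn() => $check('http://mixed.example.test/')), 'non-public'), 'internal record');
echo "ok\n";
```

Resolving the name in the validator and again in the HTTP client leaves a window in which the answer can change, so the fetch should use the address that was checked; with cURL that means pinning it through CURLOPT_RESOLVE and keeping CURLOPT_FOLLOWLOCATION off.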
Previous years
Tag1 has given talks on these topics in previous years. In 2021, we gave a training based on the previous OWASP Top Ten list from 2017. To view previous sessions, see: