Website security is critical to everyone, from the single user running a blog to the enterprise business with product and commerce data. A compromised website can mean anything from the loss of personal effort to the theft or destruction of user data. In a business scenario, this can be embarrassing at best and devastating at worst.
Tag1 Consulting’s experts can help you prevent and mitigate security problems on your website like the ones discussed here. We provide several services, including:
- Consulting services: During planning and development, Tag1 helps you choose or write secure code and customized solutions.
- Security audits: Before your website goes into production, Tag1 can perform a security audit to ensure that your website is as secure as possible.
Part 1 includes videos on OWASP Vulnerabilities 1 through 5. For the full list of training videos, see OWASP Top Ten Security Vulnerabilities: OWASP Drupal Security Training.
This section of our training covers the following attack vectors:
- Injection attack
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
Injection Attack (#1)
Injection attacks are a wide group of attack vectors that attempt to get untrusted data interpreted as part of a query or command by your website or database, leading to possible data loss, corruption, disclosure, or denial of access. In this talk, we discuss Drupalgeddon, what it did, and what caused it. We also cover some of the most obvious places where injection attacks can happen.
Related content:
- A1:2017-Injection | OWASP
- SA-CORE-2014-005 - Drupal core - SQL injection
- Drupageddon: SQL Injection, Database Abstraction and Hundreds of Thousands of Web Sites
Broken Authentication (#2)
Authentication - the process of proving who you are on a website - is crucial to your website's security. When your authentication breaks, your users can't access your website, or worse, attackers get your users' information. Moshe and Fabian cover some ways you can prevent attackers from easily breaking your authentication, and how Drupal protects user data to make the attacker's job harder.
Related content:
- A2:2017-Broken Authentication | OWASP
- Use a password manager: https://1password.com/
- Enforce restrictions on user passwords by defining password policies: Password Policy
- Two-factor Authentication (TFA)
Sensitive Data Exposure (#3)
Sensitive data exposure is about attackers obtaining secrets they should never be able to reach, such as API keys and passwords. This is about stealing credentials rather than breaking authentication. This section of our talks discusses Drupal's methods of protecting this data, such as hashing passwords and using the .htaccess file to restrict access.
Related content:
- A3:2017-Sensitive Data Exposure | OWASP
- Portable PHP password hashing ("password encryption") framework
- Paranoia module
- Drupal Security Review page
- Key Module
XML External Entities (XXE) (#4)
XML can be easy to use, but it is not a highly secure technology. In this talk, Fabian and Moshe discuss how XML has been used in Drupal, and what better alternatives now exist in Drupal. They also cover some of the ways and reasons you would choose one technology over another.
Related content:
Broken Access Control (#5)
Access controls determine what you, as a user, can and cannot access. Authenticated users often have access to more than anonymous users, and when you have authenticated users, you often have multiple levels of access. This talk discusses Drupal's levels of access control, how they work, where you can troubleshoot them, and how you can make your access controls more secure.