Drupal security requirements

by Jonathan Marcil


presented in
tweet-o-rama!
@jonathanmarcil

Security today


You have been hacked!

Fix it.

"Managed" security


You have been pentested!

Please fix it.

Security requirements


Don't get hacked!

Here's how to fix it.

Requirements: definition

requirements are the expression of a documented need about what a particular product or service should be or do
-- fr.Wikipedia
a requirement is a singular documented physical and functional need that a particular design, product or process must be able to perform
-- en.Wikipedia

Approach 1/4

OWASP OpenSAMM : Software Assurance Maturity Model

Approach 2/4

OWASP ASVS : Application Security Verification Standard

A list of verification points for testing Web applications

Verify all password fields do not echo the user’s password when it is entered.
-- V2.2 OWASP ASVS 2.0

Approach 3/4

Converting ASVS into requirements

  • Session cookie must be secured
    • Not shared between sub-domains
    • Transmitted in HTTPS only
    • Not accessible by JavaScript (HTTP-Only)
  • Password information must be stored securely
    • Using strong one-way hash function
    • Using unique salt per user
  • Authentication must be required for administrative functions
    • Role-based access controls must be used, following the least privilege principle
    • Brute force attempts must be mitigated
    • Security must be enforced server-side not client-side
    • Special attention should be given to rich text editors such as TinyMCE
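The cookie and password-storage requirements above, as an added PHP example that is not part of the slides and not Drupal code: a check that reports which of the three session-cookie requirements a given set of cookie parameters violates, the hardened parameters, and password storage with bcrypt, which embeds a fresh random salt in every hash so each user gets a unique salt without a separate salt column. The function names and the sample values are constructed for this example; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example (not from the slides, not Drupal code). Helper names and
// sample values are constructed for this example.

declare(strict_types=1);

/**
 * Return the requirement violations for a set of session cookie parameters
 * in the shape returned by session_get_cookie_params().
 * Assumption: the site lives on one host name, so any domain attribute
 * other than that exact host (e.g. ".example.com") is "shared between
 * sub-domains".
 */
function session_cookie_violations(array $params, string $site_host): array
{
    $violations = [];
    $domain = $params['domain'] ?? '';
    // A domain attribute is sent to every sub-domain of that domain; only a
    // host-only cookie (empty domain) or the exact host is acceptable.
    if ($domain !== '' && ltrim($domain, '.') !== $site_host) {
        $violations[] = 'shared between sub-domains (domain=' . $domain . ')';
    }
    if (empty($params['secure'])) {
        $violations[] = 'not restricted to HTTPS (Secure flag missing)';
    }
    if (empty($params['httponly'])) {
        $violations[] = 'readable from JavaScript (HttpOnly flag missing)';
    }
    return $violations;
}

/**
 * Apply the hardened parameters; must run before session_start().
 */
function harden_session_cookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0,      // browser-session cookie
        'path'     => '/',
        'domain'   => '',     // host-only: not sent to sub-domains
        'secure'   => true,   // HTTPS only
        'httponly' => true,   // not exposed to document.cookie
        'samesite' => 'Lax',
    ]);
}

/**
 * Strong one-way hash with a unique salt per user: bcrypt draws a random
 * salt for each call and stores it inside the returned string, so two
 * users with the same password still get different hashes.
 */
function hash_password_for_storage(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function verify_password(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Constructed sample: a weak configuration, then the hardened one.
$weak = ['lifetime' => 0, 'path' => '/', 'domain' => '.example.com',
         'secure' => false, 'httponly' => false, 'samesite' => ''];
print_r(session_cookie_violations($weak, 'www.example.com'));

harden_session_cookie();
print_r(session_cookie_violations(session_get_cookie_params(), 'www.example.com'));

$stored = hash_password_for_storage('correct horse battery staple');
var_dump(verify_password('correct horse battery staple', $stored));
var_dump(verify_password('wrong password', $stored));
var_dump($stored === hash_password_for_storage('correct horse battery staple'));
```

The violation checker is the kind of thing that belongs in a deployment test: feed it the live session_get_cookie_params() after bootstrap and fail the build if the array is not empty.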

Approach 4/4

Adding specific requirements

  • Audit trail must be implemented
    • Trail of unauthorized access attempts
    • Trail of login
    • Trail of modifications
  • A dashboard listing the updates needed must be implemented
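One way to produce the three trails in Drupal 7, as an added example that is not part of the slides and not a published module: a minimal module, assumed to be named audit_trail, that writes login and modification events to the watchdog log, where they show up under Reports with the dblog module or leave the box with the syslog module. Drupal 7 core already logs failed logins (watchdog type 'user') and access-denied requests (type 'access denied'), so those are not duplicated here. The dashboard requirement is not covered by this example.

```php
<?php
/**
 * @file
 * Added example (not from the slides, not a published module): hooks for a
 * Drupal 7 module assumed to be named "audit_trail". Failed logins and
 * access-denied requests are already written to watchdog by core; this
 * module adds the login trail and the modification trail.
 */

/**
 * Implements hook_user_login().
 *
 * Trail of login: who logged in and from which address.
 */
function audit_trail_user_login(&$edit, $account) {
  watchdog('audit_trail', 'Login by %name (uid @uid) from @ip.', array(
    '%name' => $account->name,
    '@uid'  => $account->uid,
    '@ip'   => ip_address(),
  ), WATCHDOG_NOTICE, l(t('view'), 'user/' . $account->uid));
}

/**
 * Implements hook_node_update().
 *
 * Trail of modifications: content changes, with the previous and new
 * revision ids so the change can be reconstructed. node_save() sets
 * $node->original to the stored copy; guarded with isset() in case a
 * caller bypassed it.
 */
function audit_trail_node_update($node) {
  global $user;
  watchdog('audit_trail', 'Node @nid (%type) modified by %name (uid @uid): revision @old to @new.', array(
    '@nid'  => $node->nid,
    '%type' => $node->type,
    '%name' => $user->name,
    '@uid'  => $user->uid,
    '@old'  => isset($node->original->vid) ? $node->original->vid : 'n/a',
    '@new'  => $node->vid,
  ), WATCHDOG_NOTICE, l(t('view'), 'node/' . $node->nid));
}

/**
 * Implements hook_user_update().
 *
 * Trail of modifications to accounts: role changes are what an auditor
 * asks about first, so record the role set before and after. user_save()
 * sets $account->original; guarded with isset() as above.
 */
function audit_trail_user_update(&$edit, $account, $category) {
  global $user;
  $before = isset($account->original->roles) ? implode(', ', $account->original->roles) : '';
  $after = implode(', ', $account->roles);
  if ($before !== $after) {
    watchdog('audit_trail', 'Roles of %target (uid @uid) changed by %actor (uid @actor_uid): [@before] to [@after].', array(
      '%target'    => $account->name,
      '@uid'       => $account->uid,
      '%actor'     => $user->name,
      '@actor_uid' => $user->uid,
      '@before'    => $before,
      '@after'     => $after,
    ), WATCHDOG_WARNING, l(t('view'), 'user/' . $account->uid));
  }
}
```

The watchdog placeholders matter: @ and % are escaped by the logging layer, so a crafted user name or node title cannot inject markup into the log viewer, which is itself one of the XSS sinks a reviewer checks.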

Drupal baseline security

Drupal 7 already has several security mechanisms that satisfy some of the requirements.

Drupal baseline security

  • Authentication must be required for administrative functions
    • Role-based access controls must be used, following the least privilege principle
    • Brute force attempts must be mitigated
    • Security must be enforced server-side not client-side
  • Session cookie must be secured
    • Not shared between sub-domains
    • Transmitted in HTTPS only
    • Not accessible by JavaScript (HTTP-Only)
  • Session ID must be protected
    • Never disclosed outside of cookie
    • Must change and be discarded at logout

Drupal baseline security

Example

  • Brute force attempts must be mitigated

Excerpt from Drupal 7 core, modules/user/user.module:

function user_login_authenticate_validate($form, &$form_state) {
  $password = trim($form_state['values']['pass']);
  if (!empty($form_state['values']['name']) && !empty($password)) {
    // Do not allow any login from the current user's IP if the limit has been
    // reached. Default is 50 failed attempts allowed in one hour. This is
    // independent of the per-user limit to catch attempts from one IP to log
    // in to many different user accounts.  We have a reasonably high limit
    // since there may be only one apparent IP for all users at an institution.
    if (!flood_is_allowed('failed_login_attempt_ip', variable_get('user_failed_login_ip_limit', 50), variable_get('user_failed_login_ip_window', 3600))) {
      $form_state['flood_control_triggered'] = 'ip';
      return;
    }
    // Core continues with the per-user flood check and then calls
    // user_authenticate(); the rest of the function is elided on the slide.
  }
}
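To show what flood_is_allowed() is doing in the core excerpt above, an added plain-PHP example that is not part of the slides and not Drupal code: an in-memory re-implementation of Drupal 7's sliding-window flood control with the same two layers, the per-IP limit (50 failures per hour, as in the excerpt) and core's per-account limit (5 failures per 6 hours, keyed on "uid-ip"), the latter cleared on a successful login as core does. Class and function names, the address and the timestamps are constructed.

```php
<?php
// Added example (not from the slides, not Drupal code): an in-memory
// re-implementation of the sliding-window logic behind Drupal 7's
// flood_is_allowed() / flood_register_event() / flood_clear_event().
// Names, the address and the timestamps below are constructed.

declare(strict_types=1);

final class FloodControl
{
    /** @var array<int, array{name: string, identifier: string, timestamp: int}> */
    private array $events = [];

    /** Record one event for ($name, $identifier) at time $now. */
    public function registerEvent(string $name, string $identifier, int $now): void
    {
        $this->events[] = ['name' => $name, 'identifier' => $identifier, 'timestamp' => $now];
    }

    /**
     * Allowed while fewer than $threshold events for ($name, $identifier)
     * have a timestamp inside the last $window seconds. The window slides:
     * old events fall out by themselves, there is no fixed reset moment.
     */
    public function isAllowed(string $name, int $threshold, int $window, string $identifier, int $now): bool
    {
        $count = 0;
        foreach ($this->events as $e) {
            if ($e['name'] === $name && $e['identifier'] === $identifier && $e['timestamp'] > $now - $window) {
                $count++;
            }
        }
        return $count < $threshold;
    }

    /** Drop all events for ($name, $identifier); used after a successful login. */
    public function clearEvent(string $name, string $identifier): void
    {
        $this->events = array_values(array_filter(
            $this->events,
            static fn(array $e): bool => !($e['name'] === $name && $e['identifier'] === $identifier)
        ));
    }
}

const IP_LIMIT = 50;        // user_failed_login_ip_limit default
const IP_WINDOW = 3600;     // user_failed_login_ip_window default
const USER_LIMIT = 5;       // user_failed_login_user_limit default
const USER_WINDOW = 21600;  // user_failed_login_user_window default

/**
 * The gate checked before the password is even looked at. Returns 'ip',
 * 'user', or null when the attempt may proceed, mirroring
 * $form_state['flood_control_triggered'] in the core excerpt.
 */
function login_flood_check(FloodControl $flood, string $ip, ?int $uid, int $now): ?string
{
    if (!$flood->isAllowed('failed_login_attempt_ip', IP_LIMIT, IP_WINDOW, $ip, $now)) {
        return 'ip';
    }
    if ($uid !== null && !$flood->isAllowed('failed_login_attempt_user', USER_LIMIT, USER_WINDOW, $uid . '-' . $ip, $now)) {
        return 'user';
    }
    return null;
}

/** After a wrong password: both counters advance (the per-account one only for a known account). */
function record_failed_login(FloodControl $flood, string $ip, ?int $uid, int $now): void
{
    $flood->registerEvent('failed_login_attempt_ip', $ip, $now);
    if ($uid !== null) {
        $flood->registerEvent('failed_login_attempt_user', $uid . '-' . $ip, $now);
    }
}

/** After a correct password: the per-account counter is cleared, the per-IP one is kept. */
function record_successful_login(FloodControl $flood, string $ip, int $uid): void
{
    $flood->clearEvent('failed_login_attempt_user', $uid . '-' . $ip);
}

// Constructed scenario: five wrong passwords for uid 7 from 203.0.113.5,
// then a check for uid 7, for another account from the same address, and
// for uid 7 again after the six-hour window has fully elapsed.
$flood = new FloodControl();
$t = 1700000000;
for ($i = 0; $i < USER_LIMIT; $i++) {
    record_failed_login($flood, '203.0.113.5', 7, $t + $i);
}
var_dump(login_flood_check($flood, '203.0.113.5', 7, $t + 10));
var_dump(login_flood_check($flood, '203.0.113.5', 9, $t + 10));
var_dump(login_flood_check($flood, '203.0.113.5', 7, $t + USER_WINDOW + 5));
```

The per-account identifier is "uid-ip" rather than the bare uid so that a flood of failures against a public user name from one address cannot lock the real owner out from elsewhere; the cost is that the per-account limit only holds per source address, which is why the per-IP layer exists as well.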

Drupal modules

Several available modules satisfy requirements.

Drupal.org: Enhancing security using contributed modules
This section provides information about the various contributed modules that enhance security.

Drupal modules

Some examples

Drupal modules

Coming soon

Yog-Sothoth, Pierre Buyle

  • A dashboard listing the updates needed must be implemented
  • A user list must be generated
  • The list may be linkable with a global dashboard

Drupal CSP Support, Pierre Buyle?

Yog-Sothoth

Tools

phpcs-security-audit
Static code analysis

  • Code must include security mitigations
    • against SQL injection
    • against XSS attacks
    • against command injection through exec or eval
    • against CSRF attacks
    • The development framework must be used, not bypassed

phpcs-security-audit

Drupal 7-specific rules

  • XSS
    • Themes
    • Forms
  • SQLi
    • db_query
    • Dynamic queries
  • Requirement-specific
    • TLS (SSL) must be used for all backend connections
    • Application updates must be planned for common security issues
  • PHP
    • All the other base rules
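As an added example that is not part of the slides and not code from phpcs-security-audit: the Drupal 7 patterns those rules report for SQL injection (db_query with concatenated input, a dynamic query with an unchecked column name), XSS (raw input in markup) and command injection through exec(), each next to the form that passes review, along with the requirement that the framework's own database and output APIs be used rather than bypassed. The module name audit_demo, the menu path, the report binary and the table and field choices are constructed; the CSRF and TLS rules are not shown.

```php
<?php
/**
 * @file
 * Added example (not from the slides, not phpcs-security-audit code): a
 * Drupal 7 module assumed to be named "audit_demo". The commented-out lines
 * are the patterns the sniffs flag; the live lines are the accepted form.
 */

/**
 * Implements hook_menu().
 */
function audit_demo_menu() {
  $items = array();
  $items['audit-demo/search'] = array(
    'title' => 'Search',
    'page callback' => 'audit_demo_search_page',
    'access arguments' => array('access content'),
  );
  return $items;
}

/**
 * Page callback for a constructed search page.
 */
function audit_demo_search_page() {
  $name = (isset($_GET['name']) && is_string($_GET['name'])) ? $_GET['name'] : '';

  // SQLi, db_query rule: request data concatenated into the SQL string is
  // flagged because a quote in $name ends the literal.
  // $count = db_query("SELECT COUNT(*) FROM {node} WHERE title = '" . $name . "'")->fetchField();
  // Accepted: a named placeholder; the database layer quotes the value.
  $count = db_query("SELECT COUNT(*) FROM {node} WHERE title = :title AND status = 1",
    array(':title' => $name))->fetchField();

  // SQLi, dynamic queries rule: a sort column from the request is an
  // identifier, not a value, so no placeholder can carry it and
  // ->orderBy($_GET['sort']) is flagged. Map it through a fixed whitelist.
  $allowed_sorts = array('title' => 'title', 'created' => 'created');
  $sort = 'created';
  if (isset($_GET['sort']) && is_string($_GET['sort']) && isset($allowed_sorts[$_GET['sort']])) {
    $sort = $allowed_sorts[$_GET['sort']];
  }
  $rows = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.status', 1)
    ->condition('n.title', '%' . db_like($name) . '%', 'LIKE')
    ->orderBy('n.' . $sort)
    ->range(0, 20)
    ->execute()
    ->fetchAll();

  // XSS, forms/themes rule: raw input echoed into markup is flagged.
  // $output = '<h2>Results for ' . $name . '</h2>';
  // Accepted: the @ placeholder in t() escapes the value (check_plain() does
  // the same outside t()).
  $output = '<h2>' . t('@count exact matches for @name', array('@count' => $count, '@name' => $name)) . '</h2>';

  $list = array();
  foreach ($rows as $row) {
    // l() escapes the link text; stored node titles are user data as well.
    $list[] = l($row->title, 'node/' . $row->nid);
  }
  $output .= theme('item_list', array('items' => $list));
  return $output;
}

/**
 * Command injection rule: exec() built from request data is flagged. The
 * accepted form never lets input shape the command line: a fixed argument
 * whitelist, then escapeshellarg() on what is passed through.
 */
function audit_demo_run_report($report_name) {
  $allowed = array('daily', 'weekly');
  if (!in_array($report_name, $allowed, TRUE)) {
    return FALSE;
  }
  // The binary path is constructed for this example.
  exec('/usr/local/bin/report ' . escapeshellarg($report_name), $lines, $status);
  return $status === 0 ? $lines : FALSE;
}
```

The dynamic-query case is the one that most often survives a first review: the placeholder habit is learned for values, but column and table names arrive through the same request and need a whitelist, which is exactly what the dynamic queries rule is there to catch.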

Documentation

drupal-security-docs
GitHub repo
Requirements and solutions

TODO: links between the requirements and (Drupal core + modules)

Documentation

Drupal Security Guide
Whitepaper

Extensive on the server side
Overview for a Drupal site operator

Conclusion

Thanks!

https://github.com/Pheromone/

Links at @jonathanmarcil

Self

  • OWASP OpenSAMM
  • OWASP ASVS