My Experience at Drupalcon Euro!
Earlier this month I had an amazing experience attending Drupalcon Europe.
It was great interacting with the community and I got the opportunity to talk about securing web applications.
We discussed what a secure infrastructure looks like, some do's and don'ts, and the basic steps for building secure Drupal-based websites.
Let’s walk through some of the quick points we covered during DrupalCon.
Let’s start with a basic question. How do websites get hacked?
While building an application, engineers most often focus on securing the site with the latest tools and technologies. But it is not only about technology: people, process and technology are the three pillars of information security, and a weakness in any one of them is enough for an attack to succeed.
So how do we secure our infrastructure?
- For the infrastructure, use a tiered architecture: host the web tier in a DMZ, and keep the database and business-logic tiers behind a firewall so they are not directly reachable from the internet.
- Deploy an IDS/IPS. An IDS only detects known intrusion patterns; an IPS can also block them inline, so choose the mode deliberately.
- Undertake periodic VAPT (vulnerability assessment and penetration testing) so that known vulnerabilities are identified and fixed.
- Based on the criticality of the application, put measures in place to ensure business continuity.
For relatively small businesses, prebuilt images or a PaaS reduce the overhead of hosting the infrastructure in-house, so the team can focus on the application and its security.
Other strategies might include:
- Implementing a WAF and DDoS protection
- Zero-day protection
- Load balancers for optimal traffic handling and even distribution
- A SIEM for proactive monitoring and alerting
- Regular audits and checks, frequent application and infrastructure security tests, and regular risk assessments; where possible, adopt a recognised security standard or framework such as ISO 27001 or SOC 2
Well, these were some of the technical controls. Now let’s take a look at the people and process.
The “people” are the human resources at the firm’s disposal. People are the most important pillar of your cybersecurity strategy: they are the ones who carry out the tasks described in the process, sometimes by leveraging the technology. Failure to follow a process leads to a breach, e.g. not applying patches on time leaves the system vulnerable.
Training people on the established policies and processes, making sure those policies and processes are actually followed, and holding regular information security awareness sessions are key to mitigating this risk.
Processes are administrative controls, mainly involving manual effort, that ensure data security.
They include enforcing policies, standards and guidelines, and following procedures that ensure business continuity and data protection. Processes are key to implementing an effective security strategy. They should be defined, repeatable and improvable steps that you document and train on in order to perform a function.
This pillar ensures the organisation has strategies in place to proactively prevent security incidents and to respond quickly and effectively when one occurs. Examples of administrative controls include disaster recovery plans, internet usage policies and termination procedures. Processes are worth nothing if people do not follow them correctly.
After protecting the infrastructure, what should be done at the application level?
- At the application level, use the OWASP Top 10 as the baseline for web application hardening.
- Implement encryption at the various levels (in transit and at rest), and enable HTTP Strict Transport Security so that browsers only ever connect over TLS.
- Rotate keys instead of using static ones. Never put authentication tokens in URLs, where they leak through server logs, referrer headers and browser history and make session hijacking easy. Keep token lifetimes short so that a stolen token is only useful for a limited window, and require re-authentication when it expires.
- Enable appropriate audit logging at each stage; it helps to track activity, to troubleshoot, and to investigate incidents.
- Use certificates issued by a publicly trusted certificate authority rather than self-signed certificates; whether the CA charges for the certificate is not what makes it trustworthy.
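As an added example, not code from the talk or from Drupal, here is what the transport, token and audit-logging points above look like in a hand-written PHP 7.4+ application (Drupal manages its own sessions; this shows the underlying mechanics). It assumes TLS terminates on this host so that `$_SERVER['HTTPS']` is reliable, and that the audit log path `/var/log/app/audit.log` exists and is writable; the timeouts are illustrative values.

```php
<?php
// Added example (not from the DrupalCon talk): a minimal hardened session
// bootstrap for a hand-written PHP 7.4+ application. Assumptions: TLS terminates
// on this host, so $_SERVER['HTTPS'] is reliable, and /var/log/app/audit.log is
// writable by the web server user.
declare(strict_types=1);

const IDLE_TIMEOUT  = 15 * 60;     // seconds of inactivity before a session is dropped
const ABSOLUTE_LIFE = 8 * 60 * 60; // hard cap on a session's age, active or not

// One JSON object per line for the SIEM. The raw session ID is never written;
// a truncated hash is enough to correlate the events of one session.
function audit(string $event, array $fields = []): void {
    $line = json_encode([
        'ts'    => gmdate('c'),
        'event' => $event,
        'ip'    => $_SERVER['REMOTE_ADDR'] ?? '',
        'sid'   => substr(hash('sha256', session_id()), 0, 12),
    ] + $fields);
    error_log($line . "\n", 3, '/var/log/app/audit.log');
}

// Call this only after the credentials (and MFA) have been verified. Rotating the
// ID at login makes any ID an attacker planted or sniffed beforehand worthless.
function loginUser(int $uid): void {
    session_regenerate_id(true);   // true = discard the old session data as well
    $_SESSION['uid']       = $uid;
    $_SESSION['created']   = time();
    $_SESSION['last_seen'] = time();
    audit('login', ['uid' => $uid]);
}

// 1. Transport: refuse plain HTTP and pin browsers to HTTPS with HSTS.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
    exit;
}
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

// 2. The session token lives only in a cookie: never in the URL, never readable
//    by script, never sent over plain HTTP, never a value the server did not issue.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'lifetime' => 0,        // dies with the browser; the server enforces the real limit
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

// 3. Short lifetimes, enforced server-side: a stolen token is useful for minutes,
//    not days, and nothing stays logged in indefinitely.
$now = time();
$expired = (isset($_SESSION['created'])   && $now - $_SESSION['created']   > ABSOLUTE_LIFE)
        || (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_TIMEOUT);
if ($expired) {
    audit('session_expired', ['uid' => $_SESSION['uid'] ?? null]);
    $_SESSION = [];
    session_regenerate_id(true);   // fresh ID, old data gone: the user must log in again
}
$_SESSION['created']   ??= $now;
$_SESSION['last_seen'] = $now;
```

The idle and absolute limits are enforced from timestamps the server stores, not from the cookie's own expiry, because the client can keep presenting a cookie for as long as it likes. The audit line is one JSON object per event so a SIEM can parse it without a custom grok pattern.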
Adopt a security-by-design approach during development, so that fewer vulnerabilities are found before go-live; have security checks and reviews in place before go-live, and follow a process of carrying out application security tests before each release.
Security by design has to be applied at every stage:
- Before writing a single line of code
- While writing code
- While moving code to production
- After moving code to production
If the hosted site is a corporate marketing site, the OWASP Top 10 may be a sufficient baseline. Depending on the use case, companies should also build the following into their development process so that risks are identified and mitigated in time:
- Threat modelling
- Risk assessment and mitigation
- Code review and deployment security
What are the steps for hardening a Drupal-based site?
Some of the tips to follow when implementing Drupal are:
- Disable the default logins and change any default passwords.
- Implement access control, including content access permissions.
- Keep reasonable session timeouts and limit the number of concurrent sessions per user.
- Enforce MFA for administrators.
- Check file permissions, and block direct web access to files that should never be served, such as authorize.php and cron.php.
- Use a database table prefix (configured in settings.php) rather than Drupal's well-known default table names.
- Disable the anonymous user role if it is not required.
- Enable the Security Review module, which runs automated checks for many of the easy-to-make mistakes that leave a site insecure, e.g. which file extensions are allowed for uploads.
- Enable the Login Security module, which adds access control to the login forms so that a site administrator can protect and restrict access, e.g. by limiting the number of failed login attempts before an account is blocked.
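The session, table-prefix, file-access and login-throttling points in this list, and the short-token-lifetime point from the application-level list above, come together in settings.php. The fragment below is an added example for Drupal 8/9/10, not the talk's material and not the Srijan checklist; the host names, the `/var/www/private` paths, the database credentials and the exact limits are assumptions to adapt.

```php
<?php
// sites/default/settings.php fragment for Drupal 8/9/10.
// Added example, not from the talk or from Srijan's checklist: host names,
// paths, credentials and limits below are assumptions to adapt.

// Only answer for the host names this site is meant to serve, so an
// attacker-controlled Host header cannot poison generated links or caches.
$settings['trusted_host_patterns'] = [
  '^www\.example\.com$',
  '^example\.com$',
];

// Keep the hash salt outside the web root and out of version control.
$settings['hash_salt'] = trim(file_get_contents('/var/www/private/hash_salt.txt'));

// Table prefix: rename the default tables instead of using Drupal's well-known names.
$databases['default']['default'] = [
  'driver'   => 'mysql',
  'database' => 'drupal',
  'username' => 'drupal_app',
  'password' => getenv('DRUPAL_DB_PASSWORD'),  // assumption: injected from the environment
  'host'     => '127.0.0.1',
  'port'     => '3306',
  'prefix'   => 'hx7_',
];

// Private files (uploads that need access control) live outside the docroot.
$settings['file_private_path'] = '/var/www/private/files';

// update.php stays restricted to administrators; never open it to everyone.
$settings['update_free_access'] = FALSE;

// Session lifetimes (default.settings.php ships far longer values): idle sessions
// are garbage-collected after 30 minutes and the cookie does not outlive the browser.
ini_set('session.gc_maxlifetime', 1800);
ini_set('session.cookie_lifetime', 0);
ini_set('session.cookie_samesite', 'Lax');   // honoured by Drupal 9.1+; verify for your version

// Brute-force limits for the login forms (core user.flood config). Overriding them
// here means they cannot be loosened from the UI or by a config import.
$config['user.flood']['ip_limit']    = 20;     // failed attempts per IP ...
$config['user.flood']['ip_window']   = 3600;   // ... per hour
$config['user.flood']['user_limit']  = 5;      // failed attempts per account ...
$config['user.flood']['user_window'] = 21600;  // ... per six hours
```

Once deployed, make settings.php itself read-only for the web server user so a compromised module cannot rewrite it. The remaining items in the list are not settings: MFA for administrators and a per-user session limit come from contributed modules (for example the TFA and Session Limit modules), and blocking direct requests to authorize.php and cron.php is done in the web server configuration.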
But hardening is not enough; regular maintenance is also needed:
- Always keep Drupal core updated,
- Use the latest versions of the themes,
- Keep contributed modules updated,
- Review access permissions, and
- Carry out security tests at regular intervals.
With the support of Drupal experts at Srijan, the Infosec team has created a Drupal Security Checklist that our projects should use as a mandatory checklist while implementing a Drupal-based site.
The top three key takeaways on securing a web-based application are:
- Security by design: introduce security at design time and follow threat modelling.
- Maintain a hardening checklist and follow it during every release.
- Proactive monitoring: configure the right alerts and act on them proactively.
Pankit Gautam Genge
Chief Information Security Officer