a land-based artificial model and an aqueous certified site server. Tonight he's going to be talking about the Lando local development tool and showing us how it can easily be used to spin up a local development environment for your projects. Thank you.

Recording? Yeah, so hold on. Hi, I'm Green. I might have already introduced you. Most people here would know me because I hang around a bit. A bit of a Drupal person, but I mostly like weird stuff like CSS. Not really a programming language, but I'll challenge you on that one. So today I am going to talk about Lando. It is a local development tool built around Docker to help you not make mistakes and save time. So has your local environment setup ever had you like this? Or like this? Or like this? Then you'll be amongst probably 98% of people that don't have a gigabrain. I'm a front-end dev and I hate things that are complicated and I hate documentation. So it's really good for me when things just work. I just do the things it says and it works. So that will also lead me into saying I'm not an expert at this, but I've used it a lot and I can probably answer most of your questions, and if I can't I can probably direct you to the right spot. There's a Lando channel in the Drupal Slack. It's really good. There's way more people there than there are women. So anyone that likes Star Wars will know Lando is a person, but not in this case. So don't try Googling it. Let me tell you, you'll never find the thing you're looking for. So what is Lando? Essentially it's just like a wrapper around Docker. It makes it really easy to spin up containers and different services. And I guess the best thing about it is they kind of just seamlessly work together, and all you need is a YAML file. So you get your Lando YAML file, and that's my Lando site and it just works.
So as the person who creates documentation it's real good, because someone smarter than me can write the Lando file, which has actually ended up being me. So that can be a bit bad. But yeah, it's kind of good. So now you have all this unlimited power. You sort of have this one file that controls all the services that you need. But that kind of just sounds like Docker Compose. And do I say it's not? Docker Compose is real good at managing Docker. I mean, they both do the same thing. You can have a Dockerfile inside your Lando instance and use that Dockerfile if you want. I think you're wild if you do so. But in some cases it's really helpful. So everyone that uses Lagoon will know they have a Lando setup that also has a Docker Compose file in it. So they do work together. But I'm going to say 99% of the time just have your Lando file and you're good to go. But they're basically similar but not the same, in the fact that Lando sort of wants to focus on having lots of different services, where you want to have lots of different containers with Docker Compose.

So Lando comes with this really nice thing called recipes. And I guess they make it really easy for devs to just get started. So we don't really need to know how it works under the hood. All you need to know is that there's a file in Lando somewhere that says that this exists and these are the containers you need. So you have just like a food one, but Docker is basically like a recipe. It's telling Docker what containers you need and what services you want. And I'll pull up a Lando file soon and we'll just dissect it. I might answer some questions that Mike said people might have about performance. Does it kind of cook a machine? That's always fun. I don't think I've ever started, restarted Docker so many times. If I can figure it out, you can exclude directories. My God, that was a day. So you can run these recipes for lots of different things. So I guess most of you are interested in Drupal.
But you can run Laravel. It's really good with WordPress currently. I've never used it, but you'd probably like it. So Laravel, Drupal, pretty much anything, though I actually haven't seen a .NET one. But I would argue that there's probably a reason for it. Please refer to the documentation. Here is a very good screenshot of a Lando file. This is the config you need. Literally running lando start will give you a Drupal 9 site. You will still need to compile the files, of course. You can run lando start. It will give you PHP version 8.1. As long as your files are in the web root, Drupal will spin up and run. It will do all the aliasing and everything like that. You can access all your containers. Lando has a bunch of command-line tools actually. So it comes out of the box supporting Drush and everything like that, straight out of the box. You can write custom ones for any other weird thing you want to support, like Drupal Console. Not out of the box. I mean there are third-party people that still use it. I don't know why, but I'm sure there's a reason. But yeah, you can see very little. You don't need to know much to know that this is just going to be nice and easy. When I first used it, I thought it was too good to be true, but it wasn't. It actually worked the first time. And it feels good when it says boom, shuffled up a little. So it's like a true one and it's configurable. So all the recipes are configurable in Lando. We can tell it... I'll just give you another one because that's a good example. We can specify PHP versions. If my web root is weird, I can put it there and change it. You can change nginx, Apache... I don't know any other server type. It's that way and fine. There's a whole list of stuff you can configure on the recipe. Most of the things that are good are actually in the tooling of Drush. Because I imagine we don't want to remember aliases and all that kind of stuff. We can remember those things for you.
But I guess the good thing is that you have this standard recipe and you can sort of configure that to your heart's content, and it can just be used to replicate your production environment very, very closely. It's not recommended you use that in production, but I've seen someone do it in a spine. Use under advisement. I can't, I'm not going to say. No. It's fine until it's enough. No. It's not. We do use Lando to run up CMS projects locally. Yeah, no comment. So basically this is the spiel from the Lando website. Everyone should just be able to run git clone. So you commit the Lando file to your repo and just run Lando stuff. And that file should have everything you need for everyone to get started. So you can have Elasticsearch already configured and everything like that. All the servers, now it holds really easy. There's lots of all those nice tabs that just come out of the box that are kind of annoying to use all the time. I can just, I'll show an example later. I'm not very good at talking about it, but if you ask me a question, I can probably answer it. Okay.

That example of the git clone and lando start. Do you always shoot before you have something to do with it? Yes. You can set one up by doing lando init, and it has a wizard. So you can step through and it will give you one. We'll do one. So if you just lando start to get old anything. This is just filled with Star Wars GIFs. This is my favorite thing that Star Wars is going to get. And now we're ready to play. So it'll give you a bunch of URLs that you can access. And as long as everything is configured correctly, you'll be able to go along and use your Drupal site. And it'll give you the install thing if you haven't imported your database yet. But you can write tooling around that too. There's commands already out of the box. Yeah. So this is a short overview. If anyone has any questions while I pull up a file, I'll start on it. The performance is the question that people do ask.
Mike did say someone might have some questions about that. Yeah. So we tried to run Lando with Doxymus. Not Doxymus or Lando, but Lando and Doxymus. Yes, I've got it. Yeah, I think you can run alongside it. It is possible. Yeah. I was going to say that I've got, you know, it's got URLs. Yeah, so I'll use a different URL. So we might have one that's whatever site.lando or whatever. Yeah. I have localhost.something.the port number. Oh, money. For me, I'm going to show you a little bit. Yeah, so it was at the start, when I first started working with Brin ages ago. It was like, we're using this thing. I'm like, cool. But I'm used to using it this way. And to work together, like, eh. So I worked that bit out. And yeah, it's not hard. It's just, once you've worked it out, well, yeah, it's cool. But perhaps if you're trying to follow some documentation, it might not, like, the URL is never going to be the same. So each time you either start different sites up at all. Zero. Yeah. Actually. Yeah. Look, I've got a couple of, I don't know what you're doing because I've not been sort of getting there. And I know it's kind of, apparently, there's something else. It's, you know, people are interested in this. I'm, you know, can you hear my computer from there? Some fire. Yeah. Let me tell you much. My computer, I can run three, four. I've, at once, even had five Lando sites running. I don't know about that anymore. But I have to have one. Yeah.

So this is, for me, sort of a really light version. Well, before this is the light version, everything from there up is like, I mean, you don't even need this PHP version. If people recommend the PHP version, it will fetch that one. I mean, technically, if your web root is the root of your project where the YAML file is, you don't even need that. You can just do a name and a recipe and it will be fine. These other things under here are, so we can define services here.
This is where we might define Elasticsearch or some other service that you have. But here I'm just saying, when the app server is built, just run composer install. So I can just use my desktop and do everything in terms of where I can run a bunch of commands on Lazy. And in here. Lazy. Yes. You're the most efficient person I know. So another one that actually, first question, has anyone used Lando before? We should have asked that at the start. Yeah. Yeah, cool. Someone might be used to seeing this Drush one, and then it's a big, not a big long one, but a short one that just defines the URL. So when you do Drush things, this is the right URL. We have come across this long command. It'll always just be working no matter what project you put it in. So this one will automatically alias the URL that Lando provides to... Hold on. I'll zoom out a bit so you can see. Just so that you don't have to come in and edit this one every time. So I can just reuse this no matter where I go. As long as I change this name up here, I'll get different URLs, and this will just work. And we also have this excludes... I don't know what you call this in here, object, thing, something, where you can define roots that you want Lando to exclude, because Docker is a whole. This is really good for vendor folders and stuff. Once you've already defined your modules or things like that, this is good for static files if they never really change, and things like that. It'll be fast and increase your performance.

Is that because Lando is creating a copy? Rather than a copy, we don't want to put one in the back. It's called a copy file where you've got your repo inside of it. Yeah, basically inside. Do you ever run into a problem where you're upwards and you're going to run to a point and you're going to run down? Pretty subtle. Is the answer to that one? How often does that happen? Rarely. The main, at least. I don't think it happens that often.
If I ever run into issues, it's mostly a restart Docker thing, and if that doesn't fix it, then it's an object Google. But if everything's working normally, we have to notice that. Nah, I don't notice any bugs. When containers first boot up, there's a bit of, obviously it's going to take a bit of time, but it's usually pretty good. Okay. Just, this is not for people with harm equation. Okay, that's great. I'm just going to do, lando start. I don't think I've got the container running on the machine yet, so we'll see. Love coding, everybody. Very cool. It is booting things. Globalize everything. I'll narrate this. Yep, booting things. Booting containers. Wait, waiting. Waiting. You'll get used to this waiting one. When you first boot up the old containers. But, I promise for a little bit. Any questions while we wait? Oh, there we go. See, here's the ball of chakalaka. Very cool. And when you do lando destroy, you'll be able to pay behind price. Pretty good. Yeah, it's almost been a lot of findings a man might have himself. So you can see, I have these URLs. Yeah, actually, I've a computer problem in there now. They apparently, let's see, did bring it right. Yeah. In my opinion. And there's our Lando site. In a matter of minutes, obviously, I have things installed already, but, yeah, so it is good at that. That age, I mean, I'm not a very brilliant person, but I can do it. I promise that you can. And the timing of docs and the Slackers is helpful as well. Um, but yeah, I can use Drush now. I think that's helpful. I would check my computer for this. Oh, yeah, it's good enough to do. I can run Lando. Let's get some pretty cool things. Hey, what do we want to do about this site? Go for it. Hey, um, that really long, complicated line before, that looks like this and I don't know if it does. So it just gives you the right URL instead of people, which has happened all the time. It was really annoying when I did that.
Um, so if I was to change my project name, thank you. Yeah, yeah, like this. Oh, really hard. My mouth is just a URL. Nothing fancy. How's that? Okay, cool. So if I was to go back to, tell me if I'm going on and on and on. Um, Lando projects. For one. Well, not for typing. Um, and I do lando rebuild on this. This picture. But this will rebuild all my containers. Um, yes. Um, this will rebuild my containers with all of the, if I was to update more stuff in there, add a new service or whatever. Do that. Um, or we're in turbo mode, baby. Oh, yeah. That's what happens when you exclude directories. Big more. Very cool. Um, this would have been better if I excluded more directories, and it would have been quicker than the problem. Maybe. Um, so basically you'll see now it'll do a full composer install. Well, it was fine. Um, yeah, I think I'm sort of at the limit of sort of going on and on now. So, oh, it's version four. Yeah. So now you can see my URLs and stuff have all updated. I get some cool aliasing. So I don't have to use localhost anymore because I'm cool like that. Um, Lando will tell you these services don't, they're not probably, I rarely run into that, but they'll be red. They will sometimes still work when they are red. Yes.

Do you guys see the log? The server-side log? Like server-side log. Oh, yeah. Yes. Well, I could do, like, what else? Yes. I spend a lot of time in lando logs when I'm building things that crash. And I don't get errors and it just gives me the white page of death saying contact the site admin. Don't know how to contact myself. Yeah. Yeah. Right at the bottom. Very cool timestamps. Cool. Yeah. Lando 4 is coming out. Everyone should be very excited about that. They're moving to a modular system. So it'll be very easy for people to contribute now. This was originally a project of Tandem, this company that does this. Yeah. Um, during COVID, they probably, 2020, maybe a bit earlier.
They came out with Lando just because of cities and Docker Compose. I really don't think they really wanted it to take off as much as it did, but it kind of did. Well, it's just really easy to use. But they have now taken it up again and sort of had a giant meeting and decided what do we want from this thing, and the main thing was they want people to be able to contribute to it. It is open source. But right now it's kind of difficult. Um, so with the new modular system, hopefully we'll be able to run global commands. So things that are not installed inside the containers. Um, it will be very helpful. And then I can do away with things like a blade. We're going to be nice people. I can just have all the tooling in my Lando file.

So let's go to, yes, Brett. So I'd love, I'm going to read it. Whoops. I would love to have a way to automatically add our usual config to a GovCMS site. It's a learning curve. It can take some time. Get used to set up in documents to share with the team. Oh, further up the chat. Okay. I didn't see it. It's the top one. You've got reverse scroll. That's wild. It's a wild march. A wild person. Where is it? Down. Yeah. It's a maze budget month for people and for government. People are not so good for it. Could you use it to configure a GovCMS site with your usual config options? Yeah, we use it. So anyone that doesn't know, I used to work in a place called annex with March. Um, and we basically, for every project, we used to use Lando, including GovCMS projects. We did have a script for a while, both Nigel and I, to spin up all the config that was required for GovCMS, that would just pull the GovCMS repo and do all the things. And then, yeah, just go on with your life kind of thing. Um, we did plan on making that open source, but Nigel kind of left. And then I kind of left. And now I don't have access to it.
But, I mean, if there was a lot of time, I'd be happy to pull up what I can and that kind of thing and provide that to people if they want. They can do it. Mm-hmm. Absolutely. Another great thing, right? Kind of. There's a bit of fiddling around, but setting up, like, Lando is good at handling the container side. All the other stuff is kind of just a little bit of a problem. Because all the things might have been used already in the repo that are needed. Of course, you need a bit of common sense. Like, don't add modules. We'll still do that. But, I mean, these guys will shut you down on the other end anyway. So, that's a problem anyway. Yeah, that's what I mean. So, yeah. We use it. I'm planning if I've seen those sites. I think they've just announced it. It's still Lando 3. And I think maybe for two or three more releases, it will still be Lando 3. But I think halfway through the year, they're planning on releasing Lando 4. I think there is a beta version out there. I haven't looked at it yet, but I'm looking forward to, you know, writing my own things. So, yeah. Yeah, writing my own things. Currently, we can write our own recipes and stuff like that. They're really handy. Our iPhone, we've talked about maybe writing our own recipes. So, we don't have to have a giant file like that. Just a one-file thing that just says recipe. iPhone, Drip and Line, or whatever. But, it's kind of nice that I haven't done anything that has to do with Lando for one project to another, which just changed the name. But, yeah. I think it will open the gateway for all of the people that are... There are some frustrating parts for Lando. I don't think, one of the chances kind of sucks to be tied to Docker as well, considering Docker's company may have indicated that they may go to a model. So, people are a bit scared about that. So, Lando 4 opens the way to not be tied to Docker. Tied to some other generalization, if you will. But, yeah.
I think Lando is a great product. It's open source. So, people, we love it. We love open sourcing. We know. Yeah. It's really easy to get started and I think everyone should use it. But, I don't know. I don't really like it. But, it's... Sounds fine.

When do you open the public and the private? How do you do that? How do you do this? I've set up my certificate before and it provisioned the certificate. You can just provide that to Chrome or Firefox. I'm sure if I open it in Firefox right now I'll get it. Probably. Yeah. There's a folder inside the Lando directory and it has all the certificates. There's documentation around how to add those. Yeah. Firefox is the one that is the most famous. Because you actually have to, like, look at it. I had issues with, like, enterprise and stuff. I need to install it. No. That'll rain to anything. We have some do-bronson on Windows, Xanax, Dandos. Windows. But, I mean, it works. So, that's fine. Good. So, you can have people on different machines. You can have versions of machines. You can see my Intel machine. I've got an M1. Obviously, it's going to run better on the M1 than the Intel machine, but it doesn't run. So, everyone tells me. You like spacecraft? Very good. And a heater. And a heater. But, yeah. Zero years. And I started to make the wraps on the Star Wars. I was interested in your best moment in Star Wars for a certain moment. I'll throw up with 10 minutes. Hey, man. Crinkles. Crinkles are great, man. They're great. But I love all Star Wars. I just have the vivid memory of my, like, whenever I think of Star Wars, man, that's what I think of. And you especially like what you saw before? I like taxes and shit. That's all right. Maybe I'll save one's all right. That's my favorite Jedi in it. I mean, I don't want to make this political. That's my favorite Jedi in it, man. And that's it. Who's your favorite Jedi? Wagon. Britt. Britt. Do you have any more questions? I'll unplug on the chain and bring them back up.
Thank you very much. Louise, look how zoomed in I am. Oh, wow. You can read it from over there. Thank you very much. All right. Thank you, Britt. Thank you very much for putting that up. If anyone has any more questions, you can just message me on Slack or like this. Should we do a five-minute comfort break, or is everyone going to just get rolling with it? No. Okay.

Our next speaker for tonight, who I imagine some of you have been with, is Danis Alden. He's the technical practice lead at Hyden Sea and his work specializes in cloud and cybersecurity architecture for enterprise programs. He's been working with Drupal for over 12 years now. He'll be talking about security scanning tools for the Essential 8 from Brooklyn. Is that cool? I'm in the Meebs so I can share my screen. Yes, that would be great. What a great idea. You're looking at me. I didn't even want to stand up. So then Dan does have his own reverse proxy. Yeah, that's right. It's supposed to be. I know lots of others don't know. Yeah. So sometimes in my experience it doesn't work and I just do things every day. Yeah. You can define the port and you can set a certain environment variable to make it work. Yeah. Okay. So we're just going straight into this, right? Yes. All right.

Fancy presentation by H&S. And thank you very much to Bri and Dan for organizing these. They actually flew me in from Melbourne to do this presentation. So that's a pretty big commitment. I think that's an extra step for an open source community. I think it's really cool. So just a bit of info about me. My current title in the project is Enterprise Architect. I've got 14 years of experience working across the LAMP stack, WordPress, Joomla, mobile, Drupal, everything, currently technically at hide-and-seek, and going to be talking about cybersecurity in Drupal.
And a lot of interesting things that I found along my journey, as I was hacked multiple times. I spent countless nights debugging and cleaning up websites with that architecture. There's some prizes, some small prizes, and some quizzes too, up in the presentation today. So Bri over there will give a super special prize. Whoever works out the secret gets a special prize. Yeah. All right.

So just super brief. I'm going to talk about Essential 8, which I'll talk about in a second. We'll talk about scanning, reporting, updating, firewalls, basically all the different things that you need to do in order to not get hacked. We'll talk about self-hosting Drupal. Sometimes you need to do that, especially in a government requirement where, when you are working on high security workloads, you have your workloads running in Asia and they don't want to share your data anywhere else. For example, Acquia backs it up to the Tokyo region, right? And some government would say, hey, I don't want it. Tokyo is too sensitive. I want the data to be in Melbourne, Sydney, and then they self-host it and then they get into trouble. So we'll walk through that, and we'll walk through the different enterprise hosting platforms, right? Acquia, Platform.sh, Einstein versus self-hosting it, what are the implications, what are the issues. There is a questionable ethical demo of hacking a live site on the call, which I did as well. I don't want one. No, no, I had to do it myself. And just the questions and some.

So starting with a story about Log4j. Everyone is smiling, so yeah. Has anyone had one of those on a site ever? Huh, wow. So what happens when you get one of those? It means too late. Your site has been injected, they've changed the payload, it's loading some JavaScript, it's loading whatever it's doing, Google Chrome picked it up and it's telling everyone that it's bad.
Your site disappears, so Google, it's still listed, all that SEO I've already put in. So multiple clients before, thousands and thousands of dollars in SEO to try to get on Google page one. For example, one company I used to work for before, like $15,000 on articles, blogs, every month for five years. One of those, they've gone off Google for three months, they reappeared on page 16, two years to climb back up. So it essentially destroys your site reputation.

So back to Log4j. It's very interesting because government really didn't mind that much what you're running, what kind of tools you can scan the websites with, that's one of the things. And then kind of privately I found out, because working for some federal government clients, that about 80% of infrastructure was affected by the Log4j vulnerability. Data was stolen, so that was deleted, removed, destroyed, and we're talking big things, big blocks of government operation, ports, things like that, right? A lot of sensitive information leaked and the government started to go, ooh, maybe we should have a look at everything that hasn't been hacked yet and see what are we doing about it. And then I got a call from a client and they went, can you please tell us how you comply with Schedule 8? It's been there for a very long time, no one knows what it is, but we actually have to make sure that it's done. Can you please have a look at where we're at, and can you please tell us whether we're compliant or not and what we can do?

Anyone can work out something not right with this PHP file? Everything looks a little bit out of place. So that's how this thing happens. So this is the end result, but your site gets injected. I'll talk through different methods how it happens, and then your PHP file gets a nice present, a nice extra little bit of a line of code. This is called a heuristic logic injection, where the virus is everywhere. It's actually encoding itself, so if you try to match the pattern it will not be the same, it will always be different
because it's using some random string. It's passing around the string through base64, it's encoding it, and you don't actually know what it is. It's probably at least trying to, you know, do one of the bad things that it does.

So going back to Essential 8. The government brought to my attention that there's something called Essential 8, which is a cybersecurity maturity model that requires us to do a lot of things. The definition is, yes, so it's a framework for organizations, specifically the government because it's developed by a certain government, to improve cybersecurity by reducing the chance of a successful cyber attack, and it's a set of strategies both for mitigation and remediation. When I talked about it with the developers, we just write JavaScript, we like React, React is the best. But then some of the stuff specific for Drupal would be, you know, patching, scanning, multi-factor, backups, network segmentation and many more other things. But actually Drupal is really not there, because for example when they told me, do you scan twice a day your dependencies in Drupal, we weren't even thinking, like, is there a tool that does that? Because if you're using Composer you have a dependency of the dependency of the dependency that is using a dependency that hasn't been updated for five years, and then if that dependency is vulnerable you get the red screen. It's good on Acquia and Platform.sh with a blocked file system, so even if you get injected they can't write. But I'll talk later about the self-hosted systems, that's where they can write to the file system very easily, like, you know, we took a blue post, they explore the net registry, all those shared hosting platforms that are cheap, and a lot of the governments still use that, and it's very unfortunate because there's no tools in place to mitigate that. So when it happens, it's too late.

Drupal can be exploited, specifically, most common one, 99% of SQL injection, but there's also denial of service, distributed denial of service, file inclusion, cross-site
scripting. SQL injection is a really interesting one, we'll talk about that, we'll show some slides, and I'll talk about the denial of service because that's my favorite one. It's quite funny. So a company that's selling, you know, you buy, you put money in their account and you bet on the horses. They make 90% of their money during the races in Melbourne, and they get a phone call about five days before the races and the hacker says, we're gonna bring your site down for one hour, watch. Then the site goes down for one hour, then it comes back up. Then they say, okay, we just want 15, whatever, 150,000, 150,000 dollars, otherwise during the races your site goes down forever, you're not making any. And that's done using a distributed denial of service attack. So this vulnerable code that you saw might infect your computer to become part of the botnet, which will then form one of those attacks, become a participant of one of those mass attacks that will deny service. And protecting can be done: patching obviously, restricting privileges, multi-factor, backup, network segmentation, a lot of other things which I'll talk about in a moment, but it will not help if you have really bad architecture in the beginning.

So there's the little quiz that I put together today. So this is actually a real situation from my previous workplace. There was an architect who said, you're just a dev, and he said this is how all of our sites are handled, and I went hmm, hmm, are you sure? So who wants to give it a crack? Well, it's not that difficult, but who wants to try to see what potentially might be wrong with this for security, performance, access? That's how the DNS is handled for three sites. That's the dedicated server with three directories in it. Here, anything else? Yeah, lose one, lose them all is probably there. I think we deserve a gift. Aha, genius, that's right. So anyone else wants to pick up a couple of scenarios where this could go horribly wrong? If this is not fashion, production, they ran like that for two years.
Yeah yeah yeah yeah. The Drupalgeddon, it was when I was employed there, so that's a horror story, right? So let's see, anyone else wants to try? No? Okay, I'll try to summarize. IP address is only one IP, it's not masked, but it's not proxied, no CDN. If you do a lookup you see the IP, you can hit the IP. All of the sites are on the same server in a web root directory, in the public_html directory. So when we had, so that was production and dev and stage, and that's how they had .htaccess. Apache was routing traffic to the three different applications, and as a result, when the Drupalgeddon happened and we got exploited in production, every single PHP file got it, basically written, you got that base64 problem in there. It went all over the place. It then infected all the backups, because all the backups were in the same directory too, and it corrupted all the backups and renamed all the files, and then it also screwed up the dev and the stage forever. The backups were on the same server with production and dev and stage, and it was a self-hosted server. So if you try to do any antivirus on this, you already lost your game, because you're just asking for it here, right?

So with this system, I remember Drupalgeddon happened, everything got destroyed. I had to manually clean up 700 files, because we didn't have a backup, because every backup was destroyed. Then I went to the database and manually cleaned up the database, and then it was done at 4am. So 9am to 4am, and I got a hundred dollar gift card. Oh, that's pretty good. The US also had the same site, but someone else was managing the US site and they couldn't have cleaned it up, so they hired a cybersecurity agency to do it, and they got a bill of US$80,000 for emergency remediation from a consulting company, and they paid that bill. I'll find out later for one of the reasons. So that's when we talked about architecture, infrastructure, blah blah blah. So obviously if you're using a proper hosting solution and not hosting it yourself or
not trying to save money using something big you're not going to have that problem you're going to have stage, prod, everything pipeline, CIC details, backup restores all that stuff and then of course you have the code problems too if anyone wants to give it a see if there's a potential maybe something not right here that's right you just get the input from the post right that's it bad bad bad and so seeing a lot of that too so the same is not prepared we're not taking advantage of the awesome APIs that we have in Drupal Drupal API blah blah blah we are sort of here as an example of where we are passing it through for an parameter right so rather than just writing the whole SQL thing this will make it much harder for it to do but a very easy mistake like three lines of code the red screen of death if you're a government you're screwed if you are using this by SEO you build up your reputation you drop, you go home yeah Drupal get-in that's what has so Drupal get-in tried using a github but couldn't make it work we wrote in a bash to make it easy this is really interesting so the script is utilizes just the normal library 64 lines of code it because of lack of sanitization the Drupal 837 and down and Drupal 7 and 3.7 and down did not have the sufficient input validation in a 4 a tactic would inject the arbitrary code basically run anything that wants to get access to the server and just run to make a new file you could move the settings file where the database password is there and you could do a SQL dump and then download that dump straight from the public directory so easy if anyone wants I will put the link you can try it yourself I've set up a Drupal 8 site and all it takes this thing takes one parameter URL and then the second parameter any command you want to run in the as a shell so you can go touch index HTML in the main directory the whole thing is gone and you just get a blank page so that's easy so easy that's Drupal core right so what do we need to make 
sure that yeah that's the github repo if you're interested so obviously what the government wants to do is scan every day for dependencies for using heuristic logic so heuristic logic scanner is a specific tool that scans the files for anything that might be a virus but not sure so for example that basics before encoding is an injection but it's different on every side so you can't just do a comparison string to string you need to kind of go maybe that doesn't look right so heuristic logic scanning is a really important thing and if it picks up it's 95% chance there is a problem but most people haven't anyone heard about heuristic logic scanning daily and many people have know yeah and so when they told me okay Daniel so how do you make sure we scan every day I have to go well the tools are hard to find if you ask under root developers how do you do that they'll be like hmm well I know maybe what this is easy but Google like how do you scan for log4j which is a fourth level dependency in a composite file how do you know that that's on Google so here's a composite file for a client that we manage everything looks alright except the problem is with this not a sling module anyone has any idea why? 
perfect strict version we keep updating everything but the fastly module is going to be 3.4 and when in one year later when they hire someone else to manage it when the project is finished they got someone else to do it for you when that module becomes vulnerable who will tell them that this is the one that can bring a whole new system down you need to scan it for that and the scary one is that if the fastly module that's strict then we lock the 3.14 so see if it's like this that means that it's at least two but whatever the latest merchants went up there but that usually sticks at 3.14 all the time and that's a really big problem but a lot of people just ignore it but the fastly might be relying on a vulnerable component so that needs to also be checked and scanned and the government wants to do it daily and so we have to develop quite a lot of tools to do that side guarding is a really good tool that does any PHP but it's a paid thing but it's really cheap it's 10 euros a month per site Ukrainian company same as audit.io started by a friend also does the same thing firewall is really interesting there's two types the way I see it the one that works on instance and the one that works at CDN level CDN level is really clever this is a cloud player actually gives that to everyone there's also fastly and Akamai AWS and WIF and so many others but this is a really good one because it recognizes that it scans the deep packet signatures of the attacks for injection payload and then it's going to use AI to determine whether a request in real time might be a malicious request and it's going to destroy it without even touching your site and it's actually free you can proxy your site for that as a source to get them so it maintains a real time machine learning, the database and signature based heuristics so that's what we talked about the heuristic logic so there's a signature of how something gets exploited, what kind of payload is being sent and that's how it will block it 
even before it hits your site so if you're proxying your DNS if you have a lot of hydro IP if you then do an HTTP malformed HTTP request or injection signature that matches the logic that they know it's going to destroy it before when it hits your site it's really vulnerable and you're not going to get affected unless you're exposing your IP address then just hit the IP in as well Cloudflare, if anyone wants this is Cloudflare dashboard you can put it under attack mode Chantry Pt is using Cloudflare at the moment because too many people, too many bots are trying to scrape it so it's really good it's really free, it gives you lots of dashboards to understand where your attack is coming from also use this really effectively to block every country in Australia for the clients because they keep getting spam and it works effectively we'll see if I have time for a more core execution in a second, we've talked about heuristic logic scans we've talked about antivirus solutions antivirus solutions it's a little bit too late when you're trying to have an antivirus because it's already been injected, already been infected but yeah, there are solutions and for example so this kit has got to be really good it's a composite dependency security checker it can be run as part of the CACD and what it will do is every time you generate your composite log file it's going to scan it and tell you, hey, log page is there and it's not fetched and there's people that let you push the code something like that but that's a manual thing there's a lot of things that are out there so that's a great opportunity to enter the market at the moment because the government needs it however and no one's done it I've been trying to see if there's an all out-of-the-box solution that doesn't exist so we have to experiment, we have to do these things hosting is interesting, right? 
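As an added example (not from the talk), here is a small Python checker for the two dependency problems described above: exact-version pins in composer.json like the Fastly module locked at 3.14, and locked packages (including transitive ones) that fall in a vulnerable range, the kind of check that would run in CI every time composer.lock changes. The composer.json, composer.lock and advisory list are constructed for illustration, and the advisory range syntax (`<`, `>=`, comma-separated clauses) is an assumption rather than any real feed's format.

```python
"""Added example, not from the talk: flag exact-version pins in composer.json
and check every locked package in composer.lock against an advisory list.
All inputs below are constructed; advisory IDs are placeholders."""
import json
import re
import sys
from typing import Dict, List, Tuple

# Constructed composer.json: drupal/fastly is pinned to one exact version,
# which is the pattern the talk warns about (it never gets updated).
COMPOSER_JSON = """{
  "require": {
    "drupal/core-recommended": "^10.2",
    "drupal/fastly": "3.14.0",
    "drupal/webform": "~6.2.0"
  }
}"""

# Constructed composer.lock: note the transitive package that is not in
# composer.json at all, so only a lock-file scan would ever see it.
COMPOSER_LOCK = """{
  "packages": [
    {"name": "drupal/core-recommended", "version": "10.2.4"},
    {"name": "drupal/fastly", "version": "3.14.0"},
    {"name": "example/transitive-lib", "version": "1.0.3"}
  ]
}"""

# Constructed advisory feed: package -> [(vulnerable range, placeholder id)].
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "drupal/fastly": [("<3.15.0", "EXAMPLE-ADV-001")],
    "example/transitive-lib": [(">=1.0.0,<1.0.4", "EXAMPLE-ADV-002")],
}

# An exact pin is digits and dots only: no ^, ~, *, ranges or OR (||).
EXACT_PIN = re.compile(r"^v?\d+(\.\d+)*$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.14.0' (or 'v3.14.0') into (3, 14, 0) so tuples compare correctly."""
    return tuple(int(part) for part in version.lstrip("v").split("."))


def version_matches(version: str, constraint: str) -> bool:
    """True if version satisfies every comma-separated <, <=, >, >=, == clause."""
    v = parse_version(version)
    for clause in constraint.split(","):
        m = re.match(r"^(<=|>=|==|<|>)(.+)$", clause.strip())
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        ok = {"<": v < bound, "<=": v <= bound, ">": v > bound,
              ">=": v >= bound, "==": v == bound}[op]
        if not ok:
            return False
    return True


def find_exact_pins(composer_json: str) -> List[Tuple[str, str]]:
    """Report require entries locked to one exact version."""
    data = json.loads(composer_json)
    pins = []
    for section in ("require", "require-dev"):
        for name, constraint in data.get(section, {}).items():
            if EXACT_PIN.match(constraint.strip()):
                pins.append((name, constraint))
    return pins


def find_vulnerable(composer_lock: str,
                    advisories: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str, str]]:
    """Check every locked package, direct or transitive, against the advisories."""
    data = json.loads(composer_lock)
    hits = []
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        for vuln_range, advisory_id in advisories.get(pkg["name"], []):
            if version_matches(pkg["version"], vuln_range):
                hits.append((pkg["name"], pkg["version"], advisory_id))
    return hits


if __name__ == "__main__":
    pins = find_exact_pins(COMPOSER_JSON)
    hits = find_vulnerable(COMPOSER_LOCK, ADVISORIES)
    for name, constraint in pins:
        print(f"WARN exact pin: {name} {constraint}")
    for name, version, adv in hits:
        print(f"FAIL vulnerable: {name} {version} ({adv})")
    sys.exit(1 if hits else 0)  # non-zero exit fails the CI job
```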
Because Drupal's open source it can be hosted everywhere. Platforms such as Acquia or Pantheon are essentially safe because they're doing their own scanning, patching, and they're using Cloudflare, Fastly CDN, kind of like in Israel there's this dome, the dome, right? So the rocket is flying and the defence, yeah, it just explodes the missile before it hits the land. But if you don't have the CDN, you're on your own, you have to do that. So hosting, because you have to do all this yourself, and it will report. Tenable, anyone had a Tenable before? It's really great. Tenable, that's the Tenable website, the proprietary thing. It allows an agent, it can basically give you a Linux agent that you self-host on your VMs and it will report and do scanning, but it will not send it online if you don't want it to. So that's compliant with a lot of the Essential Eight. A lot of the antivirus solutions that are out there, because they are leveraging cloud scanning, you have to kind of send your vulnerabilities out in the middle of nowhere to be scanned and then get a report, and that's a level of responsibility that governments don't like to take. This Tenable provides your Linux distro, you run it on your host and then it's going to tell you everything that's wrong. So this business here, I don't know if anyone heard of it, really popular, is actually just a piggybacking of Tenable agents that are sitting there and it's just using, you know, APIing in and giving you vulnerability with this. So that's so good.

Recap. No one's seen the red screen of death before? Seriously? Yeah, no one's saw it. But I managed... but I was saying it before, I've been brought into this so closely. Yeah, gone. Yeah, it's nice because when I started I had my own business and I was doing small websites in Drupal, Joomla, and I hosted them on shared hosts. When I started I thought everything was going great, I just started getting hacked really badly. Drupal in itself is extremely secure, and I normally work with the modules because it has a lot of issues. Alright, that's my presentation. That's the way, if you have any questions I'll try to answer as much as I can.

I have less of a question, more just an experience that I'd like to share. Last year we did a processing of the way the antivirus provides for our customers from abroad, on the one side. Can you mention that once you're familiar with antivirus? I wanted to say that I think that's still really... I wouldn't suggest that people walk away from it. It's the antivirus, it's something you are infected, something's got inside, and what we found was that you can't have a strong antivirus, we can do that every hour of the day, but with CrowdStrike you can constantly scan it. It's a surprise for us, but the other thing, if you watch what we could say there's somebody that's affected and who could wait on the work, so if not just see the virus, or if there's a user who's malicious or not, trying to see what might be going on, that can stop something from happening before everything's good.

That's right, and it is a requirement, the Essential Eight, the government requires you to do antivirus. And I guess like for me when I was a small business owner the thing was Google takes 3-4 days to pick it up, antivirus takes 24 hours, so it's better that I find it. Oh yeah, yeah, let's have a look. He'll answer all the questions, but I didn't see, I'm so sorry. Is there an argument for compile static HTML? What sites? One second, compile static. He wants to know, is there an argument for using static site generators, converting the Drupal sites to... Yeah, that's great. So Drupal is vulnerable because of the database and PHP. If it's static, you can't hack a JPEG image. You can't hack a JPEG image on an S3 bucket, well, you can try but it will be impossible, almost. You can scrape your Drupal site, this is actually a really good strategy, scrape the site, once it's done you don't have to... make sure the contact form obviously won't be able to post to a PHP, because it's scraped, so it has to post to some API. And as long as all you do is just do that, then you can stick that into an S3 bucket, add an SSL certificate to get secure, scalable. You don't have to worry about hosting, you only pay as much as you need because it's an S3 bucket and it's a static site. So yeah, absolutely.

The scary thing about scanning is, because it's like injection through, most likely, like an API, webform API, REST API, or if there's a contact form on your site, if they just put a single injection inside the contact form field, they submit the form and it drops your database or dumps it. So if there's no database you can't really change, you can't really edit a static site, which is really good news. So that's a great question and that's like an ultimate solution for security, but static site, that's what Brest just said, if there's only, no such thing as content updates. Well the question is still there, there are things you can do, you can use like the Tome module for instance, like that's just a simple module, but just static, just makes a site static. Yeah, if you don't have a contact form it's really good, because anytime you make a content update you just set the Tome and you can file and you just make the dist directory your read directory. Yeah, or you could RDP into a protected VM where Drupal lives, do your content updates, you have like RDP accounts for everyone who needs to do an update with SSO, and then once you finish your CI/CD pipeline will scrape it and just commit it as HTML, static. Easy, no? Super solution. Someone says that they had a static Drupal site but it still got hacked via the Linux kernel. Oh well, if the hacker really wants to get to his site... What were you doing? Sorry, sorry, do you want to speak? I'll try to turn my sound up. Do you want to speak? I would like to say there was a static website on Drupal 6 I made but it was hacked because the hacker got paid very good. So if the hacker gets paid very well there is no solution. If you're desperate and you offered a lot of money you'll find a way.

Yeah, I mean, and then when I look back at it, there's still the root credentials and IAM credentials and native CLI, and people install that in their terminal and then they, you know, don't touch the Mac, and then boom, someone from Microsoft support or TeamViewer logs in to help you out, and then boom, on your Mac, and that's how Uber got hacked, right? Yeah, IAM credentials, yes. Sorry, yeah, so that's why. I just have a question, what are you saying, there's a... that's, you know, something... Yeah, to reduce it. To reduce it you can say like you can decouple the database, but I guess the logic behind the attack is like this: here I have a PHP file, right? PHP file will load something from the database. If PHP, like, see how that file is injected right in the very beginning, just a minute. So how did that happen? Doesn't matter if it's like a Postgres or MySQL or RDS, because they injected the database, because some query here, like that input, right, like what we talked about, the code thing. If it's not sanitized properly, they will inject it, so it doesn't matter what database you use. The only way to stop hacking is to make it non... you make it sanitized and remove the database. If there's a programming language behind the scenes that generates dynamic content, you're gone unless you protect it. But I think like you can stop PHP files being written using Linux tools, like what we talked about: you commit to prod, even if I try to, even SSH to prod, I can't edit the file using vi or anything like that, so read only. But anything with the database is hackable. But then imagine you just have an image, you just have a photo on the link, like you can't hack it. So I know, I know you can't, but you know, that's the purpose. That's right, there we go. So many great... It's just really complicated at once. I'll make the birds, Alex can't do it. So what do you think that is difficult? It will start to really require... Yeah, yeah, you have to read it, it's too complicated.

When I got an email from the government it was like this: make sure it's patched, make sure it's scanned and we know when something goes wrong, make sure it's up to date, anything critical has to be up to date the same day, everything non-critical has to be up to date within two weeks. And then they wanted, and so, and then of course they wanted to have like a logging system: someone tries to guess the password three times from the same IP address, it goes into the log and then that gets analyzed. The way my understanding is this Essential Eight works is you have multiple maturity models, one, two, three, four, five, whatever, and you need to get to at least maturity model one which is like the most, at least to do something, and then once you complete that you move to the next and next and next maturity model and it gets really... I think that is your... the slide you brought was sort of complex and multifactorial, that's probably the best you can do. It's certainly the best you can do, so we get probably enough questions, and of course it helps me come to a number of tips on top of this. If you're maintainable in your families, so it's for them their problem, but it's an actual workforce, but these are the ones that we know are more consumable on our project, we need to help with that, we need to talk about the other ones, you know, the real process is using the first time, this is if you do that I think you would be level one and then the next maturity model you can stand up at the project. But I would just emphasize, even if you don't need to, you've got a group aside, help this, don't go to the next class, there's a lot going on. So yeah, I mean, I've learned a lot about hacking through, really, hard, you know, because there were tens and tens of sites that were injected non-stop. So enterprise, it's much less likely to occur, but if you work in small business and they don't really go for big platforms, it's much harder. So yeah, I mean, yeah, in here, OK.

Regarding hack via JPEG, Bexad says injecting malicious code into the pixels of a photo is about hacking and transferring secret messages. It's like, yes, voice thoughts. Yeah, there's a lot of funny stories, like I'd love to tell you all, it's just I don't have enough time. But so obviously there's something you can say more, is there something in your room that stands out that people are proud of, you want to... Yeah, you're exactly right. How many Drupal projects are you running? Please lift your hand up if you are up to date today on all your modules, all of them, projects that I'm managing currently? Yes. What are you on? What are you on? But we're talking about like TinyMCE, like this version, all the non... Why? They're probably not, but I suspect that's from... Yes, yeah, the miracle, yeah. I mean, we still, OK, so one of the things with multi-factor, as I see all the time, the government has to go through a crazy process to give you some access, and that some access will stop working if you haven't logged in for the last three days or two days or one day, and then they're like, "Hey, can you build a backdoor? Can you just build a query string, and then if I pass an argument through a query string we just go to Drupal login instead of the SAML, just to make it easier, just while we're working on it." So a little SAML kind of ease. Well yes, because you are managing it using Azure B2C or Active Directory or LDAP, right? So you are offsetting the, you're outsourcing the authentication to the managed provider. So injection, that this is just for access. So if someone stole your password they can edit the article. If it's injection it doesn't work, they just, if there's a contact form on your form they just inject it and see you later. Yeah, all the VMs that I want to use before. No, I mean that's because I'm not a visitor, like I'm from a way with data, I've worked with Drupal, for people used to work with Drupal, but the SSO or SAML modules, in Moscow some of them aren't part of the protocol, and if they're not part of the protocol it's beautiful, so you can use those and you can do that, you can get something and you can do that and it's beautiful.

And then with that beautiful Azure, Uber got hacked with that. Yeah, because they just went, the attacker stole the person's password through a link, then he went authenticate, authenticate, authenticate, the guy started getting multiple messages to authenticate the request, you know, authenticator, then he just got an email from a support saying, "Please, can you approve it? We're just testing it," and he clicked it. So that's it. Yeah, yeah, you know, we would say I have to recommend the web and the project was not very good. Yeah, you know what I mean, use Platform, free, you don't get the right for this one, the one with the right is still $20, right, something like that. Come on, 75 firm up for the main, if you can afford that, maybe AWS. Yeah, yeah. I think as you see it should be, yeah. No, no, you want to hear the... Yes, this will be on YouTube next week or two. I know we haven't done any SlideShare, some YouTube, they'll be visible, depends if you want some of the content to be... There's nothing too scary in the code, it's all on GitHub, I open-sourced the exploit. If you use the right, you're there in your server, you just can't click to... Yeah, you actually can run shell commands as root through Python by modifying HTTP requests. I think that, um, yeah. All right, thank you so much. All right, it's OK, it's OK. All right, thank you. Thank you again, Dan and Brie. I can say for composing I wanted to go through