All right, we're going to go ahead and get started. Hopefully we can leave some time for some good questions, because I'm sure after recent events there might be a few. So first off, my name is Chris Teitzel; I'm the CEO of Lockr. And I'm Luke Probasco; I work the Drupal side of business over at Townsend Security. And I'm David Strauss; I'm CTO and co-founder at Pantheon. So we're just going to jump right in here and talk about common security myths. And surprise, there's not just five, that is the first myth; you know, the other myths you can read up there. But, you know, we always like to say there really is no silver bullet to security, and we'll talk about that a little bit more in the next slide. But one of the things that I like to also talk about is that we often hear that a website hosting platform handles all the security for you, which they do, a really good job of handling the security for the infrastructure, but what you do and what you build, that's still sort of up to you. And another myth that we often hear too is that all the security that I need to be concerned about is taken care of in Drupal core. I actually heard that at this conference, so I thought, wow, this is pretty important; there's still some misinformation about that. Another one, though, that we hear is, oh, I'm just too small.
I maybe just have a brochure site. Which, you'd be surprised at what kind of information may be collected by marketers on a small brochure site, and actually smaller sites are a bigger target, because hackers know that smaller sites might not have the strong security measures in place. And actually, recently Symantec did a study that three out of five cyber attacks target small and mid-sized companies, and further, small sites can be especially vulnerable to automated attacks. And, you know, smaller sites think that maybe they don't have anything to offer a hacker, which really isn't true. You have a computer and power and visitors, and that is of value to hackers: a place where people can publish phishing pages, a place where people can send out spam, just coin-mining JavaScript, all sorts of good stuff. Oh, yeah. So when we look at security we need to look at it in layers, all the way from the device up to the people and the policies and the procedures that are being run in the environment. To think that you can solve your security problem with any one of these layers being super, super solid is just a fallacy, and it's going to get you in a lot of trouble. Most hacks actually occur at the very top of this: the policies, the procedures, the awareness. The people, the human aspect, is the greatest vulnerability to security that we have. This has been recently updated, which is awesome. This is the 2017 edition, which came out at the end of 2017. But this is the OWASP Top 10, if you want to look at, where do I start? What are the table stakes that I need to be looking out for?
These are them. We won't go through them in great detail, because we have a lot of content to get to, but if you go to OWASP, they actually have a GitHub page where they have the PDF and a full explanation of every single one of these attacks, how they occur, how to protect yourself against them, and how to learn more about them. So I highly recommend that you go there. One of the ways that we like to consider security is in this CIA triad, and despite the CIA name, it doesn't have anything to do with the government agency. It simply stands for confidentiality, integrity and availability. Now, the first two people readily associate with security: confidentiality being things like avoiding information disclosures, keeping private information private, protecting PII. Integrity is around the idea that if you download updates for your laptop, you want to make sure that no one has nefariously injected an app update on the network and modified what software you're going to be installing. That's integrity, because integrity is often an important concept when the information itself is not private, but it needs to be authentic. But the third one is what a lot of people miss, which is availability. If your site isn't functional, or people can't get their job done, or otherwise something is standing in the way of achieving the business value of a process, then all the security you could possibly be assigning to it may not be that valuable, because an e-commerce store that, you know, knocks itself offline because of some security measure that they put in place might be great at protecting credit cards, but it's not great at getting any... So it's important to balance all these concerns; none of these three is particularly more important than the other. So one of the things that I've been talking about for a few years now is how much HTTPS matters for sites. How many people in here are running their sites on HTTPS today? It's getting better and better.
We're starting to get to like 90% plus. For any remaining sites that are still using HTTP, or maybe you have a mixed environment with some HTTP, it's undermining the security, ranking and functionality of your site. Yeah, just to add further, marketers... maybe you just mentioned this, but with HTTPS you rank higher in Google, so it is, you know, not just important for security; your marketing teams will thank you. You also get access to HTTP/2, which is locked behind HTTPS in most browsers, even though it's not an intrinsic part of the spec. Most browsers like to treat HTTPS as a carrot, where you get additional features you can use on websites by using HTTPS. And the advantage of using something like HTTP/2 is that you can sometimes get better performance, depending on how you set up the site. So it's not even just necessarily a performance burden to get higher ranking; it also unlocks some capabilities that might allow you to get better performance than you otherwise would. However, it's important to deploy it properly. Google cares quite a bit about how long it takes to actually get the time to first byte on a piece of content, and also it's how things kick off the race of loading a site. And this gets more into that sort of availability heuristic, in the sense that you have to have the information be available; it has to be accessible in a way that's compelling to your audiences, and security that you layer on that undermines the actual functionality of the website, or the performance of the website, which directly bears on its functionality, isn't always a good move. So it's important to do HTTPS, but it's also important to do it right.
I don't want to go into too many details, but we'll touch on a few of the deployment concerns around it. One of the things that you need to think about is around... and we should probably skip through a few of these, not like quickly, but because I don't want to dwell on this too much, because I've covered it in some other talks too. But basically, browsers are talking to servers; they're negotiating this connection. By putting servers close to the users, it allows you to negotiate that connection faster. It's like going to a neighborhood store versus going all the way downtown, or going across the state. But one of the big benefits of this in your deployments of sites is not just in terms of conversion rates and load times, but also there are competing factors with HTTPS in terms of how you deploy it versus mitigating your exposure to things like denial of service attacks. So all of these considerations of... let's see, just a lot more than I remember in here. So I'm happy to go through them, but I'm just worried about burning too much time. Yeah, let's skip that and let's do this. Okay.
This is what I really wanted to talk about, because when you're deploying HTTPS, one of the things that people often do, since it's easiest in many cases, is to just deploy a certificate to a single server. You get your HTTPS, you get your Google ranking boost for it, but there's a competing concern around availability and integrity and confidentiality when you're deploying a system like this, because if you deploy it as a single point of failure and you concentrate your security on one endpoint that happens to host your HTTPS, you also make yourself vulnerable to denial of service attacks, which have grown massively in the last couple of years. There we go. In fact, the largest one to ever have occurred occurred in the last two months, and it occurred at a rate of, what was it, one point four terabits? Yeah, 1.4 terabits per second. And there's no real single server that can just handle that kind of traffic. So it's important to balance these concerns, and what I usually recommend is deploying HTTPS to a CDN. You can get it free from Cloudflare; almost every other credible CDN has an option for you to deploy certificates, even if it costs a little bit. And that ensures that you're actually balancing these concerns: that you're not undermining the performance of the site, you're not undermining your resilience to denial of service attacks, and you're delivering good confidentiality and integrity of the pages to the people who are visiting the site. So, when things go sideways. This is something I like to talk about with folks, and you really need to be able to prepare for this, because what you want to have is monitoring and alerts. You want to have team code reviews. You want to have processes in place that will catch an issue before it goes out, because we're all human; we're all going to make bugs in our code. If anyone thinks that they don't write buggy code, I'd love to talk to you and hire you, because I do, everyone on my team does. So it's more monitoring and alerts.
How can we find that and fix it before it becomes an issue, or before it becomes exploited? But when it does, and I've had to deal with this with clients, I've had to deal with this in a number of ways, I always go back to the three Bs. First thing is backup. And this is because you want to do a postmortem afterwards. You want to be able to go back and say, what happened? Why? And fix that, whatever that was, in order to make sure that it doesn't happen again. So backup, even the infected code: back it up, isolate it, push it away. Second thing is breathe. This is the thing that most people forget to do. They start panicking and freaking out like the whole room's on fire. You'll make more mistakes in split-second and crunch-time decisions than you would if you were to just let it sit out there for maybe five, ten minutes and gather yourself, figure out what's going on, and then deploy your procedures. You may actually amplify the attack, or amplify the exploit, by just yourself trying to react to it. And then the third one is build. And build again and again and again and again with your team; have that postmortem. One of the most powerful postmortems I've ever seen is, how many people remember, it was about two years ago when S3 went down and pretty much the entire web just started freaking out. That was all because a single developer fat-fingered a command which was supposed to clear out a couple of buckets in S3. He ended up clearing out all the buckets on the East Coast. And Amazon came out and said that issue wasn't his fault; it was ours for letting him be able to do that. And I thought that was a really, really powerful postmortem of not blaming, not pointing the finger and saying, how dare you run that command, you shouldn't have done that. They looked at it internally and said, why did we even give him that power to delete all of S3? Right? And then, oh, why did we put so many of our systems on there without redundancies, right?
So it's that type of postmortem that you need to look at when something like this happens. It exposes the flaws, but it allows you to fix them and make it better. And that's what's important. Go on, go on. Which to highlight is the most recent issue, which we had a few weeks ago. First off, this is Jasper. Buy this guy the drink of his choice if you see him. Jasper, are you in here by chance? I don't know if he's here. One of the awesome things is that Jasper is part of the community, and this was found as part of sponsored security reviews; his employer actually sponsored his time to review core and find bugs. And I think that's an amazing testament to what our community does, and the community of companies that we have around. In case anyone's not familiar with the vulnerability: what happened is that Drupal's render array has a code execution vulnerability, as you might be able to tell from the patch, related to some of the pound sign stuff. And so Drupal core has implemented filtering around some of the potentially dangerous parameters that could be injected. And so core, as David mentioned, now has a general sanitizing function. One of the interesting things about this is that rather than specifically fixing the one exploit, which almost highlights that exploit and allows people to build on it faster, this patch was actually a more general one, and the release and the notes around the release were more general. And I attribute the lack of immediate exploits and further exploits to kind of the vagueness that's around this, and that, you know, once everyone's patched and once we're confident in that as a community, then it's okay to go talk about what went wrong and why. But in the meantime, the vagueness of "we weren't sanitizing things, now we're going to sanitize things better", I think that's good, and that helped prevent the automated exploits that we saw back in 2014 with the SQL injection. Also, patch your sites: our statistics show that only about 40% of Drupal 8 sites have been patched so far. So one of the awesome things was to watch how many people were on Twitter, Slack, wherever, on patch day. It was actually really fun. Like, there was pizza, there was beer, there were donuts, depending on what time zone you were in. Everyone was posting memes and videos, and we all had a lot of fun with it. And then once the patch released, and we were all DDoSing the server trying to get that patch, once that was mitigated, everyone that was online patched, and it was awesome to watch the whole world kind of roll that out. And then David can talk to it, but a lot of the platforms were able to mitigate instantly against exploits. So if you're on a hosting provider that is focused on Drupal and has a background in Drupal, or folks that are on the Drupal security team, they were able to get in and patch at a platform-wide level to give you that time to go and patch. So you were protected, and these measures buy time. They're not designed to supplant patching, but it does allow us to collect interesting statistics. I was basically constantly looking at the stats around what traffic was coming in matching the filters that we had put in place, and we actually saw some old exploits match the filters, not a whole lot of legitimate traffic. But we hadn't, at least as of days into the release, seen anything that looked like a credible attempt to exploit SA-002. And I think that it goes back to the vagueness and the communication from the security team in releasing the PSA, making sure everyone was aware and that everyone was patching right away. A lot of the time hackers and script kiddies and whoever, they're looking for the easiest door to knock on. Also, I wanted to compare against what happened with SA-005, and was that 2014? I think, yeah. That was exploited actively within seven hours of the release of the security patch, right?
And so when a hacker is looking at going out and automating an attack, many times they're knocking on doors, knocking on doors, and if one opens then they'll keep on going through it. And I think the fact that a lot of the major platforms were doing platform-wide mitigation prevented some of that automated scripting from being able to occur so quickly. But one thing you have to think about, if you're not on a platform that's just hosting your Drupal site, is: where are you putting your site? And a lot of the time the marketing team will just say, hey, we're just going to throw this in there, and the IT team knows where their servers are, so they're just like, okay, we're going to dump it in here. And if your marketing or brochureware site is sitting next to the rest of your entire business, a small exploit in your marketing or brochureware site will now exploit everything else that's inside that environment. Yeah, and if you visit a site like WikiLeaks, for example, you can see all these dumps of emails on there, and almost all of them were captured as a result not of hacking the email system directly, but by getting a foothold through a more public presence like a website.
That's how the Panama Papers happened. That's how, I believe, some of the hacks on the Democrats happened, and it's definitely how some of the other attacks happened for some of the email dumps; probably at least four or five of the ones on there I've verified as coming through a path like that. So, excuse me, one good thing to look at is having authentication before application. If you are doing an intranet or something that's going to have private information on it, rather than exposing the website to the public and then having people log in, put your authentication in a layer one above the application. And that, a lot of the time, is SAML, or if you have some sort of, you know, open directory or some sort of a list inside your edu or enterprise. I always joke I have a forehead-sized dent in my desk from SAML. It's not easy to work with, but it is very powerful at being able to put that authentication layer one in front, and it also adds single sign-on capability. And there are some great modules for Drupal for that. Yeah, and there are some alternatives that are starting to be available as SaaS products now. Like, Google has their Identity-Aware Proxy, they call it, and that allows you to proxy stuff to the application only if someone has passed the authentication gateway. And I think Cloudflare has a product now along those lines as well, that allows you to basically wrap the app and not send a byte of traffic until it's verified as at least an authorized user of the system, even if their privileges may vary. And this speaks to the power of using social or enterprise logins. Drupal's login and password security is good. However, I always say these companies and products have more time and budget to spend on just solving the password and two-factor authentication problem than you probably have for your entire year on the website. So why are you trying to do something that they're already doing better?
And you may as well allow your users the flexibility and the ease of use. So Facebook, Google, Twitter, those all have, you know, social logins. One thing to highlight is 1Password did just release 1Password for Business, which allows your entire business to give out licenses on a per-user basis, and then it gives each user 1Password for their family as well. And I think that's really interesting, because not only is it promoting good password practices in the business, it's promoting good practices, excuse me, good password practices at home, which help reassure that folks are getting into that habit. They're not just doing it at work and then going home and using the same password 20 different times. And so definitely look at these, and if you're not using a password manager, do it. The best password is the one you don't know. So I just want to add one more thing on that. One other thing that is interesting about working with some of these social login vendors is, as a result of Facebook and Google being like the all-knowing Eye of Sauron in terms of where our devices are and all of our data, they actually have really good heuristics on when a device is not ours, when it doesn't look like it's in the right place at the right time, or that you did some interactive thing in Nashville and then another interactive thing in Germany within 10 minutes isn't plausible. So they know information like that, and they actually use it as part of their security, and your website will never have enough information to be able to provide some of the heuristic security measures that they have in place. Yeah, excellent point. And like I said earlier, it's the people, the policies, the procedures, the awareness that most often leads to the exploit. And so you want to be able to secure your team; you know, get good policy around sign-on and passwords. The one thing that I push for, for a lot of teams, is Keybase, keybase.io. It is like Slack but encrypted, and it also mixes in a little bit of Dropbox, where you can have an encrypted file share as well that's either private or via a team. And so this prevents the "hey, what's that password? Can you just Slack it to me?" Or, God forbid, your client sending you the root password to their server via an email, which I've had happen. And so I now just tell all my clients, before you send me anything, sign up for this, and then that's how we're going to communicate. And then, last but not least, it's just that security consciousness. You want to have constant reassurance that you are secure, that you want to stay secure, and that you're going to do these steps to be secure, and keep that top of mind, not just, oh crap, we're hacked, now let's go be secure and put on our security hats. And then just to start a follow-on to the comments on authentication: we haven't really gotten too deep on keys yet, which we will, but I thought that this was a pretty interesting quote: "Our review has shown that a threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another smaller service provider in the US. Through the AWS API, the actor created several instances of our infrastructure to do reconnaissance." So basically, what that is saying is: API keys, you have them all over your site if you integrate with third-party services; those should also be treated as sensitive information and protected. And let's see. And one of the things about this is that this breach is again getting your foot in the door and then expanding elsewhere. This was an over-provisioned AWS API key, and if you have an over-provisioned role inside of AWS, and you use that API key to do just, you know, your S3 storage on your website, and somebody gets that key, they can spin up, they can get all your encryption keys.
They can get into your databases. And in this instance, they were actually able to spin up EC2 instances inside their VPC that then allowed them to do reconnaissance on data inside. And so when they came out, they basically had to say, we don't know what was gone, but they had enough information, enough access, that we can assume that everything was gone. And just to follow up a little bit more on that: you know, we mentioned protecting API keys can prevent unauthorized access to web services, but, you know, developers need better control over private keys and API passwords. So, like, for example, what if a disgruntled offshore developer decided to send a mass email from you? You know, you have to have segmentation there. Also, BankInfoSecurity recently did an interesting article saying that McDonald's, the fine gourmet restaurant, has acknowledged that a leaky API exposed personal information for users of its McDelivery mobile app over in India, and the flaw exposed names, email addresses, phone numbers, home addresses and sometimes coordinates of these homes, as well as links to social media profiles. And this was also what we recently experienced with Panera. Panera's delivery app had an open API that wasn't authenticated. It wasn't behind any kind of wall or anything, and you could basically go to it and put in a user ID and get back a piece of information, and you could just iterate through that, because all the user IDs were sequential. And it allowed you to scrape all of their customer data: addresses, phone numbers, email addresses, all that. The one thing to point out there is that they were notified of it eight months prior to it being public, and they did nothing until about two days before it was made public. And even after it was made public, they still didn't do things fully right.
So if you do get a report from somebody, or an anonymous email saying, hey, you have an exploit in your site, take it very, very seriously. And one other thing: we've been talking a bit about API keys, but also encryption keys are really important. You can be encrypting data all day long, and if you aren't properly managing those keys, it's sort of like leaving the keys to your house underneath your welcome mat. There's a suite of modules; we can talk about them later. But, you know, the places that the modules want you to put them are things like your config file, and, you know, it's just really not secure. And further, and I thought this was pretty interesting, PCI, for people that are familiar with that, the Payment Card Industry, they just released some cloud computing guidelines, and it was published this month. And I thought it was particularly interesting, because they were describing services such as, like, I don't have to list those, but one of the things they said is that strong data-level encryption should be enforced on all sensitive or potentially sensitive data stored in the public cloud, and because a compromise of a provider could result in unauthorized access to multiple data stores, it is recommended that cryptographic keys used to encrypt and decrypt sensitive data be stored and managed independently from the cloud service where the data is located. So, you know, if you think about cloud service providers offering, you know, their key management as a service, you know, you really want to put all your eggs in that one basket? And one thing that I also like to say about the keys is that if your key is accessible under exactly the same terms as the data that it encrypts and decrypts, that is security through obscurity, because you're just creating one extra step toward actually getting access to that data, and that extra step doesn't involve compromising any additional systems. Right.
So I've often seen modules, especially in Drupal 7, and I've seen it in WordPress and elsewhere, where they will store an encryption key in the variable table or the options table, like "encryption_key = value", and that's in the exact same database that the encrypted data is in. That does nothing, absolutely nothing, and it's super easy to find. And then you have to think about: what are you going to be encrypting, and how are you going to be encrypting it? Luckily, over the last couple of years, we've had a really good team working together to update a whole swath of encryption modules. So now it should not be an option of, or a question of, you know, should we do encryption or should we not? I don't know, it's too difficult. There really is a locked set of modules around encryption now that should make it so that, if you are having to store sensitive information, which, if you don't have to, don't, but if you do, you should have the tools at your disposal now. And further, I just wanted to dive a little bit deeper into this, because a lot of times people say, well, I don't take credit cards or social security numbers, so I really don't have anything that needs to be encrypted. And that's really not the case. You need to be asking your clients the right questions and provide them with the security that they're expecting. And some of the things that they might not think are considered personally identifiable information are things like your full name, or, you know, your digital identity, your date of birth. A lot of times these are IP addresses.
These are things that, like, your marketing software collects, or, you know, if you say, give us your email address and we'll give you a white paper, your marketing teams do this all the time, that information actually is considered PII. And one extra thing about this is, you know, we're a community; projects get passed from shop to shop. You'll end up inheriting websites from other shops. Don't just trust that the other developers know what this personal information is and that it's being protected. I can speak from experience: about a week ago we found a directory inside the files directory that contained a whole bunch of passport numbers, that was publicly accessible, because the previous developer migrated it from a WordPress site and forgot to take that back out of the files directory. So you will get left those little Easter eggs, and make sure that you're looking for fields that have these names, or others that kind of set off some spider sense and say, maybe we should be doing more. Sorry, one more thing on that. Also, if you allow image uploads by public users of a site, there are now ways to automatically redact PII on things like images using services like some of Google's machine learning tools. They actually have a pre-built machine learning system that, basically, you plug in images and it will just blur out PII like credit card numbers, check account, banking account numbers, probably passport numbers, things like that. And I know that sites that allow users to upload images, especially if they get published publicly, are often at risk of distributing PII inadvertently. And, you know, we're not really going to spend a whole lot of time on compliance, but I did really want to talk about GDPR just for a second, since a lot of people are buzzing about it. Shrop actually did a really great session, I think yesterday or two days ago, on it.
So you should look for that on the recordings if it's interesting to you. But a couple of things worth noting: under GDPR, which is the EU GDPR, or General Data Protection Regulation, it says that security requirements apply to both data controllers, so those of us who accept information with permission, as well as data processors, such as a cloud service provider or other infrastructure-as-a-service offering. And additionally, if data flows through your systems, you are considered a data processor, even if you don't use it. And one of the other things that I thought was pretty interesting is Article 17, the right of erasure, also known as the right to be forgotten. So that's basically saying that someone can say, I don't want you to have my information, and that can present a lot of challenges if you think about it. But one cool way, going back to the keys: what if you were able to assign each person their own encryption key? And then when they say, oh, I don't want my information anymore, just delete the key. And in the cryptographic world that's referred to as cryptographic zeroization, and it's an effective way to do that, and it's also covered by standards. And currently, Chris, I think there's a module being worked on to do that. Yeah, so the GDPR module: my team is actually working to extend that to have a method that will allow you to do a key per user, and then one key per site that wraps it, and then does a rolling every time that somebody requests to be forgotten. One interesting part about this is that the right to be forgotten becomes very, very difficult in our massively backed-up world, right? So we have all these backups that are sitting on locals, that are sitting on, you know, cold storage, and some of them are hot backups. How do you effectively erase somebody from everywhere in existence?
And the answer to that is you cryptographically zero them out. It's the exact same method that Apple uses to remote wipe your phone: they're not actually wiping the data, they're just wiping the key that's used to decrypt the data that's on your phone.

Yep. One additional note on GDPR: when someone requests that their data gets deleted, there's a 60-day window to actually delete the data. So you can also make systems intrinsically compliant if you ensure that things like logging systems never retain data for more than 60 days. There are also some exceptions in the standard for if another standard or regulation requires that you retain something for longer; you can sometimes make exceptions to GDPR. It is designed to mesh with other standards, not to just have to stand on its own.

Correct. And also, actually, before we move on, one thing that I don't think we said yet: if you're not super familiar with GDPR and you hear us talking about the EU, it actually covers... if you're collecting information of anyone in the EU, you don't have to actually reside in the EU, you don't have to have a business presence inside the EU or the UK, in order for it to apply to you. If you are touching the data of any citizen that is covered by the GDPR, then you're needing to keep yourself to the regulations.

Yeah, but again, Shrop did a great session and I highly recommend checking that out if you want to learn more. And we've been talking a bit about encryption, so we'll just kind of cover this quickly, but there is no native way to encrypt data in Drupal. However, there is a great suite of modules: Encrypt, Key, Field Encryption and File Encryption. There are a lot of them. Feel free to come talk to us afterwards; you guys have worked a bunch on it, we've sponsored a bunch on it. But a couple of things worth noting when you think about encryption: NIST, the National Institute of Standards and Technology, validated AES encryption means that you're provably encrypting data correctly, which is very important for compliance. I saw a stat somewhere that like half of the encryption implementations that go to NIST get turned around because they're not done correctly, so it is important to consider that. Also, we talked about this briefly, but it's worth mentioning again: hackers don't break encryption, they find the keys. That's why it's really important to separate the encryption keys from the data that they protect. And finally, with keys, make sure you're storing them and managing them separately. The hackers find the keys, and for those who need to meet compliance, encryption and key management are very important.

I'd also like to give a shout-out to libsodium being now in PHP core. That is an excellent suite of cryptographic functions and utilities that mostly keep you on the rails to do things correctly and don't let you make too many dangerous decisions.

These are a couple of... they should be no-brainers, but I just wanted to mention them as well here towards the end.
We'll kind of cruise through these and get to questions. Make sure you keep up to date. Like we had recently: if you're not patched yet, go patch now. Literally stop, walk out and go patch, because it is something that you need to do right now. The nice thing about some of these continuous delivery systems that are being integrated into some of the hosting platforms, or that you're able to bake on your own, is that when a patch comes out like it did a few weeks ago, you can just push the patch into the continuous pipeline and it rolls itself out and all the tests are done. You know that everything's been properly rolled out. And so invest in that, because sometimes, not on this one, but sometimes exploits come out very quickly.

The other thing is, within the CMS, the core of the CMS: the core security team is top-notch and they keep core pretty safe, and they have an absolutely insane job of trying to keep contrib safe as well. And you know, in Drupal we have a good number of modules; in WordPress there's a ton of plugins out there. And most of the vulnerabilities that are seen are actually seen in the module layer, or in the contrib layer, not in core. When we talk about the severe ones, a high criticality comes across, you know, once every four years or so, where a high criticality in contrib happens every few weeks almost, it seems. And so be sure to choose your modules wisely, look through them, make sure that you're familiar with the people or the code, if you don't review it yourself, before you release it to live.

This one should just be a given: if you're not using Git already, do it. Don't cowboy code, where you just, I call it push and pray, you just SFTP into the server and say, "Oh, we'll do it live," and just push it out. It's just a horrible way to do things. And the nice thing about Git is that when you're talking about some sort of remote code execution, or if they have access to your file system and they start uploading their own files, you can use Git to see what they've uploaded. You can easily revert and you're off and running.

And so with that we'll open the floor to questions. They have requested that we use the microphone in the center of the room here if you have any questions. If you don't want to use a microphone, we'll echo back what we hear.

Oh yeah, and one last thing: part of why I skipped through some of the CDN slides is I provided a talk yesterday that's also available online that covers in depth all of the issues around integrating CDNs and HTTPS for your deployments. So I just wanted to let you know that if those did interest you, they are covered extensively and available online.

So I just have a general question about CDNs. My employer and I, we don't really leverage them, but a critical reason why we have not really liked it in the past is that we have a lot of information that at least needs to be protected at rest, not necessarily encrypted, but at least protected at rest. And it's never been clear to us if there is a way to do that. Do you know if there is a way to protect it at rest?

So, I know Fastly as a CDN has options built in on every plan level that you can enable that allow you to achieve HIPAA and PCI compliance on their infrastructure, by ensuring that the data never gets written in a persistent way at rest on their infrastructure. So it allows them to be in the middle without ever persisting it to disk. They will keep it in memory if you tell them to cache the content; of course, they won't cache it if you tell them not to. But there are pretty extensive options there, and there are other CDNs as well that will fit in with your compliance goals. And if anything, they should improve your opportunities for compliance, because things like PCI, for example, have ever-ratcheting requirements around HTTPS. Like, TLS 1.2 became a requirement recently. They have cryptographic algorithm requirements.
They have certificate signing requirements. And working with a CDN that is ratcheting its infrastructure up to keep up with that compliance burden will help you keep that at arm's length.

Okay, one other note on that: some CDNs, I know Cloudflare did this at one point, allow you to choose whether or not you want the connection back to your server to be authenticated or secured. Always choose that, because otherwise it defeats the purpose. It's easy to say, "Oh, the CDN is giving me an SSL cert and I get the shiny little green lock in the bar," but then the data is trafficking back to your server unencrypted. So make sure that the SSL follows all the way back to the server.

Of course. Thank you. Yep.

That's actually a good segue. Hello, my name is Steven Hughes. I'm from Texas. I worked in cyber security prior to joining the State of Texas, so I wanted to touch on a few points and kind of further the dialogue a little bit. One thing I've seen in the enterprise space (I work at a government agency) is that setting expectations isn't always done well. And with regards to encryption, I wanted to encourage others to maybe set these expectations for clients of mid-market and larger websites: end-to-end encryption is what we are seeking when you're dealing with load balancers and firewalls, because the word encryption is a little vague, and some people feel if they've got HTTPS in place, they're good, game over. But you can also do packet sniffing, and packet sniffing is something that is dangerous on the enterprise scale, especially with Amazon AWS. So I was curious, touching on that a little bit.
Do y'all have any advice or any sort of topical debate with regards to end-to-end encryption, and how those expectations could be set and understood by stakeholders? Because every time I've mentioned it to a client at enterprise scale, they're just shocked, like, "What do you mean we have to isolate servers? What do you mean we have to do these things?" And I have to instruct them like, yeah, it's expensive, but it's also more expensive not to do these things, right?

I think it's important also to define what is meant by end-to-end encryption, in the sense that there's encryption that is end-to-end in the sense that it encrypts on the first device, and no matter how many other devices it passes through, it only gets decrypted on the final device. That is one way that people conceive of that, but I think that's one of the less balanced approaches when it comes to web security, because you actually really want to have something like a CDN in the middle, or a firewall or a load balancer, as something that is decrypting and then re-encrypting the traffic, because you want it to be able to inspect things so that you can put in place things like WAF rules, so that you can block denial-of-service attacks based on their patterns. If you do true end-to-end encryption, in terms of all the way from the origin to the web server, you minimize your security toolset in other areas. So what I usually advocate is encryption every step of the way, and then occasionally that last step, especially if it's on a trusted network, may not be encrypted, and I think that's often okay, especially if that area is firewalled.

I would also like to add, encryption at rest is obviously important as well, but one thing that I think is often overlooked is: don't trust your users. You never really know what they're going to upload either. So, we've worked with people that say, "We have a comment section on the contact-us page," and crazy stuff gets uploaded there that you don't want to be responsible for.

Yeah, and there's two aspects to end-to-end encryption, or just encryption in general. A lot of folks think, "Oh, I'm trafficking PII, I have HTTPS, I'm okay." Wrong, because that just protects it in transit. You also have to protect it at rest, or wherever it goes. And so there are two very important aspects there. The green bar in the top just means that you're talking to the user; it doesn't mean that that data is actually being trafficked safely. And as a user, be aware of that as well: if somebody's asking you for private information, just because there's a green bar there, it doesn't mean that it's actually being stored at the other end properly. And so it's important to look at not only each step along the way for end-to-end encryption, but then also to think about what's happening with that data, which should be encrypted at the other end. And one thing that you can do that's even better than just encrypting it at rest is to not keep it at all, if you have that option.

Yeah. Thank you guys.

Hi, how are you doing? I'm Michael. I also come from Texas. My question is, it's kind of a general question about Drupal admin and production, right? And so there's this holy grail I've always been going towards, of like, you want a production instance where we can disable all the admin users, disable everything that has to do with changing the site in production, right? Turning off modules, turning off Roles UI, Views UI, Admin Menu, all this stuff, right? So that you can have all these contribs, but then if a security advisory comes out, you're looking at it, you can see it's critical, but it's only relevant if that's enabled in production, right?
So it gives you a buffer for mitigating the issue. And I thought we were really moving towards that, but increasingly I'm getting pushback where people are talking about like, "We're going to be editing in production again, we're going to be doing editorial work in production." And I know on a smaller scale probably almost everybody does some degree of editing in production, but I wanted to get your sense of the state of, like, how many people actually have no editing or configuration change in production? How common is that at this point?

So there's a really good module for that, Config Read-only. With Drupal 8's config management system, it will track obviously all the changes and it allows you to move those changes up in the environments. It allows you to also lock certain environments and say, "This environment is read-only," which means that modules can't be enabled or disabled. It means that anything that's stored in config cannot be changed, so somebody can't go in and change the email password.
They can't do all that. It doesn't lock down the content side of the house, though. But I would push back on that and say that the content could and should be updated in the live environment, because trying to synchronize databases between staging and all the way up becomes a very difficult thing to do, especially if you have users that are being created by the site. And it's all independent on a site-by-site basis. But if you lock down the config portion of it and you have some workflow moderation around the content, so the content can't just be created and pushed up, so that there are parties notified in the meantime, I think you can have that blend of securing the config and still allowing for editorial freedom on content. But it does require that all those content-editing admin modules are enabled in production in order to be correct.

And I agree with Chris that I think content editing in production is generally appropriate, especially for certain use cases. What I would recommend is, if you really, really want to lock this stuff down, one option is to go with more of a decoupled front end, and then you expose that decoupled front end so it's only able to access the APIs to actually do read-only content. You can basically set it up where it can only do GET requests for the Drupal REST APIs, and then you can make the Drupal instance itself protected by something like an identity-aware proxy or a SAML thing like that, so that you actually do lock down the editorial access behind a layer that is not Drupal. And then that combination of those two things, that this decoupled front end has read-only access to the CMS instance, and everyone who has direct access to the CMS has been authenticated through another layer, would allow you to establish a lot of the guarantees you want without literally locking down editorial production in live.

And I've worked on a few large-scale enterprise sites that have multiple layers. It's a decoupled site and it has multiple layers of caching as well, and that provides another great kind of firewall against somebody pushing content out, not necessarily in a nefarious way, but just content they shouldn't have, or something got published. It'll take an hour for that to actually reach out to the front-end decoupled app, and so you can kind of catch it in the meantime as well.

So, Jason again. I just wanted to share a different pattern that we've been using. We have the Acquia on-demand environments, and I know they're supposed to be kind of used for continuous delivery stuff, but they let you keep them up for a long time. So what we have been doing with that is we allow our content power users, basically, we call them site administrators; on these on-demand environments they also have admin privileges. They are protected by SAML, like they can't even see the environment unless they get through a SAML gate first, but then they get full admin rights and they can poke around as much as they want. And then, like, "Hey, I have it in this state," and then they come and talk to us about it and we will get it into Git and push it out into an upcoming release.

Yeah, there's a lot of... I think the config management in D8, and then what Dries was talking about in being able to have kind of this config management 2.0 that's going to be worked on, where each environment can be tracked separately, I think that's going to start allowing us to lock down the live environment more and more and more, and keep that config from being changed around.

Our biggest pain point is that for menus and taxonomies, configuration and content are not cleanly separated.

Right. Yeah.
Well, I guess I would push back a little bit on that, in the sense that I do think there's a clean separation.

I think there should be, but there's not.

No, what I mean is, I think Drupal imposes a clean separation, in the sense that some things are very clearly defined as config and some things are very clearly defined as content in the database, and that line may not be drawn where you want it drawn, in terms of what's considered to be on which side of the content line versus the config line. And I think that there have been some debates around, like, how much we should accommodate that gray area, in the sense of, should we be able to embed some content in the config management system, or stuff that is treated as content by Drupal's kind of own system.

Oh, my take on it is anything that gets exported to a YAML file is config.

Yes. Yeah, I don't think it's any more sophisticated than that. Yeah. Yeah.

Okay, thank you.

All right, we've got time for one more question and then we'll have to get out of here.

Lacey from UNC Charlotte, and I actually had two questions, if I may, real quick. You mentioned storing API keys, but what specifically do you do to secure those? Like, is being on the web server outside of the docroot enough, or another mechanism that encrypts them?

I don't want to turn this into a promotion, but my company actually does that. That's our product. So yeah, there are options out there, not just our product, but in general.
Yes, encryption for API keys, tokens, anything like that. The Key module in Drupal 8 we built purposely general and extensible, so that you can use other storage mechanisms wherever you want. There are now storage mechanisms for Amazon KMS and some of the Amazon services, which I would only recommend if you're actually in Amazon environments and you're able to use internal roles in order to authenticate to those. Otherwise, you're gonna have to use an API key to get to KMS, which then defeats the purpose of having KMS in the first place. But the Key module has a really cool feature that I think is under-publicized right now: it's a config override generator, and it will allow you to go into a series of drop-downs and you can look up every single piece of config and say, "I want that piece of config to be managed by Key now," and it'll create an override, an override entity, store that in your config, and then that allows Key to kind of hijack that line in the config to do whatever you want. And then from there you can store it in, you know, a docroot or outside the docroot. It's kind of the most convenient, but again, it's still in the same environment. Ideally you want to put it one layer out.

Okay. And then the second question is about the end-to-end encryption from the web server to an external database. You mentioned that if it was in the secure network, it should be okay. We have some people in our security group on campus that still want the database credentials to be encrypted. Like, what is your stance, like total database encryption?
Yeah, and how would that impact the performance of...

I mean, there's encryption at rest for the data on the database, and then there's encrypting the credentials that are used to access the database.

The credentials.

I mean, I would probably start... so at least for MySQL, for encrypting credentials, I would probably look at some of the X.509 auth stuff that they offer, because you can do things like have the X.509 certificate be encrypted and require a password to unlock, and then that is used to actually authenticate to the database server. But it then becomes a question of how does the CMS get the actual password to the cert, or a key to decrypt the cert, and if that is available under exactly the same circumstances as the certificate, then it's security through obscurity again. If you can actually isolate it more, or... some people who want to have a really paranoid setup have a thing where, like, literally when you boot up the system someone has to key it in and it gets stored in memory in an ephemeral way. That's one way to do it. You could use a key management system to be able to unlock that, but you could also just store the credentials to the database in the key management system, and you would have a similar effect of auditing the access to it. But I will say that there might be some performance issues around that.
I was gonna... that's exactly what I was going to highlight, is that encryption and decryption is now happening fairly quickly, but it still does add compute time to whatever you're doing. So if you're doing that on every database connection, you're just increasing the amount of compute that's actually necessary in order to bootstrap Drupal. But then also, if you are using an external key management system, by nature of it being external, it's going to add latency into the process. And so you want to have it in such a way where you're accessing that once per bootstrap, maybe twice per bootstrap at max, not a bunch of times, and even then ideally not every bootstrap, because a lot of those external systems like ours, they cost money, and that then racks up a giant bill that you don't want to pay.

But getting back briefly to, like, the security-through-obscurity question: the test that I like to apply to situations like that is I want at least one story of how the system could get compromised where the separation would actually allow that particular compromise to be less severe. And if there's no particular method of compromise that is mitigated, not mitigated in the sense of, like, figuring out what to do to finish the exploit, in terms of, "Oh, I need to decrypt, I have this key over here and need to decrypt this thing over here," when I have both of them. I'm looking for situations like, okay, if someone, say, got root on your web server, does this help with that compromise? If someone gets execution capability within Drupal, or on PHP, does that mitigate that compromise? I would be testing it against those things, because it's really easy to add additional layers of security that don't effectively contain their relevant attack paths. And that's really what I would be asking.

Okay, thank you.

Yeah, sure. And just a quick reminder,
we don't have the link up here, but rate the session. It's valuable for the people that schedule DrupalCon and the sessions, and we read it when we present again. Yeah. Thank you.

Thanks. Sorry to go over those other slides; I forgot that it was redundant with my other presentation.

No worries, and we always have more than enough content to fill the time.

Oh, I know. We did a pretty good job. The nice part about it is that they're just captured in the video capture, so people can look at them if they want to and we don't necessarily have to.

Okay. Yeah, I'm fine publishing them all. I just didn't want to dwell too much on the performance aspects. I think we had a great pace, I thought.

Yep, yep. Those are mine. Is this what you call... Yeah, there is no such thing. I
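The per-user key scheme the speakers describe near the start of this section (one data key per user, wrapped by one site key, with erasure done by deleting the user's key and then rolling the site key), as an added example written for this transcript. It is not code from the speakers, from the GDPR module, or from the Drupal Key/Encrypt modules. It uses libsodium, which the talk notes is in PHP core (since 7.2). The class and function names, and the in-memory arrays standing in for the database table and the key store, are assumptions for illustration only; in a real deployment the wrapped keys and the site key live outside the docroot, ideally in a KMS, as the talk recommends.

```php
<?php
// Added example (not the talk's or any module's code): per-user data keys (DEKs) wrapped by
// one site key (KEK). Honouring an Article 17 request = delete the user's wrapped DEK, then
// roll the KEK. $vault stands in for a key store outside the docroot, $records for a DB table.
// Requires ext/sodium (bundled with PHP >= 7.2).

/** nonce || secretbox(plain, key); the random nonce is stored alongside the ciphertext. */
function sealWith(string $plain, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return $nonce . sodium_crypto_secretbox($plain, $nonce, $key);
}

/** Inverse of sealWith(); null on a truncated or tampered blob or a wrong key. */
function openWith(string $blob, string $key): ?string
{
    $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if (strlen($blob) < $n + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;
    }
    $plain = sodium_crypto_secretbox_open(substr($blob, $n), substr($blob, 0, $n), $key);
    return $plain === false ? null : $plain;
}

final class UserKeyVault
{
    /** @var string[] user id => wrapped DEK (only ever stored in wrapped form) */
    private $wrapped = [];
    /** @var string the key-encryption key, i.e. the "one key per site" */
    private $kek;

    public function __construct(string $kek)
    {
        if (strlen($kek) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('KEK must be ' . SODIUM_CRYPTO_SECRETBOX_KEYBYTES . ' bytes');
        }
        $this->kek = $kek;
    }

    /** Generate a fresh DEK for a user and keep only the wrapped form. */
    public function create(string $uid): void
    {
        $dek = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
        $this->wrapped[$uid] = sealWith($dek, $this->kek);
        sodium_memzero($dek);
    }

    /** Unwrap a user's DEK; null once the user has been forgotten. */
    public function open(string $uid): ?string
    {
        return isset($this->wrapped[$uid]) ? openWith($this->wrapped[$uid], $this->kek) : null;
    }

    /** Cryptographic erasure: with the DEK gone, every copy of the user's rows, backups included, is noise. */
    public function forget(string $uid): void
    {
        unset($this->wrapped[$uid]);
    }

    /** Re-wrap the remaining DEKs under a new KEK (the "rolling" step the talk mentions after an erasure). */
    public function rotateKek(string $newKek): void
    {
        $fresh = [];
        foreach ($this->wrapped as $uid => $blob) {
            $dek = openWith($blob, $this->kek);
            if ($dek === null) {
                throw new RuntimeException("wrapped key for $uid did not unwrap; refusing to rotate");
            }
            $fresh[$uid] = sealWith($dek, $newKek);
            sodium_memzero($dek);
        }
        $this->wrapped = $fresh;
        $this->kek = $newKek;
    }
}

/** Encrypt one field under the user's DEK; null if the user has no key. */
function encryptField(UserKeyVault $vault, string $uid, string $plain): ?string
{
    $dek = $vault->open($uid);
    if ($dek === null) {
        return null;
    }
    $out = sealWith($plain, $dek);
    sodium_memzero($dek);
    return $out;
}

/** Decrypt one field; null if the user's key is gone or the blob is damaged. */
function decryptField(UserKeyVault $vault, string $uid, string $blob): ?string
{
    $dek = $vault->open($uid);
    if ($dek === null) {
        return null;
    }
    $plain = openWith($blob, $dek);
    sodium_memzero($dek);
    return $plain;
}

// Walk-through with constructed data: two users, one PII field each.
$vault = new UserKeyVault(random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES));
$vault->create('alice');
$vault->create('bob');
$records = [ // stand-in for the (backed-up) table of encrypted PII
    'alice' => encryptField($vault, 'alice', 'alice@example.com'),
    'bob'   => encryptField($vault, 'bob', 'bob@example.com'),
];
// Alice asks to be forgotten: drop her key, then roll the site key.
$vault->forget('alice');
$vault->rotateKek(random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES));
if (decryptField($vault, 'alice', $records['alice']) !== null) {
    throw new RuntimeException('erasure failed: alice is still readable');
}
if (decryptField($vault, 'bob', $records['bob']) !== 'bob@example.com') {
    throw new RuntimeException('KEK rotation broke bob');
}
echo "alice erased, bob still readable after KEK rotation\n";
```

Run it with `php` on any build that has ext/sodium. The wrapped keys are what gets backed up alongside the database; the site key itself belongs in a store reachable only from the application tier, and `rotateKek()` is where that store would be called when a user is forgotten. The caveat the speakers' logging remark already hints at applies here too: any copy of a field that went somewhere in plaintext (logs, a search index, an export) is outside this scheme, so the erasure is only as complete as your inventory of where the data flowed.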