Hello. I'm Kim Pepper. I'm the technical director and co-founder of PreviousNext and the Skpr hosting platform. Today we have some great lightning talks for you. We're going to hear from Nick Schuch, who's going to be doing some tips on improving infrastructure security. We've got Hasitha Garughe, who's going to be looking at better key management in Drupal. We've got Chris Burgess, who's doing a talk on Dependency-Track, and finally we've got Steve Coochin, who's doing security considerations for Drupal programming. We hope to have some time at the end for Q&A, so please post your questions in the live Q&A tab.

Without further ado, I'd like to introduce our first speaker. Nick Schuch is the systems operations leader at PreviousNext and architect of the Skpr hosting platform. He is passionate about Drupal, Kubernetes and everything in between. So take it away, Nick.

Hey everybody, how are you going? Happy Thursday. So I'm going to be running through a lightning talk covering a couple of, I guess, areas that I think folks could improve on with their stack, and just kind of start the thought in your mind about this. Kim already introduced me, so I guess all that's left is my Twitter handle and my lovely face. I'm operations leader at PreviousNext, and my day-to-day is kind of covering a lot of these aspects that I'm going to talk about here. So let's get into it. We have a lot of content to cover this session.

The first area I want to cover is understanding interactions. I think this is a bit of an interesting area, because it's about understanding what kind of traffic is coming into your stack, who's interacting with your sites. It's very important from a business standpoint that the business knows what features are being used: are they using the search feature? Are they contacting us? Are they falling off the site after 30 seconds?
Those are all important metrics, and the same thing goes for infrastructure. I don't think we do enough of this. We don't really understand what type of interactions actually happen: who's consuming our website, who's viewing our website? Is it a bot? Is it a person? Which leads me to my first lovely graph.

What I want people to do is go away and think about how they're analysing their traffic in a very simple way that will show what kind of things are hitting your website. By setting up these four graphs, we were able to quickly, with AWS Bot Control (this will be using AWS, sorry, as kind of an implementation example; this is what we do, and these are actually real graphs), in a couple of dashboards, using AWS WAF and Bot Control, see what ratio of the site is bots, what's real users, what kind of interactions are happening. Is it a search engine going to the website? Is it an actual client? This is very high-level, but it can go deeper. I thought this was super interesting when we turned this on, and you could see, oh, WhatsApp or Applebot, or I think Facebook's in there; there's a bunch. That's a lot of stuff, and I thought this was very interesting. It's very interesting to know what kind of things are hitting your website outside of the standard interactions, because this leads you to have a greater knowledge and be able to understand if things are good, if things are bad, should things be blocked, what should we be doing, or is there a demographic that we should also be considering in the future?
So that's kind of at the top of the stack. The next one down is about locking down code. We've compiled our Drupal site, or we've deployed our Drupal site, and now we want to make sure that that is the truth. We don't want things to change. Gone are the days of running Vim on an app server or a web server somewhere and changing settings.php. We really need to be able to understand the artifacts and the applications that we're shipping to ensure that things are okay.

Here's an implementation of what we've done on our Skpr hosting platform: read-only containers. The idea is that developers can't change code, but hackers can't change code either. Nobody can change the code. Fun fact, this is actually a feature that I helped contribute to Kubernetes, so this is kind of my one that I'm very proud of. But this is very important, because in the case of, you know, a Drupalgeddon or something like that, bots can't go and edit your .htaccess file and start mining Bitcoin and making money. So there's also that aspect too. If you want to continue down this path, I highly recommend you chat to your ops team and consider how your code's being handled: is it permissions, or is it containers?

In the same vein, we have intruders, and being able to detect intruders. This is something that I think has really started to come up a lot with the cloud-native ecosystem, mainly in the form of the Falco project. Not only do you need to make sure that your code can't be changed, you also need to make sure that things aren't executing bad commands on your infrastructure.
I think just the reality of an application like Drupal is that you do have to shell in once in a while. You need to be able to run Drush. You need to be able to run cron tabs. If a deployment fails, maybe you need to run a config import again, or update DB, or cache clears, things like this. There's a whole slew of things that you need to be able to do, and you can't just turn off the command line for developers to block this problem out. So the next best thing you can do is have a layered approach: not only have a read-only code base, but also have some monitoring around what commands are being executed and when, so then you can have some kind of audit trail. In this case, I'm using Falco.

Here's a really cool example of something that I didn't know. So, to start from the beginning, Falco is configured to log commands that are executed within our containers, and then it just logs it out to standard out. Our logging system picks it up, and then we can query it. Now, for the longest time I've been using New Relic, for many years, five, six, seven plus years; awesome APM software. But I had no idea that it was running a daemon until I deployed a bit of software like this. I'm like, oh, it's not just a PECL extension, it's not just an extension; it also executes and fires off a daemon, which makes a lot of sense. But you just don't know those kinds of things if you're not in the trenches and seeing what's going on. So this example is just highlighting the fact that you should be able to audit what's being executed on your environment.
So then you can put your hand on your heart and know that things haven't broken through certain barriers in your infrastructure, and people are running the right commands on your infrastructure as well.

And for my final one, which is a bit contentious maybe, I don't know, for some people; others might have already drunk the Kool-Aid, I sort of have: it's managed services, or more specifically managed cloud services. Look, at the end of the day, if you're hosting infrastructure or deploying an application or you're building a product (you could say at the end of the day, you know, we're just hosting a Drupal site, but your product is the infrastructure that your developers use), and if you go ahead and deploy MySQL and a firewall and a caching layer and all these kinds of things yourself, there are definitely trade-offs, and one of those is security, because it's a small set of eyes versus (this is the product page for AWS) what I would arguably say is a much superior company at shipping products and managing and maintaining them, and them running audits. There's a lot more eyes on this versus your bespoke MySQL configuration. So anyway, on that note, it's a lightning talk. Thank you.

Okay, so moving on. Next up we have Hasitha, better key management in Drupal. Hasitha has been a PHP and .NET developer for the last 15 years and has been involved in many small to large-scale Drupal projects, from version 4 to 9. He's currently working as a Drupal engineer at City of Boroondara. Take it away, Hasitha.

Yeah, good afternoon. All right, my topic is securing integrated systems with a better key management process in Drupal. I'm sure most of you, or some of you, are familiar with key management situations in Drupal, or opportunities: what are the ways we can manage keys or handle keys? So I'm just going to briefly start with what are the available options in Drupal.
There will be a poll going on. It's asking you a question: whether you have ever hard-coded your keys or secrets in Drupal or any other platform at least once in your developer life. So just feel free to pick yes or no based on your experience. I'm guilty; I have done that in the past. So yeah, that's how we learn, right? I guess most of the developers have done that mistake before.

So when it comes to things we are handling with integrated systems, it comes to keys, secrets, certificates, those sorts of things. These are the possible ways; even though they can be bad, they are available. Anyone can hard-code secrets, keys, anything in code. Then you can store them in the database and do a database query and get the key or secret from the database. I know all these are bad things. Then you can hard-code these things in an environment file; you know, the .env files. You have these files specific to environments: the local environment has a separate file, and then for dev environments, UAT or production environments there are separate files, and you keep these keys and secrets in these files. Then hard-code in settings.php; when it comes to Drupal-specific ways, you know settings.php. You can have separate PHP settings files for each environment if you need, or at least for local, so you can hard-code these things in there. Another way of doing that is storing in files: say, for an example, you are creating a small text file or whatever with the key, and then access that file and get that key while you are accessing the third-party integrated system. Another way Drupal introduced is configuration, right? We can store these keys or secret certificates with Drupal configuration as well. And then the other one is server environment variables.
You can keep these variables in the server as environment variables and then access those server environment variables when you are in that server environment. The last one is storing your keys and secrets in a third-party key vault kind of thing. Definitely maybe some of you have done that; you have different solutions, like Microsoft Azure is providing Azure Key Vault, and AWS is providing their solution, and things like that. So there are third-party providers giving you the opportunity to store your keys securely and access them whenever you require. On top of all this, you can secure these additionally with some encryption method, right? So when you are storing your keys, definitely you can encrypt these keys or secrets and then use some sort of decryption algorithm to decrypt them when you are using them to connect with the third-party systems.

The other one is: what are the available methods, especially in Drupal, or modules available in Drupal, to support this key management? There will be another poll coming up, I guess. That is asking you a question: have you ever used the Key module in Drupal? There is a separate module called Key. Most of you, or some of you, must have used it, and that's one of the best modules I have seen to manage keys. So my topic will be mainly about that, and I'll be discussing what are the available modules, and then finally what's available in the Key module.

As you suspected, my first preference is the Key module. Then there's another third-party provider called Lockr. You can find this Lockr, and it's a third-party provider like Azure Key Vault or something; you can store your keys with the Lockr module and then access them from Lockr whenever you need them in your application. Then Townsend Security Key Connection; there's another provider providing key management. And Azure Key Vault: this is one of the custom modules
I built and contributed to Drupal. This one is connecting with Azure Key Vault and gets the Key Vault keys or secrets for you in your Drupal application. There's another one, API Key Manager, and HashiCorp, if you know it already. On top of all these things, Encrypt: there's a module called Encrypt, and you can use that Encrypt module to secure your keys or your data inside Drupal, any sensitive data in your Drupal instance, more securely. There's another, Encrypt KMS, which is using the Encrypt module and providing more functionality.

Next I'm going to discuss what the Key module provides, so that's my main topic exactly, because that's one of the best modules I have ever seen in Drupal when it comes to key management. The Key module has three sections exactly. One is key providers. With the default module, the Key module is providing three default methods. One is the configuration provider, so you can basically keep it in Drupal configuration with the configuration provider. Then environment: as I mentioned before, you can keep it in your environment variables with this environment provider. Then the file provider: with this method you can easily store certificates or anything, like private or public certificates or anything, in a file and use this provider to manage it.

The next option the Key module provides is the key types. When it comes to keys or secrets or certificates, there are a few different types, right? So we know there's authentication: one username, password, can be a PIN. Maybe authentication again with multiple values: maybe a few passwords or something, or maybe more than username and password, and another third variable. The next one is encryption, so it can be an encryption/decryption kind of thing, and then it's used for password things. The other is providing key inputs. According to these key providers and key types, it's offering these few types of key inputs. One is none.
So for an example, if you selected the key provider File, you don't need to input any keys, because it's a file selection from your server space or somewhere, so you can select None. Or else, if you are generating an encryption key, you can select Generate. Then you can select Text field if you're adding, using a password and things like that. And finally Text area, used for multiple values.

And also you can pick override. This is one of the main features in the Key module: you can override the config of any key. For an example, say you are doing a custom module and you are creating a separate username/password area in that custom module, and it is storing in the Drupal configuration, but with this key config override feature you can basically overwrite that configuration and store them in a third-party key vault or somewhere easily. That's the benefit of that. Plus, on top of all these, you can extend the Key module with your own providers, key types or key inputs. That's the best.

What are the extensions available? These are the extensions available at the moment. Lockr, as I mentioned before, you can use alone, as well as you can use it within the Key module; Lockr is providing an extension to the Key module. Then Townsend AKM is providing another extension. Then Azure Key Vault, the module I built, is providing another extension. You can use the Key Vault module alone to use the Key Vault and get the keys and everything in code, but if you need a UI, using the interface to handle all these keys in a Key Vault, then you can use that on top of the Key module as well. And then asymmetric keys and things like that.

Yep, and I'll quickly finish it off. The benefits of the Key module: these are the benefits. Everything, all the keys in your Drupal solution, you can just manage in one location, and you can store in configuration, environment, file, as mentioned, and third-party cloud services, and on top of all those, config override.
Those are the best options we have. So thank you, and if you have any questions, I'm happy to answer in our last few minutes of the Q&A session. Thank you.

These are all quick lightning talks, so we don't have a lot of time to talk. Next up is Chris Burgess. Chris is excited to be working in open source software, sharing knowledge and still learning after 20-plus years in open source, 15 of these in the Drupal community. He's a senior developer with Catalyst IT. Take it away, Chris.

I'll turn it up to 1.5 times. Okay. I'm a developer with Catalyst. I live deep south in beautiful Ōtepoti, and I'm really excited about building Drupal projects in our community. I'm xurizaemon in most places online, except for my Drupal Git handle, because of the CVS transfer.

So, we like components. Drupal projects can be complicated; staying on top of updates is a requirement for system and data security. Understanding our project happens at lots of different levels, from the forest to the weeds. We like components because we can build complex things. It means understanding the components we're using, and most agencies, most organisations, have a bunch of projects with a bunch of components in them. There's lots of advantages to understanding this, but security is one of the biggest. Years and years ago Catalyst announced our comedies at a DrupalSouth like this one, quite different actually, and then we turned that into Matahara, and today we're looking at other ways to review how we're using all these components.

Composition analysis is a tool which lets us understand what all those pieces in the pie are. For a Drupal project you can have hundreds or thousands of packages in your dependency tree, especially once you consider that you've got other packaging systems in place, such as npm for the theme or front end. You've got frameworks and containers, and the operating system, and possibly firmware.
I don't know what you're building. So what are we running? What else is running these same things that we're using in different projects, and how can we consolidate those and reduce the number of things that we need to think about? What vulnerabilities do we need to care about, and also what licence considerations do we have for different projects? Licences do matter, and depending on what you're building they can have a really big impact on what you're able to do or what you're able to use.

Dependency-Track is an OWASP project that provides software composition analysis, and I've been looking at it to see whether it fits the bill for what we want to do. Currently version 4.3.6, it's a Java application. You can run it up in Docker to give it a spin. I ran a demo copy up on Catalyst Cloud; yay, nice and easy. Yeah, I had a bit of a play with it, but we've been using it as a prototype as well for some real-world projects. No real-world data today, though.

How it works is you take your composer.lock (composer.lock and composer.json), your package-lock.json from Node, maybe your Gemfile.lock from Ruby. All of those different software systems have locking mechanisms that allow a build to record what's in it, and we can take that and turn that into a bill of materials, which is a common format, a BOM, bill of materials. That allows us to communicate, you know, interoperate between systems about what went into that build. So you can pull it out from your CI, or you can manually upload it and extract it. You can also combine bills of materials between packaging systems together to comprehend all of the different packages that have gone into building a single project. You want to aim for automated inbound data, but you can test it out with manual imports and manual compiles. You can import that into Dependency-Track, which will analyse and extract the metadata, the versions, the licences, and it will also haul in vulnerability
databases that it can match your components against. It sources that vulnerability intelligence externally; you can retrieve from public and licensed systems, so you can pull in from some of the more expensive or restricted databases. You can configure Dependency-Track to apply your organisational rules over the top of this: tell me about unlicensed components that exist in this project, and what does it mean for us if we're pulling in something that doesn't have a licence applied at all? Send me a report on Slack, Teams, whatever, when something comes up with a vulnerability, and which projects are affected.

So what do you get out of the box? This is the front dashboard of Dependency-Track. You get a snazzy dashboard that will report on all the scary things for you. This is the same dashboard, a bit bigger. This is the projects view. We're looking here at a particular project, "project one" at version naught naught one. It's a Composer, Drupal and npm project, and we can see that we've got some vulnerabilities identified, and we've got some audit notifications coming up as well. We can dive in and explore the components that make up this project. You can see here that there is a medium or high-level warning on one of the three versions of acorn that Node has managed to pull in. I don't understand how it got three versions, eh. You can review your vulnerabilities in more depth, such as this handful of medium-spicy npm ones, and you can look at policy violations. Here's a list of all the components that didn't have a licence, and it's telling us: go sort that out.

What does this mean for us? It means that we can have early advisory of vulnerabilities, and not just from the Drupal components, which is what you can get from Drupal at the moment. Drush, yeah, anyway, there's some Drush commands which will help with that too; we'll talk about those in a moment. Yeah, okay, cool, interesting.
I've got the wrong notes here, I'm confused. Let's talk about that. So we get consistent assessments across projects. We get a reference for developers so that they can look at the other components that we're already using in different builds, which may help you as an agency if you want to avoid divergent spread of components being hauled into new projects, and give people visibility on what the other approach is that the same company or organisation has been up to. It gives you an additional review step that you can firm up your processes around selecting components, and it gives you automated analysis over time: so not just when the changes are applied, but also whenever a vulnerability drops on one of those packages that you're using, you can find out about it quick smart. Right.

So what else is out there? In your CI pipelines you might be using things like composer outdated or drush pm:security to identify known outdated components in that space, and you could be using npm audit alongside that. There are also paid services such as Tidelift, which offers additional support. They will help you curate your packages and tune for the appropriate licences for your systems, and they'll go off and do the work of identifying when there's a missing licence in a package, which can be really useful. They are a paid service, and they are really engaged in supporting maintainers by contributing back the paid-service income to maintainers of projects. So they're really interesting to check out. I'm quite impressed with what they're doing; they're doing cool stuff around funding open source, and I like that. And there's probably some other things too. I don't have a poll, but I would love to hear what other people are using to fill the same knowledge gaps or informational awareness in their organisations.

Looks like that's it. I've got a minute and a half left. Yeah, say hi; I'm xurizaemon everywhere, mostly everywhere. And that's me.
Someone else can have a minute and a half go. Take me off screen.

Okay, so we are very tight for time. We won't have time at the end for Q&A, but please join us in Drupal Slack for any follow-up questions; look forward to that. So finally, the last lightning talk of this session is Steve Coochin on security considerations for Drupal programming. Steve has a strong background as a developer, with over 20 years' industry experience working with companies, startups and non-profits of all sizes, and Steve is currently a developer advocate at Snyk. So yes, Steve.

I've been developing apps for a number of years now, through digital agencies, even through being a developer advocate or developer evangelist, through a whole bunch of companies, doing all sorts of fun things from e-commerce to one of my favourites, IoT; you can always integrate IoT into anything, it's great. Anyway, I've built out a number of applications over the years, and using something like Drupal, for example, I've always loved, because it's got so many great features straight out of the box that are really easy and quick to deploy. Even going back to my digital agency days, building out applications, application sites, campaign sites, whatever, as part of digital agency experiences has always been super quick and super easy. But something I've always pondered, as part of what I like to think of as my developer origin story, is just what nasty things are lurking inside the platforms that I'm deploying. Now, particularly when you think libraries and dependencies, with the likes of Composer etc., when you're deploying stuff there's usually a whole bunch of dependencies that get pulled in as part of library support or as part of different frameworks. And indeed there's been times where I've had to go back and clean something up because there's all sorts of nasty pop-ups and whatnot appearing on sites, and even some of the code that I've used in the past for various projects, which, I mean, at 2 a.m.
it seems like a good idea at the time; next minute, yeah, you've got a compromised host. So I thought we'd go through some of the ways to help secure coding, and given that Drupal is built on PHP, I thought we'd go over some common PHP ones first. Now, some of these you probably already know; it's probably just a good reminder, if anything. If you aren't aware of some of the security nuances to some of this stuff, then hey.

These four in particular are ones that I've always been extremely wary of, with good reason, and I mean it's common sense. exec in PHP, for example, gives your code, or gives PHP, access to your core operating system, so this is definitely one you want to use very sparingly, if at all, which is generally how I've always approached any of these four functions, any of these four base-language PHP routines. Any time that I've considered using any one of these, the first thing I ask is: why do I need this, and is there another way?
And rightly so, as I'm sure you can imagine: by giving code direct access to your operating environment, not a great idea. There's all sorts of dragons that can be hiding inside that. So ultimately, investigate if you need to use any of these; I mean, you can use things like cron, for example, to try and run batch jobs, or sanitise image manipulation, for example; that's potentially one of the things I've looked at using this sort of stuff for in the past. Anyway, use these ones extremely sparingly.

Something we've seen in recent years is with some of the sanitisation functions like strip_tags, or even the conversion stuff like mb_strtolower. strip_tags only filters HTML, so JavaScript and SQL are completely valid in its eyes, which, as you can imagine, there be dragons. htmlentities, for example, is a good option. It won't sanitise completely, but you can use definable UTF character sets. mb_strtolower basically can raise a whole bunch of out-of-bounds by UTF character sets, which is why it's definitely one to avoid. preg_replace is always a good way, particularly with sanitisation or conversion, to transform or sanitise strings if you need to. But I mean, one of my favourites to use lately in base PHP is filter_var, which is kind of the standard at the moment, and you can actually add to this as well using filter flags, FILTER_FLAG_STRIP_HIGH. There is a whole bunch of really nice filters that you can use as part of the input/output with the filter_var option, so definitely one to look at.

What I'm going to really, really emphasise here, and we're going to talk about this one in a moment when we switch over to Drupal secure coding, is unserialize. Yes, not only is it grammatically incorrect (I think that was a good combination of words to use), but also extremely, extremely insecure. And I can't stress this one enough, because serialize actually isn't too bad there.
I said it. unserialize is kind of the worst of the two, because in serialize you can actually store functions as part of, like, a serialised variable set. You can actually store a function, which can then be pulled back out and, well, executed on your system as part of, like, a remote code execution. So unserialize is extremely bad, so much so there is a whole big warning inside the PHP documentation for it, which is one of the many reasons why you shouldn't use it. But also the core developers themselves, from the core PHP team, actually won't consider any vulnerabilities or bugs raised against unserialize now as being a security issue, because it's so unsafe and you shouldn't use it. I kind of wish it would get taken out, but anyway. If you weren't already aware of why you shouldn't use it, it's literally because a remote attacker can use this particular function, potentially, depending how you're storing your variables, how you're storing your data sets or user data inside serialize and unserialize; they can use that to basically run remote code on your server, which, I mean, nobody wants that.

This one actually is so bad, too, that the Drupal security team have had issues with it in the past. And shout out to the Drupal security team: they do amazing work and are extremely reactive in keeping up to date with any CVEs or security instances that are raised, and very quick to patch things. So yeah, the Drupal security team. Incidentally, if you're not already subscribed to the alerts that they put out, I would highly recommend you do so, because ultimately these apps that you build and support, to keep your users safe.
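As an added example (not from Steve's talk and not from any Drupal or PHP project's code), the following stand-alone PHP 8 script shows the unserialize() failure mode described above next to two mitigations: refusing object instantiation with the allowed_classes option, and moving untrusted data to JSON with json_decode(). The ReportExporter class, the preference values and the file path are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Constructed class for the demonstration. In a real application this would be
// any class autoloadable at unserialize() time: its __wakeup()/__destruct() run
// with whatever property values the serialized bytes supplied.
final class ReportExporter
{
    /** @var string[] Records which magic methods ran, and with what state. */
    public static array $log = [];

    public string $outputPath = '/tmp/report.txt';

    public function __wakeup(): void
    {
        // Application logic that trusts $this->outputPath would act here.
        self::$log[] = "__wakeup ran with outputPath={$this->outputPath}";
    }
}

// 1. Vulnerable: untrusted bytes (cookie, form field, DB column) into unserialize().
function loadPreferencesUnsafe(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// 2. Hardened: keep unserialize() for legacy data but forbid object instantiation.
//    Objects in the payload become __PHP_Incomplete_Class and no magic method runs.
function loadPreferencesNoObjects(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// 3. Preferred: use a data-only format. json_decode() cannot instantiate classes.
function loadPreferencesJson(string $untrusted): array
{
    $data = json_decode($untrusted, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new UnexpectedValueException('preferences must be a JSON object');
    }
    return $data;
}

// Constructed inputs. The legitimate value is a plain array of preferences.
$legit = serialize(['theme' => 'dark', 'per_page' => 25]);

// The same storage channel carrying an object with attacker-chosen state. It is
// built with serialize() here only to avoid hand-counting string lengths; in an
// incident the bytes simply arrive from the client.
$rogue = new ReportExporter();
$rogue->outputPath = '/tmp/attacker-chosen.txt';
$hostile = serialize($rogue);

// Vulnerable path: the class is instantiated and __wakeup() runs.
$result = loadPreferencesUnsafe($hostile);
printf("unsafe:      %s, log=%s\n", get_class($result), json_encode(ReportExporter::$log));
ReportExporter::$log = [];

// Hardened path: arrays still work, objects are neutralised.
$prefs = loadPreferencesNoObjects($legit);
$blocked = loadPreferencesNoObjects($hostile);
printf("no_objects:  prefs=%s, hostile=%s, log=%s\n",
    json_encode($prefs), get_class($blocked), json_encode(ReportExporter::$log));

// Preferred path: anything that is not well-formed JSON is rejected outright.
$jsonPrefs = loadPreferencesJson('{"theme":"dark","per_page":25}');
try {
    loadPreferencesJson($hostile); // serialized PHP is not JSON
} catch (JsonException $e) {
    printf("json:        prefs=%s, hostile rejected (%s)\n",
        json_encode($jsonPrefs), $e->getMessage());
}
```

The second run shows the hardened call returning a `__PHP_Incomplete_Class` with an empty log, which is the observable difference a code reviewer or test should look for when auditing existing unserialize() call sites.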
So please keep your users safe. Now that we've gone through some of the PHP stuff, on to Drupal secure coding. Of course, with Twig templates, anything between double curly braces is sanitised. It does get sanitised, and as devs we always sanitise everything, sometimes multiple times, just to make sure, because you can never be too sure, right? Some ways to do some really nice sanitisation: there's a couple there on the screen. You're probably already familiar with some of these. So Html::escape, that just outputs plain text; Xss::filter strips HTML tags out; and Xss::filterAdmin basically allows HTML only for admin users, if you need to do so.

drupal_eval, I'm just going to mention it here. I'm pretty sure it's not in Drupal 8 or 9; actually, I know it's not in Drupal 8 or 9, but Drupal 7 does still have it. So if you haven't yet upgraded to 8 or 9, which I know you're totally going to, because it's almost out of support, or everyone's being encouraged, of course, to upgrade, and you should totally upgrade. But this is based on PHP exec and eval and all those nasty dragon things that we were talking about a moment ago. So please upgrade as soon as you can.

Some other things to remember, particularly around the database storage side of things. When storing data, the database layer works on top of PHP PDO and uses an array of named placeholders. Of course, always make sure that you correctly sanitise user input. But of course you already know that, because I just did two slides telling you why you should sanitise, and everyone should know it anyway. Sanitise, sanitise. Speaking of sanitisation, there's actually a really good write-up on why you shouldn't trust form input variables, and it goes back to our old friend unserialize. There's also some decode entries in Drupal 7 as well that you should take a look at, but check out the Drupal docs on security and sanitisation, because there's some really good write-ups on there
as well. Just be aware of check_plain; there's a couple of articles on this actually, but check_plain uses the client browser to provide additional or temporary sanitisation. We've seen, from the security side of things, some incidents involving browser-side sanitisation recently, so just be careful using that. Again, I would treat anything that you're potentially concerned about on the security side of things lightly, and remember to just always make sure you're pen testing stuff and testing things where you can as well. Ultimately, think like a hacker: if you can get around it, they can get around it. I always love taking that approach.

I'm going to do a quick mention on containers, because I know that's a big thing at the moment too. Essentially a lot of the top 10, well, a lot of the Docker-based images that we find these days on Docker Hub basically contain a whole bunch of vulnerabilities in them, based on, you know, open source library components that we know have open vulnerabilities currently in them as well. So always make sure that you're checking and scanning your container types. The way I like to think about this is: with great containerisation comes great responsibility. I always love that meme. Now, this also goes back to making sure you keep those end users safe, because ultimately that's who we are building these apps for. We need to protect their data, need to protect their experience. A good example of that, and this is the Drupal base image on Docker Hub; as you can see, it has over 100 million downloads to date, which is amazing. But again, make sure you're scanning, doing some base scanning on those images, to make sure if there's any open source components in there that need to be upgraded, that you're getting those upgraded, because again, users, you need to keep them safe.

That's about all I've got time for, so just lastly: please always use your tech superpowers for good, and be excellent to each other.
Thank you very much, everybody. So we've run over by a couple of minutes, but I'm sure you'll agree they're all great talks, and we managed to cram them all in. So yeah, enjoy the rest of your DrupalSouth.