DrupalConParis2009 - security
http://paris2009.drupalcon.org/taxonomy/term/43/0

Secure your Drupal installation with SSL
http://paris2009.drupalcon.org/session/secure-your-drupal-installation-ssl

Drupal is the perfect match when it comes to collaboration and communication in teams. As it is easy to set up and flexible to use, an intranet for a company or a site for a closed group of people is easy to realize.

However, stealing your login credentials or your session from a public network is trivial, so securing your confidential information is a must.

Speaker bio: Stefan is co-founder of and senior developer at erdfisch. In his four years of professional experience with Drupal, he has realized several smaller and larger projects and is totally convinced of its capabilities. He is interested in open source at large, believing it is the future of information technology, and in e-learning and data privacy in particular. Other presenters may be added.

Posted in security by sanduhrs, Wed, 08 Jul 2009 15:04:22 +0000

Keep your code safe - Tips from the security team
http://paris2009.drupalcon.org/session/keep-your-code-safe-tips-security-team

This session is aimed at the typical Drupal developer.

The session starts with a short overview of the most common security issues, their consequences and how you can use the Drupal API to prevent them. The second half of the talk is devoted to string handling, since the most prevalent vulnerability, cross-site scripting (XSS), happens when you get it wrong. You should leave the session with a clear understanding of when to use filter_xss, check_plain, check_url and check_markup.

Speaker bio: Heine Deelstra has been a member of the Drupal security team since 2006 and is its current Technical Lead. Other presenters may be added.

Posted in security by heine, Tue, 07 Jul 2009 19:48:14 +0000

Keeping Your Site Safe - Tips From the Security Team
http://paris2009.drupalcon.org/session/keeping-your-site-safe-tips-security-team

This session is aimed at the typical Drupal site admin and will not include developer/themer topics.

- Why you should be concerned: what are the threats and how bad are they?
- What are the most common configuration mistakes that make sites weak?
- Best practices for modules to add to the security of your site
- Protecting the privacy of your users' data
- How does the Drupal security team work?

Speaker bio: Greg Knaddison has been a member of the Drupal security team since 2007. In 2009 he published the book Cracking Drupal, which is a guide to keeping your site secure (of course, that also makes it a guide to how to break into a site...). Ben (coltrane) Jeavons recently joined the security team after learning about the Drupal security team through presentations at past Drupal events. Now he gets to make the presentation. Heine Deelstra is the Technical Lead of the Drupal security team. Matt Cheney is a master of dramatic interpretation and will amaze and astound you with the ways your site can be cracked if you don't follow some simple steps.

Co-presenters: coltrane, heine, populist

Posted in security by greggles, Mon, 06 Jul 2009 23:22:44 +0000

How to Hack a Drupal Site
http://paris2009.drupalcon.org/session/how-hack-drupal-site

Hacking is more of an art than a science, and this working demonstration will give the audience a chance to get their hands dirty. Drupal's security model tends to focus on technical security, and this leaves some key holes in the security model. We'll take the opportunity to show some of these problems, give the audience a chance to work through them on a demonstration Drupal site (install distributed to everyone prior to the session), and finally work through some possible solutions to the problems we identify.

Speaker bio: I am an information security professional with experience working on penetration tests, vulnerability scans, and designing secure solutions for the financial industry, the defense and intelligence community, and the federal government of the United States. Over the last several years I've provided configuration advice on a wide variety of software solutions ranging from content management systems to mainframe systems to wireless installations. I've also spoken at InfoSecurity Europe in London and at conferences in Denmark, Sweden, and Norway, and contributed to a book on federal information security standards. I am currently working on building a small information security consulting practice after leaving a Fortune 500 company where I was the director of the financial services information security practice area. In my spare time I play Ultimate frisbee, mess around with cool technology, and travel to out-of-the-way places where I won't run into too many tourists.

Posted in security by mtapman, Wed, 10 Jun 2009 01:27:01 +0000

Hack-proof Your Drupal App
http://paris2009.drupalcon.org/session/hack-proof-your-drupal-app

Abstract:

What you don't know can hurt you. Analysts estimate that 75% of attacks against web servers enter at the application level, not the network level. As many as 15% of these attacks are due to poor coding practices. We'll discuss ways to secure your Drupal application.

Agenda:

- See For Yourself: demonstrations of application attacks
- Case Study: Secrets to Securing a Social Network
- Key Habits of Secure Drupal Coding
- Vulnerability Detection, Remediation, and Mitigation

Speaker bio: Erich has 12 years of experience in web technologies, specializing in open-source solutions and application integration. He is currently the Vice President of Engineering at CommonPlaces e-Solutions, LLC, and led the team that built Greenopolis.com, an environmentally themed social networking and education site. Erich also led the team that built Twolia.com, a social networking and e-commerce platform for independent female artists that mimics Facebook, Etsy.com, MySpace, and YouTube. Erich is the author of the Permissions API module and maintains the Drupal 6 version of the Signup Restrict By Role module. Erich lives in New Hampshire with his wife, two sons, and two Weimaraners.

Posted in security by ebeyrent, Tue, 09 Jun 2009 18:06:04 +0000