You should come to Drupalcamp Colorado June 11-12 2011

Greg — Mon, 16 May 2011 23:25:23 +0000

Drupalcamp Colorado 2011, co-hosted with Commerce Camp, is shaping up to be another amazing event.

In 2010 we had 312 people registered, delicious breakfast and lunches, 2 parties, all for less than $50 in attendance fee. For 2011, we have all that and more. You may consider registering before reading the rest...but if you still need to be convinced:

Drupal Camp Colorado: An Amazing Value in 2011

Session submission is closed and session selection is under way, but BOFs will be managed online in the lovely Conference Organizing Distribution based BOF manager which was used for Drupalcon Chicago and is being enhanced as it makes it's way into COD.

And the sessions accepted are looking amazing. There's a good mix of the best-of Drupalcon Chicago combined with what will certainly become favorites at Drupalcon London.

The content team has made sure that we cover all skill levels this year. Some particularly new user friendly options include:

Pre-camp training on Friday the 10th from Lullabot and Chapter 3 will give you a 1 day trip forward a few levels in your Drupal journey.
Getting started with Drupal will show off the basics and fields. Follow that up with Introduction to Views and then Setting up a Drupal Development Environment on Windows before heading off to Introduction to Theming and Introduction to Module Development. That takes a solid programmer from newbie to rockstar in a day!

And if you're looking for socializing then there are both formal and informal activities to keep you busy. Friday and Saturday nights we'll have official parties at nearby venues with subsidized refreshments.

Amazing Attendees for Drupal Camp Colorado 2011

For 2011 we currently have 185 attendees registered about a month before the camp begins and we have space for up to 500. Among the people planning to come are:

Approximately 25 total Drupal 7 core contributors will be at the camp including some amazingly profilic ones like Damien Tournoud, Károly Négyesi (chx), Dave Reid, Larry Garfield, Bojhan, Nathan Haug (quicksketch) and Randy Fay who combined were responsible for approximately 13% of the code changes in Drupal 7. These are the people who are largely responsible for the new Database API, Image handling in core, automated testing and CCK in core among many other things.
Amazing Drupal contributed module maintainers like Earl Miles (merlinofchaos) of Views, Panels, and Nodequeue fame (Nodeque being co-maintained by GVS team member Ezra Barnett Gildesgame).
Nathan Haug who maintained many of the image related modules in Drupal 6 and who maintains the Webform, Flag and Fivestar modules (Fivestar being co-maintained by GVS team member Ezra Barnett Gildesgame).
Ryan Szrama of Ubercart/Commerce fame who will be here for a whole week in advance of the camp working with the broader Drupal Commerce team for a sprint.
Dave Reid, who along with me, helps maintain the Pathauto and Token modules. Dave also maintains Path Redirect and about 100 modules total!
A few Drupal 8 initiative owners will be using this as a time for a sprint. Greg Dunlap, David Strauss, and Earl Miles are planning to attend and work on configuration management. Larry Garfield will be there to work on Web services/Context.
From Aten Design Group we have Scott Reynen who has been tearing up the project application queue, Ken Woodworth who is primarily responsible for the amazing Drupalcon Denver design work.
TopNotchThemes will be here with Steph, Chris, and Sheena bringing their usual fun and solid theming skills.

If you ever wanted a time to chat with these folks without fighting with 3,000 other people for their attention, Denver is that time.

Sold? Great: Register now!

Drupal Security?

Greg — Wed, 05 Mar 2008 15:37:37 +0000

Check the presentation formatted version of this page.

Greg Knaddison

Growing Venture Solutions

2008/07/27 14:00

DrupalCamp Colorado

Why?
What?
Config?
Coding?
Process
Q (hopefully A)

Why bother

Who has had a site cracked?
Who has had a server cracked?
More popularity brings more eyes reviewing code - brings more desire to crack and build worms

Authentication

Verifying digital identity of user
Brute Force - guessing passwords
Insufficient Authentication - only ask for email instead of email plus password

Authorization

Checking permissions of an authenticated user
Insufficient Authorization - permission is too lose

Client-side attacks

Cross site scripting - XSS
Cross site request forgery - CSRF

Command Execution

Operating System Command Injection (requires something from contrib)
SQL Injection

Information Disclosure

Information Leakage
Directory Indexing
Predictable Resource Location

if (typeof jQuery == 'function') { jQuery.get('/user/1/edit', function (data, status) { if (status == 'success') { var matches = data.match(/id="edit-user-edit-form-token" value="([a-z0-9]*)"/); var token = matches[1]; var payload = { "form_id": 'user_edit', "form_token": token, "pass[pass1]": 'hacked', "pass[pass2]": 'hacked' }; jQuery.post('/user/1/edit', payload); } } );}

From Heine

Prioritize
(Risk * Exposure) ^ 2 = Use Common Sense

Secure Configurations
Drupal permissions - "be careful - test"
Input formats - http://drupal.org/node/224921
File permissions - http://drupal.org/node/117054
PHP Filter - don't use it

Be a Secure User

Use a good, unique password
Beware unencrypted WiFi
Use ssh/keys instead of FTP
Be careful with UID 1

Writing Secure Code
Use the APIs luke.

FAPI

Ensures form selections were provided to user
Protects against CSRF

NO: <FORM ACTION="">
YES: drupal_get_form($form_array);
Forms API Introduction
Forms API Reference
Forms API Diagram

t()
Protects against XSS

SAFE: t('I escape %user_data', array('%user_data' => $data));
- I escape user_data (safe)
SAFE: t('I escape @user_data', array('@user_data' => $data));
- I escape user_data
XSS vulnerability: t('I do not escape !user_data', array('!user_data' => $data));
- I do not escape user_data

check_plain(), filter_xss()

NO: print $user_data;
YES: print check_plain($user_data);
check_plain - to be used when inserting plain text in HTML
check_markup - to be used when inserting rich text in HTML
filter_xss - to remove all but whitelisted tags from text inserted in HTML
filter_xss_admin - shortcut to filter_xss with a permissive tag list, used to output admin defined texts.

drupal_render()

NO:
$node = node_load($nid);
print $node->body;
YES:
$node = node_load($nid);
print node_view($node);

content_format()

NO:
print $node->field_content_something[0]['value'];
YES:
print content_format('field_content_something', $node->field_content_something, $formatter = 'default', $node = NULL);

db_query()

NO:
db_query(“SELECT * FROM {table} WHERE someval = ‘$user_input’”);
YES:
db_query(“SELECT * FROM {table} WHERE someval = ‘%s’”, $user_input);

db_rewrite_sql()

NO:
db_query(“SELECT * FROM {node}”);
YES:
db_query(db_rewrite_sql((“SELECT * FROM {node}”));

Proper use of these functions will solve the most common issues.

See http://drupal.org/writing-secure-code for more information.

When in doubt, ask.

Goals and Processes

Protect Drupal sites secure from Zero Day exploits
1. Be really quiet, then really loud
Promote security practices in core and contrib
1. Make defaults and "proper" use of APIs secure
2. Provide docs and examples
Facilitate fixes for contrib (not scanning, necessarily)
1. Intake of reports, pass information along, provide guidance, make announcements

Report a Problem

Contrib Module Workflow

Issue gets reported (keep it quiet)
Security team works with maintainer to get a fix
Fix is released in next bundle of fixes (be loud)

Policies:
Cover core and contrib under basically the same process
Only create SAs if:

Module has a stable release
Or, it has a developer release but is very popular

Only current and last version are supported. This could be changed if enough volunteers stepped forward, but that has proven unlikely so far.

A (hopefully)

Growing Venture Solutions - GVS - drupalcamp colorado

You should come to Drupalcamp Colorado June 11-12 2011

Drupal Camp Colorado: An Amazing Value in 2011

Amazing Attendees for Drupal Camp Colorado 2011

Drupal Security?

Greg Knaddison