Franz Hartl

Drupal: Defense in Depth

April 14th, 2011

Insight Article, Web Content Management

“Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix obvious to someone.”

 - Linus’ Law[1]

Drupal has arrived. The enterprise-level open-source content management system is powering an estimated 7.2 million sites as of July 2010. With well over 3,000 attendees from around the world at last month’s Drupal Conference in Chicago, Drupal is everywhere. For some, the question remains whether Drupal is truly secure enough for the enterprise. The U.S. Government believes Drupal is secure enough to run Whitehouse.gov, and after our experiences, we fully concur that Drupal provides state-of-the-art security.

Skeptics of open-source software believe that because the code is publicly available, it is vulnerable to hackers. They accept the flawed concept that security is achieved through obscurity; that fewer eyes on a project make it less vulnerable. On the contrary, open-source software, like Drupal, is more secure than closed alternatives, because the code is public. With hundreds of thousands of Drupal developers forming a global network of people passionately collaborating to discover bugs and potential vulnerabilities and then subsequently fixing any weakness in code, Drupal is Linus’ Law in action.         

The recent newsworthy security breaches highlight why web security is such a growing concern:

  • An international network of clandestine computer hackers publishes the sensitive information of governments and corporations (Wikileaks) by leveraging cloaking software developed by the U.S. Naval Research Laboratory (TOR) to communicate. They release files over a distributed network with no central server (BitTorrent) encrypted under an uncrackable AES 256-bit key.
  • The online marketer, Epsilon, sends out more than 40 billion email ads and offers each year, typically to users who register with a company’s website, or give their email addresses while shopping online. On April 1, 2011, Epsilon announced that a hacker had gained access to its clients’ customer files, which contain personal information on individual consumers. Epsilon’s clients include Citigroup, Best Buy, Capital One, and JP Morgan.
  • When Google engineers suspected Chinese government hackers were breaking into private Gmail accounts, Google began a counteroffensive. Google saw evidence of attacks by the Chinese Government agents on over 35 companies including Adobe Systems, Northrop Grumman, and Juniper Networks.
  • Russian cyber crime organizations are continually operating botnets that are committing crimes involving identity theft, phishing, spam, and malware distribution. The most ominous amongst these criminal syndicates is the “Russian Business Network.”

While these events have been widely discussed in security circles, the cyber attack on the Whitehouse.gov website in July of 2009 elicited much less attention. The reason why? The attack was completely rebuffed by Drupal.

So how does Drupal do it? In addition to harnessing the talents of a large, passionate community of developers, Drupal’s embrace of the philosophy of “Defense in Depth”, state-of-the-art authentication and authorization systems, and additional performance enhancements such as Varnish all contribute to a level of security worthy of leading government and enterprise-level corporate organizations.

The philosophy of “Defense in Depth” is a layering tactic conceived by the National Security Agency as a comprehensive approach to securing information and protecting against espionage and cyber-attacks through multiple layers of defense.  Drupal’s “Defense in Depth” hinders security breaches and also reduces and mitigates the consequences of an attack if one security feature is breached.

The Drupal Team maintains a security announcement mailing list, a history of all security advisories, a security team home page, and an RSS feed. Since Drupal’s policy mandates the announcement of each security vulnerability once the fix is released, administrators of Drupal sites are automatically notified of these new releases via the Update Status module.  If a Drupal site is hosted with a top-notch hosting provider, these security patches are implemented immediately.

Drupal employs a state of the art system for handling security relationships via authentication and authorization.  Authentication (i.e. the way a user proves his or her identity) is ensured through “salting and stretching” of passwords. In cryptography, a salt consists of random bits that are combined with the password using a cryptographic hash function. By repeated hashing the password is stretched. The output of this one-way function can be stored rather than the password, and still be used to authenticate users. For example, the massive password theft security breach that occurred at Gawker Media Inc. was a result of “unsalted passwords.” With Drupal 7, secure “salted and stretched” password storage is a part of every Drupal installation.
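The salting and stretching described above, as an added example that is not Drupal's code: it uses PBKDF2-HMAC-SHA512 from the Python standard library rather than Drupal's own hashing routine, and contrasts it with an unsalted fast hash. The record format, the iteration count and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; tune to your hardware
SCHEME = "pbkdf2-sha512"  # label for this example's record format


def unsalted_hash(password: str) -> str:
    """Weak scheme: one fast hash, no salt. Equal passwords give equal digests."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salt with 16 random bytes, stretch with PBKDF2, return a storable record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iteration count."""
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != SCHEME or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a record is malformed or was stored with a lower work factor."""
    parts = record.split("$")
    return len(parts) != 4 or not parts[1].isdecimal() or int(parts[1]) < iterations


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    print(unsalted_hash("hunter2") == unsalted_hash("hunter2"))  # rows collide
    a, b = hash_password("hunter2"), hash_password("hunter2")
    print(a != b, verify_password("hunter2", a), verify_password("hunter3", a))
```

Storing the iteration count in each record is what lets `needs_rehash` upgrade old entries at the next successful login when the work factor is raised.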

Authorization (i.e. the way that permissions and access are granted on Drupal) implements a multi-user environment where users are granted specific privileges with various forms of access control. To gain control over Drupal, or the LAMP stack Drupal is built upon, and cause any serious consequence to the system itself, the attacker would have to gain root access to the system. With Drupal’s API (application programming interface) and default configuration, which are designed to handle issues like Injection, Cross Site Scripting, Session Management, and Cross Site Request Forgeries, a Drupal installation is secure from the very beginning.

In the event of a Distributed Denial of Service (DDoS) attack, Drupal is defended by Varnish, a reverse proxy program. Varnish’s design enables it to deflect DDoS attacks by leveraging an efficient use of memory, thus preventing an undue strain on Drupal. Varnish is what ensures that your site will not go down when confronted with a large traffic spike.

Finally, Drupal administration procedures and permissions protocols permit registered and anonymous site users to contribute content to the site (subjected to a publishing and editing work flow designed by the website administrators) while prohibiting the hacking of user privileges. This user permission system allows for the creation of user generated content and social media integration (Web 2.0) in a completely secure environment.

Without paying fees, developers can run, study, and modify Drupal. But they don’t just do it because it’s free; they do it because it’s a secure enterprise level solution. Bruce Schneier, an American cryptographer, computer security specialist, and author says it best: “When open-source code is properly analyzed, there’s nothing better.” However, no matter how great the code is, like a chain’s weakest link, a content management system is only as secure as its implementation. 


[1] Eric S. Raymond (1999). The Cathedral & the Bazaar. O’Reilly. ISBN 1-56592-724-9.
