Web site insecurity - How your CMS site will get hacked and how to prevent it.
Public-facing web sites are constantly under attack, and keeping them protected is an arms race. The news regularly carries stories of high-profile data breaches and online security incidents. Many of these attacks share common characteristics, and fortunately there are established countermeasures and best practices that are simple to implement and effective in mitigating the common threats.
Security rarely gets a look-in at the specification and budget allocation stages of delivering a web site, or at best is an afterthought. Yet everyone has an expectation of security and QoS that implies it is central to every project. So either some poor sucker is having sleepless nights, it is considered to be the domain of the hosting company, or everyone on the project has their head in the sand.
Security considerations should pervade all stages of a project from initial specification, throughout development and testing and on to ongoing hosting and maintenance.
In this session I will cover:
- Common threats to web security, with real world case studies of compromised sites,
- A 'dissection' of a typical common exploit tool and how it operates,
- Simple approaches to mitigating common threats/vulnerabilities,
- Defence in depth – an overview of the various components of web security,
- Drupal specific measures that standard penetration testing often does not account for,
- An overview of how to benefit from:
  - Security monitoring and log analysis,
  - Intrusion Detection Systems & Firewalls,
  - Security headers and Content Security Policies (CSP).
The presentation is aimed at all levels of Drupal knowledge and at anyone responsible for any stage in the delivery of information over the web, regardless of whether they are the client, project manager, developer or content editor.
Attendees do not require specialist knowledge. They will get an insight into how 'hackers' operate, how frequently attempts are made and the various modes of attacking CMS sites, review some real world examples, and see how countermeasures can be put in place.
Attendees will take home:
- that malicious attacks are a fact of life and can't be ignored,
- that security is not a 'one-off' but an ongoing responsibility,
- that security best practices shouldn't be intimidating and are readily achievable.
and will hopefully be inspired to initiate measures such as robust intrusion prevention and Content Security Policies for the websites they manage.