Important Learnings about Security from Drupal HackCamp Bucharest

When I was asked if I would like to speak at Drupal HackCamp in Bucharest, I was very excited. It’s a new trend: camps catered to a single topic. One example is Decoupled Days, a conference in New York focused on decoupled Drupal. HackCamp would be the first camp to focus on security, a topic that is incredibly important and constantly changing.

I titled my session “How open source helps you prevent the next Drupalgeddon.” I had no idea what I’d be in for. This was before SA-CORE-2018-002 was released, so my topic became even more current than I could have imagined.

Security is a multi-layered and complex subject. When faced with something like this, locking down your Drupal site is not enough if you don’t also have a firm grasp on the security of the infrastructure it runs on.

As a hosting company we learned that with things like Drupal security issues, everything boils down to one variable: time.

Back in 2014, when SA-CORE-2014-005 came out, we had 7 hours to react and patch all sites before the attacks started rolling in. People didn’t have the leisure of spending 7 hours patching all their sites. If you couldn’t patch them all quickly enough, the only choice left was to mitigate everything at an infrastructure layer such as a WAF, or to get creative. (Read this blog post to learn more about how we mitigated SA-CORE-2018-002 for clients.)

Technology and the things that threaten it change over time. SA-CORE-2018-002 and SA-CORE-2018-004 looked vastly different. With the new vulnerability we didn’t observe defacements or mass mailings from the hacked websites. Instead we saw an increase in three kinds of attacks:

- Injecting cryptocurrency-mining JavaScript (frontend)
- Attempting to start a crypto miner on the server (servers tend to be pretty powerful and perfect for mining cryptocurrencies)
- Stealing your user data

Other Drupal HackCamp Learnings

First of all, we had fantastic keynotes. Preston highlighted the importance of a decentralized web. Xjm shed some light on Drupal security, especially the responsible disclosure process and how much work goes into keeping Drupal and other projects secure, as there is a lot of cross-project collaboration. And last but not least, Jasper Mattson showed us how he found SA-CORE-2018-002 and dug a little into the craft of finding security bugs in software.

Can you keep a secret?

Nick Santamaria talked about secret sprawl and how to handle secrets in our applications so that rolling them over is as secure as possible and every use of a secret leaves an audit log.

With great power comes great responsibility

Chris from Lockr gave an impressive live demo showing how data within a Drupal site can be encrypted on the fly with the help of external key management solutions. Sure enough, some attendees went into the details of Drupal caching, and we found out some interesting things about where data actually is encrypted and where it isn’t.

10 Ways Drupal 8 Is More Secure

Peter Wolanin talked about 10 different ways Drupal 8 is more secure and highlighted every piece of this puzzle. It’s a good primer showing that security efforts come into Drupal core from many directions. I have included his talk from DrupalCon Vienna for those interested.

If you want to read more about the camp, head over to the blog post by Vasi of Amazee Labs.

I’d like to thank again all organizers, speakers, and sponsors of the event. This was a fantastic event with great people, wonderful food, and fun afterparties. I can’t wait to see all of you at next year’s HackCamp!