Why counting vulnerabilities is not a sufficient method of comparing product security

A lot of people find themselves in the position of trying to figure out which software package is the most secure, or at least which is more secure among a field of choices. They often try to do this by comparing the number of vulnerabilities reported against each package, consulting vulnerability databases such as MITRE's CVE or NIST's NVD.

However, consider this example timeline of vulnerability disclosure, taken from a sample issue posted to the Full Disclosure mailing list:

2013.05.11 Vulnerability reported to the vendor

Notes from Linux Security Tunables by Kees Cook

I recently attended Drupalcon Portland where I attended Kees Cook's session on Linux System Security Tunables. He had some great general security advice before the session began. You can watch the video on the Drupalcon site and read the slides there. Here are my notes from the session.

Authentication hygiene (e.g. ssh keys)

  • know where your credentials live
  • keep away from devices with remote access
  • store encrypted, tied to a specific device - if you lose control of that device, revoke those keys

Using XSS to steal access

We've talked about Cross Site Scripting (XSS) before, and for good reason: it's a risk far too many sites are vulnerable to. XSS is scary because it runs in the context of the trusted relationship between your browser and a website; XSS can do everything you can do.

XSS cookie theft

Let's look at another example of an XSS exploit: stealing administrative access to a site.

  • An attacker will enter JavaScript that steals the visitor's browser cookie
  • An administrator will unknowingly execute this JavaScript

Drupalcon Training: Securing your Drupal site with code and configuration

First things first, please take this survey about Security in Drupal.

Much like at last year's Drupalcon in San Francisco, Ben Jeavons and I will be giving a training about Drupal and Security. When we gave this course at Drupalcon San Francisco, 88% of survey respondents said they would take the class again! We took all the feedback from last time and are working to make the experience even better.
