security

Mamoon Yunus and Jason Macy gave this presentation with an overview of XML/Web services and how the usual security rules apply to this area.

Review of the problems with XML/Web services

Still have all the normal problems.

• Firewalls are not aware of the xml content
• Malware and viruses (or xss) can be included in the content depending on what context the xml data is used.
• WSDL exposes the schema and message structure
• Injection attacks are possible via the XML parameters
• Data replay is still possible
• Denial of service is still possible, especially with parameters

This was a presentation by Jon Rose and Tom Leavey of Trustwave. They started off with about 15 minutes worth of cloud background. The problems (and potential problems) they identified were:

• Vendor lock in may come up since the Amazon cloud is somewhat different from writing for Google's App Engine which is different from...
• Enterprise ready vs. experimental, meaning that most uses of the cloud right now are non-mission-critical.
• Forensics in the cloud are somewhat harder to perform since you can't necessarily get the log files.

At the Bay Area Drupal Camp yesterday I presented on Drupal Security for site administrators and beginners which covered some of the important ways you can protect your site from attacks through configuration of Drupal core. Attached are the slides from the presentation.

This past Thursday several hundred folks joined me for a webinar about security in Drupal as part of the Acquia webinar series.

You can now download the Security in Drupal introduction slides which include the speaker's notes and watch the screencast itself:

This flowchart is based on the one that Heine Deelstra presented at Drupalcon Paris.

I'm hopeful that the presentation will be helpful in eliminating Drupal's most common security issue!