Peeling Back the Onion: Drupal Security and Compliance
Drupal GovCon 2016 | Drupal Security and Compliance | Fen @openprivacy | Adam @n3rdstein | @CIVICACTIONS
Who are we...
CivicActions is … Open, Agile, Transparent
What is security?
Problem of Security
WHAT ARE THE GOALS OF SECURITY?
Security Objective: Practical, preventative measures for mitigating risk
COMPLIANCE DOES NOT MEAN SECURITY
Goals of Security
Image courtesy of the book Information Security: Principles of Success, Breithaupt and Merkow, 2014
Information Assurance
The practice changes for each system and need
Let’s evaluate some guiding principles to achieve the outlined goals
Security Principles
1. Least Privilege / Access Control
2. Complete Mediation
3. Attack Vectors
4. Logging, Auditing, Monitoring
5. Nonrepudiation
Be proactive and test your security practices
Why Compliance?
Compliance is not just a good idea, it’s the law
When you’re told that the new system has to be compliant
The Risk Management Framework
Continuous Monitoring is to be implemented by 2017 per OMB M-14-03.
See also: CDM from DHS and GSA.
Control Types
● Administrative
  ○ Guidelines, procedures (Security Policy)
● Technical
  ○ Intrusion detection systems, ACLs (Least Privilege)
● Physical
  ○ Physical (USB, media) access (Separation of Duties)
Practical Benefits of Compliance
● Scanning regularly (CVEs, STIGs, …)
● Keeping LAMP stack up-to-date
● Keeping Drupal up-to-date
● Reviewing logs
● Managing Access Control
● Incident Response Training
● Bastion SSH host and CDN
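An added example, not from the slides, of what "Reviewing logs" and the Logging, Auditing, Monitoring principle look like in practice: a small Python checker that reads Drupal syslog-style log lines and flags source addresses with repeated failed logins inside a sliding window. The log lines are constructed, and the pipe-delimited field order is assumed to match the default format of Drupal's syslog module.

```python
"""Flag repeated failed logins in Drupal syslog-format log lines.

Assumptions (example code, not from the slides or from Drupal itself):
  * field order is base_url|timestamp|type|ip|request_uri|referer|uid|link|message,
    which is the default layout of Drupal's syslog module;
  * lines are in chronological order, as a log file normally is;
  * failed logins are recorded by the user module with a message that
    starts with "Login attempt failed".
"""
from collections import defaultdict, deque

# Constructed sample: one address hammering /user/login, one normal user,
# and one malformed line that the parser must skip rather than crash on.
SAMPLE_LOG = """\
https://example.gov|1470000000|user|203.0.113.7|/user/login||0||Login attempt failed for admin.
https://example.gov|1470000010|user|203.0.113.7|/user/login||0||Login attempt failed for root.
https://example.gov|1470000020|user|203.0.113.7|/user/login||0||Login attempt failed for editor.
https://example.gov|1470000025|user|198.51.100.4|/user/login||0||Login attempt failed for jdoe.
garbage line that does not follow the syslog layout
https://example.gov|1470000030|user|203.0.113.7|/user/login||0||Login attempt failed for test.
https://example.gov|1470000040|user|198.51.100.4|/user/login||12||Session opened for jdoe.
https://example.gov|1470000700|user|203.0.113.7|/user/login||0||Login attempt failed for admin.
"""

FIELDS = ("base_url", "timestamp", "type", "ip", "request_uri",
          "referer", "uid", "link", "message")


def parse_line(line):
    """Split one pipe-delimited line into a dict; return None if malformed."""
    # maxsplit keeps any '|' inside the trailing message field intact.
    parts = line.rstrip("\n").split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    entry = dict(zip(FIELDS, parts))
    try:
        entry["timestamp"] = int(entry["timestamp"])
    except ValueError:
        return None
    return entry


def is_failed_login(entry):
    """True for user-module entries recording a failed login attempt."""
    return entry["type"] == "user" and entry["message"].startswith("Login attempt failed")


def find_bruteforce(lines, threshold=4, window=300):
    """Return {ip: peak_failures} for addresses reaching `threshold`
    failed logins within any `window`-second span."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    flagged = {}
    for raw in lines:
        entry = parse_line(raw)
        if entry is None or not is_failed_login(entry):
            continue
        ip = entry["ip"]
        q = recent[ip]
        q.append(entry["timestamp"])
        # Drop failures that fell out of the window before this one.
        while q and entry["timestamp"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed logins within 300s")
```

The fifth failure from 203.0.113.7 arrives 670 seconds after the burst, so it falls outside the window and is not counted against the earlier run.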
Compliance does not mean Security
Compliance controls provide guidance, but they do not prescribe security practices.
How are they related?
The Onion
1. Network - Ports, VPC, Monitor
2. Infrastructure - Instance OS, CDN, SSH proxy, Load Balancer
3. Application - Drupal, Solr, HTTPD, JavaScript
4. Data - MySQL, Shared Filesystem
Look at each tier of the system to map controls to security practices
Making the onion tasty
What are the most common compliance controls you need to be aware of?
Typical Controls
● AC: Access Control
● IA: Identification and Authentication
● AU: Audit & Accountability
● CM: Configuration Management
● RA: Risk Assessment
The 18 RMF (Risk Management Framework) “Control Families”
Defined in NIST SP 800-37 Rev 4
What is an example?
AC: Access Control
● AC-2 Account Management
● AC-2(5) Inactivity Logout
● AC-5 Separation of Duties
● AC-6 Least Privilege
● IA-5 Authenticator Management
AC: Drupal Solutions
● Roles and Perms
● Autologout
● Password Policy
● TFA / SimpleSAMLPHP
● * Permissions (Field Permissions, Taxonomy Access Control, etc.)
Handout
We have a handout that outlines additional security and compliance recommendations
Current Challenges
CURRENT CHALLENGES
1. Poorly defined best practices
2. Education of developers and reviewers
3. Tools are not robust or comprehensive
4. Tools are not accessible
5. No magic bullet (security is relative to your system)
Fun Stuff
Where do we see security and compliance going?
Innovation at every tier of the onion
The three year ATO cycle is transforming into continuous assurance
Compliance is pushing more into DevOps
Build small, discrete components and automate
Intrusion Detection
Isolate Threats
Minimize Damage
Artificial Intelligence: The Next Frontier
"System predicts 85 percent of cyber-attacks using input from human experts. Virtual artificial intelligence analyst developed by the Computer Science and Artificial Intelligence Lab and PatternEx reduces false positives by factor of 5."
http://news.mit.edu/2016/ai-system-predicts-85-percent-cyber-attacks-using-input-human-experts-0418
Examples
OpenSCAP is free and open source, automated security scanning for operating systems* and selected applications.
*only Red Hat 6 & 7 for now, but can be extended
The GovReady Dashboard puts compliance info in a Drupal report.
*Alpha - Not yet ready for production, but interesting work.
Call To Action
We need to define best practices and build the tools to support it
Open Concept’s Guide: Drupal Security Best Practices
Drupal 8 Security Review: New Plugin System, Code Sprint
Thank you.