Autopsy of Vulnerabilities
On March 28th, a security update was published to mitigate a critical vulnerability on all Drupal versions. D8, D7, D6, even D5! received patches, so our sites are secured against the threat.
On October 15th, 2014, Drupal core version 7.32 was published including a patch for a critical SQL injection vulnerability which allowed an anonymous user to access directly to site database. Every site not patched within the 7 hours after the public announcement was considered as hacked.
This kind of announcements are common, and best practices strongly recommend paying attention to security bulletins of all components included on our project. Every time a patch is published, we run to apply it and feel "safe" until the next vulnerability is announced, but... what are we applying to our code? How does the "vaccine" work to prevent our website from being attacked? And the attack, what kind of magic ritual is done by hackers to access the internals of our project?
The goal of this session is to explore some common vulnerabilities in the Drupal and PHP world, explaining how the most frequent attacks work, as well as the countermeasures and patches used to reduce the risk. The target public is people with Drupal and PHP coding skills, and they will understand how hacking techniques work against their code once deployed to production, so they can learn to prevent potential attacks and feel more (in)secure.
About the speaker
My name is Ezequiel "Zequi" Vázquez, and I am developer at Lullabot. I am specialized on PHP and Drupal backend development, with strong background on DevOps, interested in high performance websites and with big passion for IT security. I have been speaker twice on DrupalCon Europe, once on past year's Drupal Developer Days and five times on DrupalCamp Spain, plus I frequently collaborate with local universities and meet-ups to speak about Drupal and IT security.