Defense in Depth: Lessons learned securing 100,000 Drupal Sites

Heartbleed, Shellshock, POODLE, Drupalgeddon and GHOST. How is it possible to secure my website in the face of the hackzor onslaught?

Every piece of software in your stack adds attack surface that can be compromised, so you have to think about security at every layer, from the OS to the JS and beyond. When securing your website, you need to think about breadth as well as depth; there's no use in having three deadbolts, a pit bull and a portcullis on your front door while leaving your porch door unlocked.

We'll start at the 10,000-foot level, reviewing the risks and business drivers behind website security, then zoom in for a bird's-eye view of security best practices, and finally deep-dive on a few of the most effective attack mitigation strategies.

Topics we will cover:

What security means for your business: compliance and risk management
The security triad: Confidentiality, Integrity, and Availability
OWASP Top 10
Evaluating hosting options based on security
Securing your operating system
Configuring Nginx and Apache for security
Understanding ‘contrib’ module security
Configuring Drupal for security
How to address DoS with a CDN (a battle of three-letter acronyms)
Data encryption
Key Management (Don’t tape your key to the front door)
PII - What is it and why does it matter?
Securing your users: Password security and best practices
Real world scenarios

This session is a follow-up to the sessions presented at DrupalCon Los Angeles and DrupalCon Barcelona.

https://2015.badcamp.net/session/defense-depth-lessons-learned-securing-100000-drupal-sites

Drupal is a registered trademark of Dries Buytaert.