Calling all CMS users: web security is also your responsibility!

jaesonyoo

In 2015, it was reported that approximately 25% of all websites on the World Wide Web were built using WordPress. WordPress caters to less tech-savvy end users who want to create simple blogging websites or use a user-friendly UI to create online content. Because of the type of audience that major CMS providers such as WordPress attract, web hackers try to take advantage of the opportunity to attack users who are not versed in web security. Coupled with the fact that WordPress is also one of the most targeted and attacked CMS platforms, CMS security should be of utmost importance for all users and stakeholders. Drupal as a CMS is primarily created for the seasoned and tech-savvy user, so system security is a major priority for Drupal developers and users. However, as web attacks grow in sophistication, all CMS users should be cognizant of the dangers of web attacks that target their respective CMS platforms. Nothing is a safe bet in the game of cybersecurity. Thus, all CMS users should be aware of the security solutions that are available to them in order to maximize their web security.

Attendees will gain a better understanding of how best to secure Drupal websites with regard to IT system structure and the corresponding security measures. They will learn the importance of the application layer (layer 7) in today’s computing systems and networks, and how web applications can present a litany of security concerns. Additionally, we will provide insight into popular questions that users may ask, such as:

  • What are the security aspects of Drupal and Acquia in terms of securing the application layer, and how are they helping your websites?
  • What’s the difference between Acquia Cloud Shield and Acquia Cloud Edge Protect?
  • What other solutions are available in the market, including Amazon Web Services Web Application Firewall (AWS WAF) and more?
  • If cybersecurity should be scalable, how can that be accomplished?

Lastly, the session will provide a checklist for building safer websites, a recent web attack trends infographic, and practical security guidelines for websites built on Drupal and Acquia.

A more detailed outline follows:

1. Why CMS websites are getting hacked.

  • Famous CMS (Drupal/WordPress/Joomla) hacking incidents
  • Is Drupal particularly vulnerable? The industry types for Drupal websites (government, hospitals, banks, etc.)

2. Can I build an invincible Drupal website?

  • The importance of application layer security. What about Acquia’s layer 7 security?
  • What’s available for this? What does AWS WAF lack? Why is it not usable?
  • What makes a scalable security solution?

3. What it takes for you to build an invincible Drupal website

  • Your Drupal site relies on underlying infrastructure. Who’s liable for a crashed or vulnerable website? What does the quote from Acquia’s technical consultant, “Security is also the responsibility of the application owner,” suggest? Web hosting providers are responsible for keeping their servers secure, keeping the data centers up and running, and handling heavy traffic seamlessly. Infrastructure and platform providers are doing their jobs, and YOU are liable for your own data. That’s the concept of shared responsibility between the application owner and the vendors.
  • What CMS should you choose? A CMS solution that secures the network layer and the server system layer. You’ve come to the right place, as Drupal and Acquia satisfy these categories.
    • Drupal’s security compliance
    • Acquia’s security aspects and its reliance on AWS infrastructure
  • What about the application layer? You cannot blame Drupal for your data leakage. As application owners and developers, everyone on your team should understand the importance of building a secure website, dedicate themselves to secure coding and security testing, execute proper access management, and utilize appropriate security solutions (e.g. WAF) to withstand any sort of vulnerability.

4. Any suggestions for my website built on Drupal and Acquia?

  • After all, you want sites that resist all cyber-attacks, scale indefinitely to any traffic volume, stay operational during disasters, and prove resistant to coding errors. Let’s see how close you are with the checklist here.
  • Database encryption is also recommended.
  • Acquia Cloud Edge does protect the application layer, but you need a web application firewall with low false positive rates in order to maximize the deterrence of web attacks.

Session Track

DevOps

Experience Level

Beginner

Drupal Version