Project a Secure Web 2.0 (with Drupal)
paolo.ottolino
Synopsis and Objectives: Web 2.0 is extremely powerful, offering a large number of different features and continuously demanding new ones. Nowadays it is no longer possible to build a Web 1.0 website. Web 2.0 is a requirement: cloud-ready, multi-device, handy for UX/UI design, etc. The only way to accomplish that is by means of a highly structured CMS product (like Drupal), a software application; but it is prone to vulnerabilities and misconfigurations. Since the web is constantly exposed to threats and was not designed with "security in mind", enforcing a "Secure Web 2.0" is needed. Security should be addressed thoroughly from the beginning, as (one of) the strongest constraints. Security should be correctly designed. Using Drupal is the first step. Then security should be managed. This session explains how. The proposed approach leads to a "project aimed at security", by means of:

- Web 2.0 Risk Governance: strategy for DevOps and Security (applied to the company the site is developed for)
- Web 2.0 Security: Risk-Threat-Vulnerability Map (applied to the site currently being built)
- Web 2.0 Architecture: "All that is not there, it does not break" (Henry Ford), "... it does not weigh" (Colin Chapman), "... it does not cost" (Ratan Tata)
- CMS (un)likeness: reasoning on OWASP to identify the main properties to compare
- CMS skimmer: identifying patching as (one of) the most important functionalities to be compared
- CMS selection: considering all the project phases (Design, Develop, Deploy, Maintain, Optimize)
This talk is useful for both Drupal 7 and Drupal 8.