Supply Chain Security in Drupal and Composer
Neil Drumm, Tim Lehnen, Christopher Gervais
This session will explore the ongoing work of the Drupal Association to fortify Drupal sites against evolving threats. Beginning with an overview of software supply chain vulnerabilities, we delve into the transformative Auto-Updates Initiative, empowering smaller site operators with tools for seamless updates. We'll survey The Update Framework (TUF) and its protocols to ensure package integrity. We'll then showcase the robust Rugged TUF Server and the Composer TUF plugin, which together help to safeguard the Drupal community. Come see how we're shaping the future of Drupal security.
Prerequisite
- Familiarity with how Composer is used to install package dependencies
- Basic understanding of deployment processes
- Basic understanding of web application security fundamentals
- Knowledge of Drupal deployment and update best-practices would be beneficial.
Target Audience
Drupal developers, site administrators, security professionals, PHP developers, DevOps engineers, technical decision-makers, and researchers interested in software supply chain security and best practices.
Outline
The developers behind the Rugged TUF Server will provide a comprehensive overview of the efforts and initiatives undertaken by the Drupal Association to address software supply chain attacks and enhance the security of Drupal sites.
1. Introduction: What is a software supply chain? What are software supply chain attacks? How are Drupal sites vulnerable to such attacks?
2. The Auto-Updates Initiative: The Drupal Association has been a leader in developing solutions to address these threats. Chief among these is the development of tools to help smaller Drupal site operators keep their sites up-to-date.
3. The Update Framework (TUF): Coming from an academic analysis of supply chain attack vectors, the TUF Specification outlines protocols for generating metadata that can be used by clients to verify that the packages they are downloading haven't been tampered with by bad actors.
4. Composer TUF Extension: The Drupal Association sponsored the development of an extension to Composer that verifies each module, theme and profile downloaded from drupal.org.
5. Rugged TUF Server: The Drupal Association also sponsored the development and security audit of the Rugged TUF Server. Its architecture was designed to keep the signing keys used in generating TUF metadata isolated and secure, while keeping up with the needs of the drupal.org packaging pipeline.
Learning Objectives
- Better understand the threats of software supply chain attacks
- Learn best-practices for securing Drupal sites against supply chain attacks
- Learn how the Drupal Association has been building solutions that will protect the entire Drupal community from supply chain attacks
Experience level
Intermediate