Sunday, August 3, 2014

DrupalCamp Colorado 2014: Day 1 Session Notes - Part 2

Session 3: Intro to Front-End Ops

Presenter: Ryan McVeigh @rymcveigh

Very interesting and funny presenter, very energetic about the different libraries you can use to improve your daily tasks.

  • Speed is the metric we measure by
  • Speed of application (app or web page)
  • Speed of tools
  • Speed of the development

 
Why do FEOps on top of your regular job?
  • Mature FEOps benefit the people who don't have time to think about this stuff
  • The less repetitive work you do by hand, the fewer mistakes you make
Basic Automation Tools
  • Yeoman - scaffolding tool for modern web apps; builds the skeleton of an app faster by asking you a series of questions
    • generator-drupal-theme: a Yeoman generator that scripts the creation of a Drupal theme from a series of questions
  • Grunt - task runner; watches the application during development and runs the tasks you define
    • Less, Sass, CoffeeScript, Stylus, JSHint, Handlebars
  • Gulp - another task runner, faster than Grunt because it runs tasks concurrently and streams files between them instead of writing intermediate files to disk (noticeable on Compass/Sass compiles)
    • very fast to learn, streamlined, configured in plain JavaScript
  • Bower - package manager for the web
    • configured with a JSON manifest (bower.json); very minimal and fast
Testing Tools
  • QUnit - JavaScript unit-testing framework; run the suite after changes to make sure nothing is broken
  • Gremlins.js - monkey testing: attacks the site with tons of random clicks, scrolls and form events rather than a predefined script
  • Selenium - drives a real browser to test dropdowns, form elements and other defined tasks
  • CasperJS - navigation testing (scripted page flows)
Performance Tools - both will check your site, rate it and recommend improvements
  • Pingdom
  • PageSpeed

Session 4: Drupal 8 for Drupalistas

Presenter: Diana Dupuis from Amazee Labs @dianadupuis

Site building
  • Drupal 8 is not ready yet; bugs are plenty, and documentation and code contributions are needed and encouraged.
  • Changes: blocks now have fields and types; configuration management improvements over Features; form and full display modes without needing Display Suite; better built-in translation features
Theming and Twig
  • No more template.php; configuration moves to YAML files, and the .info.yml file is touchy about spacing
  • No more drupal_add_js; JavaScript and CSS are declared in a libraries YAML file
  • Twig has a prescribed way of naming templates and suggests how to organize your files
  • SASS is integrated
  • Structure - there is now a core folder and a top-level modules folder; you place contributed modules there instead of under sites/all

Session 5: Attacking Drupal

Presenter: Greg Foss +Greg Foss @heinzarelli
Slides: GitHub.com/gfoss/attacking-drupal

Why Drupal
  • Widely used; attackers are becoming more interested as higher-profile sites adopt it.
Intelligent fingerprinting
  • CMS Explorer - enumerates installed modules and themes and looks up known security issues for them
  • BlindElephant - fingerprints the exact core version (by hashing static files that change between releases), which CMS Explorer does not do
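The two scanners above automate checks you can read straight off a stock Drupal 7 response. The Python below is an added example, not code from the talk or the slides: it runs those checks over constructed sample responses (no network), taking the major version from the X-Generator header or generator meta tag, the exact release from CHANGELOG.txt, and contributed module names from asset paths under sites/*/modules. The response bodies, the version number and the module names are made up for the example.

```python
import re

# Constructed sample responses standing in for what a scanner fetches from a
# target. They mimic a stock Drupal 7 site: the X-Generator header and the
# generator meta tag, a world-readable CHANGELOG.txt, and contrib asset paths.
SAMPLE_RESPONSES = {
    "/": {
        "status": 200,
        "headers": {"X-Generator": "Drupal 7 (http://drupal.org)"},
        "body": (
            '<html><head>'
            '<meta name="generator" content="Drupal 7 (http://drupal.org)" />'
            '<link rel="stylesheet" href="/sites/all/modules/views/css/views.css?nlz" />'
            '<script src="/sites/all/modules/ctools/js/ctools.js?nlz"></script>'
            '</head></html>'
        ),
    },
    "/CHANGELOG.txt": {
        "status": 200,
        "headers": {},
        "body": "Drupal 7.28, 2014-05-08\n-----------------------\n- Fixed ...\n",
    },
}

GENERATOR_HEADER = re.compile(r"Drupal (\d+)")
GENERATOR_META = re.compile(r'name="generator" content="Drupal (\d+)')
CHANGELOG_VERSION = re.compile(r"^Drupal (\d+\.\d+)")
CONTRIB_MODULE = re.compile(r'/sites/[^"\s]*?/modules/([a-z0-9_]+)/')


def fingerprint(responses):
    """Return what a stock Drupal site leaks about itself.

    major   - core major version, from the X-Generator header or meta tag
    exact   - exact release, from the first line of CHANGELOG.txt (if served)
    modules - contributed module names seen in asset paths on the front page
    """
    result = {"major": None, "exact": None, "modules": set()}

    root = responses.get("/", {})
    header = root.get("headers", {}).get("X-Generator", "")
    body = root.get("body", "")
    match = GENERATOR_HEADER.search(header) or GENERATOR_META.search(body)
    if match:
        result["major"] = int(match.group(1))

    changelog = responses.get("/CHANGELOG.txt", {})
    if changelog.get("status") == 200:
        match = CHANGELOG_VERSION.match(changelog.get("body", ""))
        if match:
            result["exact"] = match.group(1)

    result["modules"].update(CONTRIB_MODULE.findall(body))
    return result


if __name__ == "__main__":
    print(fingerprint(SAMPLE_RESPONSES))
```

Deleting CHANGELOG.txt (or denying it in .htaccess) only blinds the first check; BlindElephant's approach of hashing static files such as those under misc/ still pins the release, so treat the version as public and keep core patched rather than relying on hiding it.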
GitHub hack
  • Search GitHub for committed settings.php files: the hash salt strings and database credentials in them can expose passwords and more
  • Use .gitignore so you do not accidentally push something to GitHub that you shouldn't have
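A pre-commit gate is the practical form of the .gitignore advice. The Python below is an added example, not from the talk or from Drupal: it scans staged file contents for the two secrets a Drupal 7 settings.php carries ($drupal_hash_salt and the database password) and checks that a .gitignore still contains the three patterns Drupal 7's own example.gitignore uses. The sample settings.php, its credentials, the salt and the sample .gitignore are all constructed for the example.

```python
import re

# Secrets a Drupal 7 settings.php carries. $drupal_hash_salt feeds one-time
# login links and form tokens, so leaking it alongside database credentials
# is what makes the "GitHub hack" worth an attacker's time.
SECRET_PATTERNS = {
    "drupal_hash_salt": re.compile(r"\$drupal_hash_salt\s*=\s*['\"]([^'\"]{8,})['\"]"),
    "db_password": re.compile(r"['\"]password['\"]\s*=>\s*['\"]([^'\"]+)['\"]"),
}

# The patterns Drupal 7's example.gitignore uses for files that must never be committed.
REQUIRED_IGNORES = ["sites/*/settings*.php", "sites/*/files", "sites/*/private"]

# Constructed sample settings.php; the credentials and salt are made up.
SAMPLE_SETTINGS = """<?php
$databases = array(
  'default' => array(
    'default' => array(
      'database' => 'drupal',
      'username' => 'drupal',
      'password' => 'hunter2',
      'host' => 'localhost',
      'driver' => 'mysql',
    ),
  ),
);
$drupal_hash_salt = 'Vdm8b1bn0kTuy3rH_Z3GsRJ7oyIWcVuVwgRRQ2pZqKQ';
"""

# Constructed sample .gitignore that forgot the private files directory.
SAMPLE_GITIGNORE = """# Drupal
sites/*/settings*.php
sites/*/files
"""


def find_secrets(text):
    """Return (kind, redacted_value) for every secret found in a settings file."""
    findings = []
    for kind, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append((kind, match.group(1)[:4] + "..."))  # never echo the full secret
    return findings


def missing_ignores(gitignore_text):
    """Return the Drupal ignore patterns that are absent from a .gitignore."""
    present = {line.strip() for line in gitignore_text.splitlines()
               if line.strip() and not line.lstrip().startswith("#")}
    return [pattern for pattern in REQUIRED_IGNORES if pattern not in present]


def precommit_check(staged):
    """Pre-commit gate over staged = {path: contents}.

    Returns a list of problems; an empty list means the commit may proceed.
    """
    problems = []
    for path, contents in staged.items():
        if path.endswith(".gitignore"):
            for pattern in missing_ignores(contents):
                problems.append(f"{path}: missing ignore pattern {pattern}")
        for kind, redacted in find_secrets(contents):
            problems.append(f"{path}: contains {kind} ({redacted})")
    return problems
```

Wire it into .git/hooks/pre-commit by feeding it the output of git diff --cached --name-only, and remember that a salt or password that was already pushed stays in the repository history after the file is deleted: rotate both.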

Gaining access
  • If you have SSH access to the server, use Drush: drush uli prints a one-time login link for user 1 (the site admin), so you are in without knowing the password. OMG.
  • User enumeration - try usernames against the login and password-reset forms until Drupal's error message confirms that the account exists
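Seen from the defender's side, enumeration is a burst of password-reset or login POSTs from one client. The Python below is an added example, not from the talk: it parses a few constructed Apache combined-log lines and flags any IP with many rejected attempts on Drupal's login or reset paths. It assumes clean URLs and Drupal 7 behaviour in which a rejected name re-renders the form (HTTP 200) while an accepted one redirects (HTTP 302), so a long run of 200s followed by a 302 from one IP is a username being confirmed. The IPs, timestamps and user agents are made up.

```python
import re
from collections import defaultdict

# Apache combined log format; fields we do not need are skipped.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Drupal paths whose responses can confirm or deny that a username exists.
ENUMERATION_PATHS = {"/user/password", "/user/login", "/user"}


def make_sample_log():
    """Constructed log: 203.0.113.7 tries twelve names against the reset form,
    then hits one that exists; 198.51.100.4 is an ordinary user."""
    fmt = ('{ip} - - [03/Aug/2014:10:{minute:02d}:00 -0600] '
           '"{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"')
    lines = [fmt.format(ip="203.0.113.7", minute=m, method="POST", path="/user/password",
                        status=200, ua="python-requests/2.3.0") for m in range(12)]
    lines.append(fmt.format(ip="203.0.113.7", minute=12, method="POST", path="/user/password",
                            status=302, ua="python-requests/2.3.0"))
    lines.append(fmt.format(ip="198.51.100.4", minute=13, method="POST", path="/user/password",
                            status=302, ua="Mozilla/5.0"))
    lines.append(fmt.format(ip="198.51.100.4", minute=14, method="GET", path="/node/1",
                            status=200, ua="Mozilla/5.0"))
    return "\n".join(lines)


def enumeration_suspects(log_text, threshold=10):
    """Return {ip: {"rejected": n, "confirmed": m}} for clients with at least
    `threshold` rejected attempts on the login/reset forms.

    Assumption (Drupal 7 with clean URLs): a POST that re-renders the form
    returns 200 (name rejected); a POST that succeeds redirects with 302
    (name confirmed to exist).
    """
    counts = defaultdict(lambda: {"rejected": 0, "confirmed": 0})
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if not match or match["method"] != "POST":
            continue
        path = match["path"].split("?", 1)[0]
        if path not in ENUMERATION_PATHS:
            continue
        if match["status"] == "200":
            counts[match["ip"]]["rejected"] += 1
        elif match["status"] == "302":
            counts[match["ip"]]["confirmed"] += 1
    return {ip: c for ip, c in counts.items() if c["rejected"] >= threshold}


if __name__ == "__main__":
    print(enumeration_suspects(make_sample_log()))
```

The rate is the durable signal: once you harden the reset form's messages the status codes may change, but a client cycling through usernames still stands out. Alert on it rather than auto-blocking, since a help-desk IP can trip the same threshold.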
What to do?
  • Integrate the security team early in development; test after major changes and have a third party test periodically
  • Harden the application, PHP and the server
  • Two-factor authentication
  • CAPTCHA - do not omit the challenge on login and registration forms
  • Username Enumeration Prevention module
  • Password requirements
  • Restrict the text formats available on comments
  • Upload files - no PHP; PDFs can carry exploits too (the .htaccess Drupal writes into the files directory fixes script execution there)
  • Turn off development modules (Devel etc.) in production
  • Install the Security Review module
  • Install the Paranoia module (disables the PHP filter and other dangerous settings)
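The upload bullets come down to two controls Drupal 7 already applies and that any custom upload handler should copy. The Python below is an added example, not code from the talk or from Drupal: it reimplements Drupal's filename munging (the final extension must be on the allow-list, and every inner extension that is not on the list gets an underscore appended) and carries, as a string, the directives Drupal 7's file_create_htaccess() writes into sites/default/files/.htaccess so Apache never executes what lands there (quoted from memory; compare with includes/file.inc in your checkout). The allow-list and the filenames are made up.

```python
# Directives Drupal 7 writes into the files directory's .htaccess. They are
# the second layer: even if a script slips past the filename checks, Apache
# will not hand it to PHP.
FILES_HTACCESS = """\
# Turn off all options we don't need.
Options None
Options +FollowSymLinks

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
"""


def munge_filename(filename, allowed_extensions):
    """Mirror of Drupal's file_munge_filename() plus the final-extension check.

    allowed_extensions is a space-separated allow-list such as "jpg png pdf".
    Raises ValueError when the final extension is not allowed; otherwise
    returns the name with an underscore appended to every inner part that is
    not on the list, so "shell.php.jpg" becomes "shell.php_.jpg" and no
    ".php" extension remains anywhere in the name for Apache to match on.
    """
    allowed = {ext.lower() for ext in allowed_extensions.split() if ext}
    filename = filename.replace("\0", "")  # null bytes truncate names in C-based stacks
    parts = filename.split(".")
    if len(parts) < 2:
        raise ValueError("file has no extension")
    base, inner, final = parts[0], parts[1:-1], parts[-1]
    if final.lower() not in allowed:
        raise ValueError(f"extension .{final} is not allowed")
    munged = base
    for part in inner:
        munged += "." + part
        if part.lower() not in allowed:
            munged += "_"
    return munged + "." + final


def safe_upload_name(filename, allowed_extensions="jpg jpeg png gif pdf"):
    """Return (ok, name_or_reason) so a caller can log why an upload was refused."""
    try:
        return True, munge_filename(filename, allowed_extensions)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for name in ("photo.jpg", "shell.php.jpg", "evil.php", "report.2014.pdf"):
        print(name, "->", safe_upload_name(name))
```

Munging only fixes the name, so keep the .htaccess in place (or the equivalent nginx location block with no PHP handler) and keep the PHP filter module off. Neither helps against a malicious PDF that a visitor's browser renders; serving downloads with Content-Disposition: attachment, or from a separate files domain, limits that.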
Greg followed up some of his tips with a video of himself hacking a dev site. Greg is one scary guy lol!
