
Automatic Security Testing with Static and Dynamic Analysis

Submitted by bjaspan on Wed, 07/02/2008 - 17:10.

Session recording

Session time: 08/30/2008 - 15:00 - 08/30/2008 - 15:45

Overview

Most Drupal security vulnerabilities are discovered via manual code reviews or by accident. This session will introduce two automated approaches to detecting Cross-Site Scripting (XSS) and SQL Injection (SQLi) security vulnerabilities and present progress to date in applying them to Drupal.

Dynamic Analysis, or "data tainting," involves tagging actual data received from untrusted sources within a running program as "tainted," propagating the taintedness to any data derived from tainted data, and detecting when tainted data is used in dangerous circumstances. For example, data tainting would detect when any data derived from unsanitized GET request parameters is output within HTML.

Static Analysis involves performing data-flow analysis directly on source code to detect when certain kinds of security vulnerabilities are possible. Like Dynamic Analysis, it uses a data tainting model, but instead of operating within a live running program on real data it studies all possible code paths within a program to identify potential problems.
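The tag/propagate/detect cycle described above, modelled as an added example in Python rather than PHP (this is not Taint PHP or Drupal code): untrusted GET parameters are tagged, taint survives concatenation, a check_plain-style escaper clears it, and the HTML and database sinks refuse anything still tainted. The Tainted class, concat, check_plain, html_output and db_query names are assumptions of this sketch.

```python
import html

class Tainted(str):
    """A string tagged as originating from an untrusted source (e.g. a GET parameter)."""

class TaintViolation(Exception):
    """Raised when tainted data reaches a dangerous sink unsanitized."""

def taint(value):
    return Tainted(value)

def is_tainted(value):
    return isinstance(value, Tainted)

def concat(*parts):
    # Propagation: the result is tainted if any input was tainted.
    joined = "".join(str(p) for p in parts)
    return Tainted(joined) if any(is_tainted(p) for p in parts) else joined

def check_plain(value):
    # Sanitizer (assumed, modelled on HTML escaping): escaping removes taint for the HTML sink.
    return html.escape(str(value), quote=True)

def html_output(value):
    # Sink: tainted data in HTML output is a potential XSS, so refuse it.
    if is_tainted(value):
        raise TaintViolation("tainted data reached HTML output: %r" % str(value))
    return str(value)

def db_query(sql):
    # Sink: tainted data in query text is a potential SQLi, so refuse it.
    if is_tainted(sql):
        raise TaintViolation("tainted data reached the database: %r" % str(sql))
    return str(sql)

def render_greeting(get_params, sanitize=True):
    # Source: every request parameter starts life tainted.
    name = taint(get_params.get("name", ""))
    safe_name = check_plain(name) if sanitize else name
    return html_output(concat("<p>Hello, ", safe_name, "</p>"))

def lookup_user(get_params):
    # Building SQL by concatenating a raw parameter keeps the taint on the whole query.
    return db_query(concat("SELECT uid FROM users WHERE name = '", taint(get_params["name"]), "'"))

if __name__ == "__main__":
    # Constructed sample request; the markup is harmless and only shows escaping at work.
    print(render_greeting({"name": "<b>Bob</b>"}))
```

Running the escaped path prints the greeting, while render_greeting(..., sanitize=False) and lookup_user raise TaintViolation because raw parameter data reached a sink.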

Agenda

* Conceptual introduction to Dynamic Analysis and Static Analysis
* Advantages and disadvantages of each approach
* Current progress and results with Drupal
** System-wide data tainting using Taint PHP
** Using the Schema API for accurate database tainting
** Development of Taint Trace for easier debugging
** "Run-time static analysis" of Drupal Input Formats

Goals

Attendees will learn how Static and Dynamic Analysis can work to improve program security by automatically detecting XSS and SQLi vulnerabilities.

Resources

This session requires only basic PHP development skills. All Drupal module developers are qualified and encouraged to attend.

State of Drupal

Submitted by Dries on Wed, 07/02/2008 - 09:47.

Session recording

Session time: 08/27/2008 - 09:00 - 08/27/2008 - 10:30

An update on the State of Drupal.

Summer of Code Showcase

Submitted by webchick on Sat, 06/21/2008 - 15:15.

Session recording

Session time: 08/29/2008 - 09:00 - 08/29/2008 - 10:30

Overview

This session will show off the results of Drupal's Google Summer of Code 2008 projects. Students who make it to Drupalcon will be demoing their own projects, and we'll also show off projects from the students who can't be there.

Agenda

The following projects will be shown during the course of the session, as time permits.

Goals

This session will allow Summer of Code students to show off their hard work, and for the Drupal community to get a first-hand look at all the cool stuff that was produced over the summer. Summer of Code students typically make excellent employees as well, for those looking to hire. ;)

---

NOTE TO ORGANIZERS: I put down "90 minutes" because that'd be a much more comfortable time frame during which to show off 21 projects. But every other year we've managed to do it in 60, so if 90 minute slots are short, you can push the time allotment back.

Drupalchix

Submitted by webchick on Sat, 06/21/2008 - 14:31.

Session time: 08/27/2008 - 16:00 - 08/27/2008 - 16:45

This will just be an informal gathering of the women who make it to Drupalcon: the Drupalchix (also known as the "7% club" ;)).

We did this in Barcelona and Boston, and it was awesome. :D

Topics might include things like:
* What are our various backgrounds/experiences prior to coming to Drupal?
* What is it that we’re currently working on?
* What have our experiences in the community been like?
* What can we do to encourage more women in open source/Drupal specifically?