Server administrator

Overview

Most Drupal security vulnerabilities are discovered via manual code reviews or by accident. This session will introduce two automated approaches to detecting Cross-Site Scripting (XSS) and SQL Injection (SQLi) security vulnerabilities and present progress to date in applying them to Drupal.

Dynamic Analysis, or "data tainting," involves tagging actual data within a running program received from untrusted sources as "tainted," propagating the taintedness to any data derived from tainted data, and detecting when tainted data is used in dangerous circumstances. For example, data tainting would detect when any data derived from unsanitized GET request parameters is outputted within HTML.

Static Analysis involves performing data-flow analysis directly on source code to detect when certain kinds of security vulnerabilities are possible. Like Dynamic Analysis it uses a data tainting model but instead of operating within a live running program on real data it studies all possible code paths within a program to identify potential problems.

Agenda

* Conceptual introduction to Dynamic Analysis and Static Analysis
* Advantages and disadvantages of each approach
* Current progress and results with Drupal
** System-wide data tainting using Taint PHP
** Using the Schema API for accurate database tainting
** Development of Taint Trace for easier debugging
** "Run-time static analysis" of Drupal Input Formats

Goals

Attendees will learn how Static and Dynamic Analysis can work to improve program security by automatically detecting XSS and SQLi vulnerabilities.

Resources

This session requires only basic PHP development skills. All Drupal module developers are qualified and encouraged to attend.

An update on the State of Drupal.

Overview

This session will show off the results of Drupal's Google Summer of Code 2008 projects. Students who make it to Drupalcon will be demoing their own projects, and we'll also show off projects from the students who can't be there.

Agenda
The following projects will be shown during the course of the session, as time permits.

• Apache Solr Improvements
• New Aggregator for Drupal core
• Bookings API
• Charts module Views integration
• Color module improvements
• Document Import Module
• Embed Widgets
• Revamped Help system
• Icon module
• Image manipulation GUI
• Memetracker
• New nodequeue sub-modules
• OAuth/Services module integration
• Open ID Attribute Exchange
• PluginManager
• Core search improvements
• Security scanner
• Usability Suite
• Validation API
• Version Control API / Project module integration
• Views datasources

Goals

This session will allow Summer of Code students to show off their hard work, and for the Drupal community to get a first-hand look at all the cool stuff that was produced over the summer. Summer of Code students typically make excellent employees as well, for those looking to hire. ;)

---

NOTE TO ORGANIZERS: I put down "90 minutes" because that'd be a much more comfortable time frame during which to show off 21 projects. But every other year we've managed to do it in 60, so if 90 minute slots are short, you can push the time allotment back.

This will just be an informal gathering of the women who make it to Drupalcon: the Drupalchix (also known as the "7% club" ;)).

We did this in Barcelona and Boston, and it was awesome. :D

Topics might include things like:
* What are our various backgrounds/experiences prior to coming to Drupal?
* What is it that we’re currently working on?
* What have our experiences in the community been like?
* What can we do to encourage more women in open source/Drupal specifically?