Restrict FROM address with AWS SES domain identities

If you are working with an application that sends email, you’ve probably come across “DKIM” which is cryptographic signing of emails to prevent impersonation of people within an organisation. Unfortunately AWS SES only supports DKIM signing for domain identities - not single-address identities. This means even if your application only sends email from a single address such as contact@example.com - to set up DKIM you need the entire example.com domain verified....

November 9, 2022

Securing Drupal on Kubernetes

Video Slides

March 20, 2020

How to generate temporary download links to S3 objects

S3 has a feature which allows you to generate signed URLs which are valid only for a predefined period of time. This makes it much safer to distribute URLs via email, Slack, etc. Process: Find the object in the S3 console and note the bucket name and object path. Ensure your AWS credentials are loaded into your environment. Use the AWS CLI to create a pre-signed URL: # TTL is the number of seconds until the URL expires....

March 5, 2019

AWS KMS cryptographic operations on the command line

AWS KMS is a managed service for cryptographic functions in AWS. This service allows you to offload the tough job of key lifecycle management to Amazon. These snippets will allow you to perform basic cryptographic functions - encrypt, decrypt, and rewrap. It is assumed you already have a KMS key provisioned, and you have an IAM user with permissions to perform the relevant operations. Encrypt the Contents of a File: This command encrypts the contents of contents....

February 28, 2019

Encrypted Drupal Database Connections with Amazon RDS

Originally posted 2018-08-08 on the PreviousNext blog. With attackers and data breaches becoming more sophisticated every day, it is imperative that we take as many steps as practical to protect sensitive data in our Drupal apps. PreviousNext use Amazon RDS for our MariaDB and MySQL database instances. RDS supports SSL encryption for data in transit, and it is extremely simple to configure your Drupal app to connect in this manner....

August 8, 2018

Can You Keep a Secret? - Bucharest, 2018

Slides Resources Check out my post from the original talk for the resources shown in this presentation. Photo credit: @technerdteitzel.

June 10, 2018

HashiCorp Vault for Drupalers

Securely managing application secrets can be challenging - especially in complex, multi-datacenter environments. Many common secret management tools and services only solve specific use cases, and are often coupled to specific cloud providers. HashiCorp Vault is an open-source secret management tool designed to support distributed applications and infrastructure as first-class citizens. It provides powerful features such as: centralised secret storage, dynamic secrets, Encryption as a Service, identity brokering, access control management, and audit logging. This session will introduce some important Vault concepts and operational considerations, before diving into a technical demonstration of the current Drupal integration capabilities....

June 8, 2018

Securing Drupal: Storing API Tokens in Lockr

Originally posted 2017-11-24 on the PreviousNext blog. Even tech giants like Uber are bitten by poor secret management in their applications. The snippet below describes how storing AWS keys in their repository resulted in a data breach, affecting 57 million customers and drivers. Here’s how the hack went down: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company....

November 24, 2017

Can You Keep a Secret? - Auckland, 2017

Every Drupal application has its secrets - and I don’t mean that dodgy code you wrote during an all-nighter. Database credentials, API keys, personally identifiable information - a secret is any data which could cause harm to your organisation if exposed. This session will introduce the concepts of secrets and secret management, before moving onto practical examples of securely storing secrets in Drupal. Video: Unfortunately the recording doesn’t include the slides; see below if you would like to reference them....

November 16, 2017