Monday, September 7, 2009

Drupal Security, Part 3

After hardening our Web server, I revisited the subject of hardening Drupal. There are many topics to consider, but the single most important is keeping Drupal core and contributed modules up to date. In the default configuration, Drupal's Update status module periodically checks drupal.org for newer releases of core and of every installed module and theme; heed any warnings on the administrative status report and "Available updates" pages (Administer > Reports) by upgrading the indicated modules as soon as possible, since most Drupal security advisories are fixed only by moving to the new release. It's a good idea to subscribe to Drupal's security announcements email list or to follow Drupal security on Twitter in order to receive timely alerts; an update check that runs once a day or once a week can lag an advisory by that long.

The official Drupal site features a wealth of information on how to set up a secure site. The chapter on best practices and the section on secure configurations are good places to start. Once those concepts are incorporated, the next step is to install any appropriate security-oriented modules, such as Login Security and Persistent Login. There are currently over 100 such modules available, so it could take a while to determine which are best suited for a particular application, and each one adds code that must itself be kept up to date. Invest the time.

Before writing any modules or adding PHP code snippets, read the chapter on writing secure code. It covers the common vulnerability classes (cross-site scripting, SQL injection, cross-site request forgery, and access bypass) and how to use the Drupal APIs that prevent them: check_plain(), filter_xss() and the t() placeholders for output, the %d and %s placeholders of db_query() for database access, the Form API (which adds its own anti-CSRF token) for user input, and 'access arguments' in hook_menu() for page callbacks. Note that a PHP snippet entered through the PHP input format runs with the full privileges of the web server, so that format should be restricted to trusted administrators. The chapter on coding standards is also useful.
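As an added example, not code from the original post or from the Drupal project, here is a minimal Drupal 6 module that defines one page callback written the insecure way and the same callback rewritten with the APIs the secure-coding chapter describes. The module name secure_example, its permission name, and the q_term query parameter are assumptions chosen for the illustration.

```php
<?php
// secure_example.module (hypothetical module name) -- Drupal 6 API.
// Two page callbacks over the same data: one vulnerable, one hardened.

/**
 * Implementation of hook_menu().
 */
function secure_example_menu() {
  $items = array();
  // Insecure: 'access callback' => TRUE makes the page reachable by anyone,
  // including anonymous users, with no permission check at all.
  $items['secure-example/unsafe'] = array(
    'title' => 'Unsafe search',
    'page callback' => 'secure_example_unsafe_page',
    'access callback' => TRUE,
    'type' => MENU_CALLBACK,
  );
  // Hardened: access is gated on a permission declared in hook_perm(),
  // so the site administrator decides which roles may use the page.
  $items['secure-example/safe'] = array(
    'title' => 'Safe search',
    'page callback' => 'secure_example_safe_page',
    'access arguments' => array('use secure example search'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Implementation of hook_perm().
 */
function secure_example_perm() {
  return array('use secure example search');
}

/**
 * Vulnerable page callback: SQL injection plus reflected XSS.
 */
function secure_example_unsafe_page() {
  $term = isset($_GET['q_term']) ? $_GET['q_term'] : '';
  // SQL injection: raw user input is concatenated into the query string.
  $result = db_query("SELECT nid, title FROM {node} WHERE status = 1 "
    . "AND title LIKE '%" . $term . "%'");
  // XSS: the search term and every node title are echoed unescaped.
  $output = '<p>Results for ' . $term . '</p><ul>';
  while ($node = db_fetch_object($result)) {
    $output .= '<li><a href="/node/' . $node->nid . '">' . $node->title . '</a></li>';
  }
  return $output . '</ul>';
}

/**
 * Hardened page callback using the Drupal 6 APIs.
 */
function secure_example_safe_page() {
  $term = isset($_GET['q_term']) ? $_GET['q_term'] : '';
  // %s placeholder: db_query_range() escapes the argument before inserting
  // it into the query; %% is a literal percent sign for the LIKE wildcards.
  // Use %d for integer arguments (it casts them), never string concatenation.
  $result = db_query_range("SELECT nid, title FROM {node} WHERE status = 1 "
    . "AND title LIKE '%%%s%%'", $term, 0, 20);
  // t() with an @-placeholder runs check_plain() on the substituted value,
  // so the reflected term cannot carry markup or script.
  $output = '<p>' . t('Results for @term', array('@term' => $term)) . '</p>';
  $items = array();
  while ($node = db_fetch_object($result)) {
    // l() escapes the link text and builds the URL through url(),
    // so a node title containing HTML is rendered as text.
    $items[] = l($node->title, 'node/' . $node->nid);
  }
  return $output . theme('item_list', $items);
}
```

One caveat the hardened version does not address: the %s placeholder escapes quotes but leaves the LIKE wildcards % and _ in user input intact, so a user can still widen the search; that is a correctness problem rather than an injection, but worth knowing when the query is expensive.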

Thorough testing during development is critical, and scanners can play an important role in ensuring an application is secure. Drupal modules such as security scanner and outside projects such as Grendel-Scan are available to provide automated penetration testing. Keep in mind that a scanner only finds the subset of problems it knows how to probe for, mostly injection flaws and configuration mistakes, so it complements rather than replaces code review against the secure-coding guidelines, and it should be run against a copy of the site, never production, because crawling and fuzzing forms can modify or delete content.

If all of this seems like a lot to absorb, then I recommend reading Cracking Drupal. In this book, Greg Knaddison discusses the various security concepts and how they specifically apply to Drupal. The book is well-organized, and features many useful examples and recommendations. I read the book as a Drupal newbie and then again after a few months of coding, and I learned something from it each time. For me, the scattered nature of the documentation on the Drupal site left me wondering if I was missing anything important; having all the information in one place, however, has given me a well-structured, coherent view of Drupal security.