About Drupal Scout
Drupal Scout is dedicated to one purpose: providing security review services for Drupal sites. It was founded by two professionals with a combined experience of over 6 years working with security issues in Drupal. As of August 2011 Drupal Scout is part of Acquia.
Why Drupal security?
Drupal is, of course, an amazing web application framework. It's got great security features and a strong API that helps keep it safe. But it's unfortunately fairly easy to make mistakes when configuring your site or writing custom modules and themes, and those mistakes can introduce security holes.
Who is Drupal Scout?
Drupal Scout's team is Ben Jeavons and Greg Knaddison.
Ben and Greg have trained over 60 students across four Drupal Security classes.
Who is Ben?
Ben has been working with Drupal for over 4 years and working specifically with security issues in Drupal for over 2 years as a member of the Drupal security team. He is the lead author of the Drupal Security Report and the Security Review module. Ben is coltrane on drupal.org and is Certified to Rock.
Security issues in Drupal contrib identified by Ben:
- SA-CONTRIB-2009-060 - Meta tags (Nodewords) - Access bypass
- SA-CONTRIB-2009-094 - NGP COO/CWP Integration (crmngp) - Multiple Vulnerabilities
- SA-CONTRIB-2010-005 - Own Term - Cross site scripting
- SA-CONTRIB-2011-028 - Simple Clean - Cross Site Scripting
Who is Greg?
Greg has been working with Drupal for over 6 years and on security issues for over 4 years. He wrote Cracking Drupal, the only book to provide a deep dive into security in Drupal, published by John Wiley and Sons. He was a co-author of the Drupal Security Report. Greg is greggles on drupal.org and is Certified To Rock.
Security issues in Drupal core and contrib identified by Greg:
- Password Policy XSS, CSRF
- Stickynote XSS, CSRF
- Date SQL Injection
- Hotblocks Access Bypass, XSS, CSRF
- Homebox for Organic Groups XSS
- Chatroom CSRF
- Tagadelic XSS
- ImageX access bypass
- Dashboard XSS
- Drupal Core - Access Bypass
- Token (and friends) XSS
- Userpoints CSRF
- Workflow XSS
- Stock Module XSS (an access bypass that leads to XSS)
- Browscap XSS
Why did Drupal Scout join Acquia?
Since launching, Drupal Scout quickly became recognized for the strength of our services, products and vision. However, we found that we lacked some of the skills, infrastructure, and scale necessary to be fully successful in this niche. Acquia, your enterprise guide to Drupal, provides a perfect place for us to offer these services and products to as broad a group as possible.
Somewhat related note: if you find a security vulnerability in Acquia software, see how to report a vulnerability in Acquia managed software.