Articles

Creating a "read only" Drupal front end with dynamic content management

While many Drupal sites and site-builders focus on creating interactive sites where anonymous and authenticated users can interact with the content to varying degrees, there are still some environments and sites where a "static" version makes more sense for most of the public.

The main benefits are:

  • more confidence that your site cannot be "hacked"
  • in some cases, a performance improvement (since Drupal's dynamic features are removed).

There are at least three strategies to achieve this, which can be mixed/matched as appropriate.

How to become a Drupal security expert

I use the term "expert" with some hesitancy. There are simply so many elements to becoming an expert in web application security that it's hard to list them all. However, if someone does all these things, then they are well on their way to becoming an expert in Drupal security.

Managing Patches & Getting your Drupal patch accepted

When creating complex Drupal sites it is often necessary to create patches to modules or Drupal core. Those patches should be managed locally in an organized fashion and contributed upstream. Once they are contributed to an issue queue on Drupal.org your job is not done: the patch needs to be committed before you can stop worrying about it.

Using Hacked! module to compare Drupal site code to standard code

One of the first things we do when supporting a site or reviewing it for security is look for modifications to the code.

We use the Hacked module to achieve this because it works quickly and automates a lot of the work in what is a normally very tedious process.

Here's some basic usage:

Contributed modules for Securing your Drupal Site

Among the thousands of modules on drupal.org there are over 100 in the security category. Unfortunately some of those are abandoned or inaccurately tagged. We've looked at every module and compiled this resource to help you understand the security-related community modules available. Not all of these modules provide security directly: some harden your site against weaknesses, and others monitor and report abuse.

Counting Lines of Code

When we get a new customer interested in the Drupal Scout Custom Security Review we will ask them for some metrics about their site to help us understand how much work we think it will be to review their site. We generally ask:

Automated Security Reviews for Drupal

These are the slides for a presentation on Automated Security Reviews I'm doing at Drupalcamp Colorado. You may also be interested in Steps to a Drupal Security Review.

Is Open Source Software Secure Enough?


This article has been moved to the Acquia Help Center!

The Acquia Help Center contains Drupal and Acquia product knowledge that you can use to help you as you develop your Drupal websites, including much of the security information that started here on Drupal Scout.

Using filter functions as intended: filter_xss and classes

Consider this code found in a page.tpl.php file.

  <body class="<?php print filter_xss($_GET['parameter']); ?>">

The documentation for filter_xss states:

Filters an HTML string to prevent cross-site-scripting (XSS) vulnerabilities.

So, you might think the above code is safe - it's using filter_xss after all.

Improvements to Security in Drupal 7


This article has been moved to the Acquia Help Center!

The Acquia Help Center contains Drupal and Acquia product knowledge that you can use to help you as you develop your Drupal websites, including much of the security information that started here on Drupal Scout.
