Scout Custom - In-depth, manual review of your site
The security of your website and application is something to take seriously. As members of the Drupal Security Team and having written the only book on Drupal security we at Drupal Scout take security very seriously. We also co-authored the first comprehensive white paper on Drupal security. We offer specific services for site and application security review as an integrated unit or as individual pieces. We believe that security is a process, not a project, and that site owners must be equipped with knowledge, support, and training in addition to periodic expert reviews.
Drupal Custom Code Review
When doing custom reviews we often provide training though both services are available separately.
Our review services culminate in a written report which we deliver to you and use as a way to frame a final oral report with developers and project stakeholders. We combine the results of the interviews and code/configuration research into a gap-analysis compared to relevant industry best practices. This is then prioritized based on the unique needs/services of your site to give a set of recommendations in order of importance.
1. Drupal core and contributed module configuration analysis
Certain configurations can open a vector for attack on your site. Visitors to your site should be able to interact under the conditions you have set, and no more. We start by asking some background questions about your site and review its configuration to identify potential weak points. We utilize a mix of automated and manual reviews to efficiently analyze any size of site.
2. Targeted code analysis
Where are the majority of the weaknesses in your site? The answer may surprise you – for most sites it is in custom modules and custom theme template files. After our combined years of involvement in the Drupal security team, we are familiar with the most common pitfalls that trap Drupal developers. We've built a set of static analysis tools to review Drupal-specific PHP code to find vulnerabilities. We apply these tools and in-depth visual review of the code to identify weaknesses and gain a sense for the size and scope of the problems with your site.
If the problems we find are in core or contributed modules we will work with fellow members of the Drupal Security Team to get the issues fixed and released to the public. For vulnerabilities identified in custom development we will provide recommendations, solutions for fixing the problems, or training for your team.
3. Training and certification in Secure Drupal Development
An integral part of any site review is to communicate to the client how to avoid problems in the future. Our training is designed to give you the tools you need to protect yourself. For your developers, we will review best practices with the Drupal API so that they can analyze core, contributed modules, and their own code to eliminate vulnerabilities before they are added to your site.
We certify each student's completion of the training. The training includes an exercise where we evaluate the ability of the student to identify weaknesses in the code and configuration of a sample Drupal site. To put it in geek speak, this training won't teach you how to use hook_form_alter, but if you already know it we will teach you to use it safely.
4. Development and production process review
Do your processes consider sensitivity of communications and data? In a one-day on-site series of interviews (with e-mail followup), we examine the processes related to development and maintenance of your Drupal site to identify potential areas of weakness.
5. Web server and network level analysis
Drupal is just one piece of the software stack – vulnerabilities can exist at the server and network levels as well. If your site is hosted in a professional hosting environment, your host likely has a security review system, but for those running their own servers we work with an extremely skilled local partner to provide this level of review.