The Acquia Help Center contains Drupal and Acquia product knowledge that you can use to help you as you develop your Drupal websites, including much of the security information that started here on Drupal Scout.
As we've developed our security review offering we've come up with this outline. We don't follow every step on every site, because some sites have specific concerns that we address instead, but this is our exhaustive list of steps. Note that it covers only the Drupal portion of the stack: there is a whole array of things you could also analyze at the web server, database server, operating system, network and even data center levels.
The first few steps are relatively simple to perform. The last three (manual review, and putting it all into a report) are the hardest.
Cross-Site Request Forgeries (CSRF) are the third most common vulnerability in Drupal, and yet they are quite easy to protect against. The precise solution depends on where the problem is, but it is never too complex to implement. To start, of course, we need to understand what CSRF actually is: Introduction to CSRF. Now let's learn how to protect against it.
As Matt Cheney likes to say, "Much like Scrabble, the S is an important letter on the internet." If you really care about the data you are sending across the internet, you want to make sure you are using SFTP instead of FTP, SSH instead of Telnet, and HTTPS instead of HTTP. So, within a Drupal site, how can you use HTTPS to secure the data sent to and from your site and prevent sessions from being hijacked?