Review: Acquia Webinar on Drupal Security
Last week I attended the Acquia webinar 'Protect Your Drupal Site Against Common Security Attacks'. It was a nice primer on how the Drupal Security Team functions and some basic ideas about Drupal security.
Presenter Greg Knaddison is a member of the Drupal Security Team and has his hands in all things security when it comes to Drupal.
The webinar covered a range of topics, from general security theory like defense in depth, to a comparison of how various open source projects handle security, to resources for Drupal developers and site managers to harden their sites.
The three things that I feel were the most beneficial/important from the webinar are as follows:
- The Security Review module can run a report on a site and see if there are any permissions or modules that are out of sorts. It's hookable, so additional checks can be implemented, and it has Drush support. The module will even check for evidence of attacks on the site (such as lots of unsuccessful login attempts). The report it generates links you to information on how to resolve the issues it finds.
- CrackingDrupal.com - Greg Knaddison's website and book on Drupal security vulnerabilities. This is a good resource for anyone writing new modules or even coding on the theme layer. I suggest that you pick up a copy of the book to have as a resource (it's still good for D7).
- DrupalSecurityReport.org - This report, commissioned by Acquia and other leading Drupal firms, "looks at how Drupal handles the important task of maintaining security in systems that are built to take input from a variety of sources." Greg mentioned in the webinar that this report will be updated periodically.
Additionally, I'll mention that Drupal has a dedicated security team of 38 members, and you can learn how to report issues, what the security team does, and how to receive the security announcements by visiting the security team page on Drupal.org.
Drupal clearly has a grasp on security that is head and shoulders above many other open source CMSs. There is still room for improvement along the lines of in-app updates and notification, but the Drupal Security Team does a great job of making sure that if you keep your site up-to-date with their recommended security updates, you can be confident that your Drupal site won't be an easy target.
For those interested in viewing the entire webinar, a recorded copy is located at: http://www.acquia.com/resources/recorded_webinars.