Your SlideShare is downloading. ×
Keeping your Drupal site secure 2013
Keeping your Drupal site secure 2013
Keeping your Drupal site secure 2013
Keeping your Drupal site secure 2013
Keeping your Drupal site secure 2013
Keeping your Drupal site secure 2013
Keeping your Drupal site secure 2013
Keeping your Drupal site secure 2013
Keeping your Drupal site secure 2013
Keeping your Drupal site secure 2013
Keeping your Drupal site secure 2013
Keeping your Drupal site secure 2013
Keeping your Drupal site secure 2013
Keeping your Drupal site secure 2013
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Keeping your Drupal site secure 2013

217

Published on

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
217
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
3
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Keeping your Drupal Site Secure Stéphane Corlosquet scorlosquet@gmail.com Training at BADCamp October, 2013
  • 2. General tips ● Use HTTPS, SSH, SFTP ● Strong password policy ● Server – LAMP stack ● Require SSH keys ● Roles and permissions ● Keep your site settings secure – – – Permissions Text formats PHP filter
  • 3. Drupal 7 ● Stronger password hashing / salt ● Login flood control – ● Protected cron – ● prevents brute-force credential guessing prevents Denial of Service attacks Update manager – Update module from the web UI
  • 4. Modules enhancing security ● Secure login ● Password policy ● Paranoia ● Hacked! ● Permissions Lock
  • 5. Drupal specific hosting ● Can your hosting provider help you improve your security process? ● ● ● Insight (part of Acquia Cloud hosting) Pantheon (self-service security updates) Tuned for Drupal security (and performance) ● Code, DB, uploaded files, config ● Managed security updates: – Remote administration (Acquia)
  • 6. Security process ● Ongoing maintenance ● Cost ● Managed hosting ● Drupal.org packaging infrastructure
  • 7. Security process ● Drupal Security Team ● Keep Drupal code secure in core and contrib ● Educate the community on security best practices – – – – ● Developers Site builders Site administrators and users Decision makers Security Advisory for every security release
  • 8. Security process
  • 9. Developers & site maintainers ● Follow Drupal APIs and best practices ● Take & verify backups ● Sanitize backups for sharing
  • 10. Cross Site Scripting
  • 11. Drupal 8 ● Twig as templating language – – ● WYSIWYG in core – – ● Automatically sanitizes strings on output No PHP in templates Streamlined filter mechanism (server and client side) No more full HTML as last resort Local image input filter – Only allow images from same site
  • 12. Book on Security in Drupal
  • 13. References ● DGD7 chapter 6 ● http://drupal.org/security ● http://www.drupalscout.com/ ● http://groups.drupal.org/best-practices-drupal-security
  • 14. Thanks! ● Stéphane Corlosquet: – – – scorlosquet@gmail.com @scorlosquet http://openspring.net/

×