Your SlideShare is downloading. ×
Keeping your Drupal site secure 2013
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Keeping your Drupal site secure 2013

204
views

Published on

Published in: Technology

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
204
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
2
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Keeping your Drupal Site Secure Stéphane Corlosquet scorlosquet@gmail.com Training at BADCamp October, 2013
  • 2. General tips ● Use HTTPS, SSH, SFTP ● Strong password policy ● Server – LAMP stack ● Require SSH keys ● Roles and permissions ● Keep your site settings secure – – – Permissions Text formats PHP filter
  • 3. Drupal 7 ● Stronger password hashing / salt ● Login flood control – ● Protected cron – ● prevents brute-force credential guessing prevents Denial of Service attacks Update manager – Update module from the web UI
  • 4. Modules enhancing security ● Secure login ● Password policy ● Paranoia ● Hacked! ● Permissions Lock
  • 5. Drupal specific hosting ● Can your hosting provider help you improve your security process? ● ● ● Insight (part of Acquia Cloud hosting) Pantheon (self-service security updates) Tuned for Drupal security (and performance) ● Code, DB, uploaded files, config ● Managed security updates: – Remote administration (Acquia)
  • 6. Security process ● Ongoing maintenance ● Cost ● Managed hosting ● Drupal.org packaging infrastructure
  • 7. Security process ● Drupal Security Team ● Keep Drupal code secure in core and contrib ● Educate the community on security best practices – – – – ● Developers Site builders Site administrators and users Decision makers Security Advisory for every security release
  • 8. Security process
  • 9. Developers & site maintainers ● Follow Drupal APIs and best practices ● Take & verify backups ● Sanitize backups for sharing
  • 10. Cross Site Scripting
  • 11. Drupal 8 ● Twig as templating language – – ● WYSIWYG in core – – ● Automatically sanitizes strings on output No PHP in templates Streamlined filter mechanism (server and client side) No more full HTML as last resort Local image input filter – Only allow images from same site
  • 12. Book on Security in Drupal
  • 13. References ● DGD7 chapter 6 ● http://drupal.org/security ● http://www.drupalscout.com/ ● http://groups.drupal.org/best-practices-drupal-security
  • 14. Thanks! ● Stéphane Corlosquet: – – – scorlosquet@gmail.com @scorlosquet http://openspring.net/

×