Mediacurrent, profile picture
Uploaded byMediacurrent
PPTX, PDF669 views

Drupal Security: What You Need to Know

This document discusses Drupal security best practices. It begins with introducing Mediacurrent and its vision to empower people with open source technology. It then provides an agenda on Drupal security covering Security-First planning, the Drupal security team and resources, common vulnerabilities, and Drupal best practices such as module selection, patching, and API usage. The document emphasizes automating security processes, monitoring advisories, and cultivating a security-focused culture.

Embed presentation

Download to read offline
Drupal Security: What You Need to Know March 25, 2021
The Open Source Expansion Partner
Our vision is to empower every person on the planet with the innovative freedom and community impact that open-source technology offers. Our Vision
Today’s Team Mark Shropshire Senior Director of Development Bobby Gryzynger Senior Developer
Bobby Gryzynger Senior Developer /in/bobby-gryzynger ● From Madison, Wisconsin. Currently in northern NJ ● 5+ years of experience as a Drupal developer ● Enjoys contributing to Drupal development. Has committed work in several contributed modules as well as Drupal core ● Breakfast chef. French toast? Pancakes? I’m your man Skills ● Drupal ● Security ● DevOps ● Project Leadership ● Drupal best- practices
Mark Shropshire Senior Director of Development /in/markshropshire @shrop ● From Concord, North Carolina ● 20+ years of experience as a technical team leader ● Loves empowering teams to excel while using best of class open source technology solutions. ● Passionate about personal and team growth through mentorship, aligning individual purpose with Mediacurrent’s vision ● Plays sax, drums, keys, and bass and has a list of other instruments that he would love to learn! Skills ● Drupal ● Security ● DevOps ● Flutter ● Acquia Site Factory ● Leadership
1. What’s Security-First? 2. Security and The Drupal Community 3. OWASP Top 10 Web Vulnerabilities 4. Drupal Best Practices 5. Q&A Today’s Agenda
What’s Security-First?
Security-First means going beyond compliance to assess risk. It’s both a cultural mindset and a continuous development approach that’s rooted in process automation.
Security-First Planning ● Proactive and collaborative approach with stakeholders ● Layered defense ● Architecture reviews ● Code reviews ● Automated testing ● Continuous improvements ● Security audits (one-offs and ongoing) ● Documentation
Security and The Drupal Community
Drupal Security Team ● Resolves reported security issues in Security Advisories ● Provides assistance for contributed module maintainers in resolving security issues ● Provides documentation on how to write secure code ● Provides documentation on securing your site ● Help the infrastructure team to keep the drupal.org secure ● https://www.drupal.org/security-team
Guardr is a Drupal distribution with a combination of modules and settings to enhance a Drupal application's security and availability to meet enterprise security requirements. Guardr incorporates industry best practices from security standards, regulatory controls, and security certifications. https://drupal.org/project/guardr Drupal Slack: #contrib-guardr
OWASP Top 10 Web Vulnerabilities
| 15 Top 10 Web Application Security Risks Injection Broken Authentication Sensitive Data Exposure XML External Entities (XXE) Broken Access Control Security Misconfiguration Cross-Site Scripting XSS Insecure Deserialization Using Components with Known Vulnerabilities Insufficient Logging & Monitoring https://owasp.org/www-project-top-ten
Drupal Best Practices
Module Selection ● Module Usage ● Issue Queue Activity ● Security ● Manual Review and Testing ● Release Status ● Commit Activity ● Project information ● Risk Assessment ● Benefit A Guide to Drupal Module Evaluation
Module patches ● Sometimes, patches are necessary ● Always submit patches to Drupal.org ● Submitting patches allows: ○ Automated testing ○ Maintainer review ● Patches create: ○ Revision history ○ An opportunity for community input
Use Drupal APIs Use Drupal APIs to secure your contrib and custom code. https://api.drupal.org/api/drupal Writing secure code for Drupal
| 20 // Uh, oh: $my_var = "<script>alert('Attack!')</script>"; Not This: $variables['title'] = "Here's a title: " . $my_var; Instead, this: $variables['title'] = t("Here's a title: @title", ['@title' => $my_var]); Also see Drupal::translation()->formatPlural() t()
| 21 // Uh, oh: $my_var = "<script>alert('Attack!')</script>"; // Oh, no: $my_other_var = "<div>some unexpected HTML</div>"; Not This: $variables['title'] = '<p>' . $my_var . '</p>'; $variables['body'] = $node->get('body')->value . $my_other_var; Instead, this: $variables['title'] = Xss::filter($my_var); $variables['body'] = $node->get('body')->value . Html::escape($my_other_var); Xss::filter() and Html::escape()
| 22 Monitor Drupal Security Advisories ● Drupal core ● Drupal contrib projects ● Public service announcements ● Notifications via email and RSS ● Follow @drupalsecurity on Twitter ● Drupal Slack #security-questions ● Read SA documentation https://www.drupal.org/security
| 23 // Uh, oh: $my_var = ", (SELECT * FROM private_data) as attack"; Not this: Drupal::database()->query('SELECT * FROM node_field_data ' . $my_var); Instead, this: // Better. Drupal::database() ->select('node_field_data', 'd') ->fields('d', []) ->condition('d.nid', $my_var); Drupal:database() // Better yet. Drupal::entityTypeManager()-getStorage('node') ->getQuery() ->condition('nid', $my_var);
| 24 Not this: public function myControllerBuild($nid) { // ... $node = $this->entityTypeManager() ->getStorage('node')->load($nid); // ... $build['node'] = $node->view(); return $build; } Controllers Instead, this: public function myControllerBuild($nid) { // ... $node = $this->entityTypeManager() ->getStorage('node')->load($nid); // ... if($node->access('view', $this->currentUser)) { $build['node'] = $node->view(); } return $build; }
| 25 Secure your open source-based martech stack with this resource for best practices. http://bit.ly/open-source-security Download Now CMO’s Guide to Open Source Security
| 26 Key Takeaways Cultivate a security-first culture. Educate yourself on security risks that can impact your organization. Review and monitor Drupal security advisories. Follow Drupal best practices. Automate security processes. Promptly update security releases.
@Mediacurrent Mediacurrent @Mediacurrent MediacurrentDrupal Mediacurrent.com @Mediacurrent Thank You!

More Related Content

PPTX
Best Practices for Moving to Drupal 9
byMediacurrent
 
PDF
A Better Way to Build and Manage Sites with Rain for Drupal 9
byMediacurrent
 
PDF
Decoupled Drupal and Gatsby in the Real World
byMediacurrent
 
PDF
What to Expect in Drupal 8
byMediacurrent
 
PDF
Prepare Your Drupal 9 Action Plan
byMediacurrent
 
PDF
Paragraphs v Layout Builder - The Final Showdown
byMediacurrent
 
PDF
Creating an Organizational Culture of Giving Back to Drupal
byMediacurrent
 
PDF
Managing Images In Large Scale Drupal 8 & 9 Websites
byMediacurrent
 
Best Practices for Moving to Drupal 9
byMediacurrent
 
A Better Way to Build and Manage Sites with Rain for Drupal 9
byMediacurrent
 
Decoupled Drupal and Gatsby in the Real World
byMediacurrent
 
What to Expect in Drupal 8
byMediacurrent
 
Prepare Your Drupal 9 Action Plan
byMediacurrent
 
Paragraphs v Layout Builder - The Final Showdown
byMediacurrent
 
Creating an Organizational Culture of Giving Back to Drupal
byMediacurrent
 
Managing Images In Large Scale Drupal 8 & 9 Websites
byMediacurrent
 

What's hot

PDF
We Built This City (On Drupal 8)
byMediacurrent
 
PDF
MagMutual.com: On the JAMStack with Gatsby and Drupal 8
byMediacurrent
 
PDF
Choosing Drupal as your Content Management Framework
byMediacurrent
 
PDF
Guide to Component-Based Theming for Drupal 8 and 9
byMediacurrent
 
PDF
Rain + GatsbyJS: Fast-Tracking to Drupal
byMediacurrent
 
PDF
Penn State scales static Drupal to new heights
byMediacurrent
 
PPTX
Is my website accessible? Common mistakes (and how to fix them)
byMediacurrent
 
PDF
Opening Keynote - DrupalCamp St. Louis 2014
byBrad Nowak
 
PPTX
How to Digitally Transform Higher Ed with Drupal
byMediacurrent
 
PDF
Growth hacking with content, marketing automation and your drupal website
byMediacurrent
 
PDF
Leveraging Design Systems to Streamline Web Projects
byMediacurrent
 
PDF
Starting & growing a drupal based business- 6 valuable lessons i have learned
byMediacurrent
 
PPTX
Level Up Your Team: Front-End Development Best Practices
byMediacurrent
 
ODP
Introducing Drupal and Drupal.Org Community in PUP QC, PH
byEleison Cruz
 
PDF
Drupal 8 - what's new?
byEdo
 
PDF
DSC Aswan University info session
byAhmedHany131
 
PPTX
Gsdc intro session
byMiljanorevi1
 
PDF
Shockingly Fast Site Development with Acquia Lightning 4.0
byRachel Wandishin
 
PPTX
Helping the LatinGRAMMYs Reach a Global Audience
byAchieve Internet
 
PDF
Planning & Executing Custom Drupal Integration Projects
byAchieve Internet
 
We Built This City (On Drupal 8)
byMediacurrent
 
MagMutual.com: On the JAMStack with Gatsby and Drupal 8
byMediacurrent
 
Choosing Drupal as your Content Management Framework
byMediacurrent
 
Guide to Component-Based Theming for Drupal 8 and 9
byMediacurrent
 
Rain + GatsbyJS: Fast-Tracking to Drupal
byMediacurrent
 
Penn State scales static Drupal to new heights
byMediacurrent
 
Is my website accessible? Common mistakes (and how to fix them)
byMediacurrent
 
Opening Keynote - DrupalCamp St. Louis 2014
byBrad Nowak
 
How to Digitally Transform Higher Ed with Drupal
byMediacurrent
 
Growth hacking with content, marketing automation and your drupal website
byMediacurrent
 
Leveraging Design Systems to Streamline Web Projects
byMediacurrent
 
Starting & growing a drupal based business- 6 valuable lessons i have learned
byMediacurrent
 
Level Up Your Team: Front-End Development Best Practices
byMediacurrent
 
Introducing Drupal and Drupal.Org Community in PUP QC, PH
byEleison Cruz
 
Drupal 8 - what's new?
byEdo
 
DSC Aswan University info session
byAhmedHany131
 
Gsdc intro session
byMiljanorevi1
 
Shockingly Fast Site Development with Acquia Lightning 4.0
byRachel Wandishin
 
Helping the LatinGRAMMYs Reach a Global Audience
byAchieve Internet
 
Planning & Executing Custom Drupal Integration Projects
byAchieve Internet
 

Similar to Drupal Security: What You Need to Know

PDF
Doing Drupal security right from Drupalcon London
byGábor Hojtsy
 
PDF
Doing Drupal security right
byGábor Hojtsy
 
PDF
Drupal Security Basics for the DrupalJax January Meetup
byChris Hales
 
PDF
Drupal Security from Drupalcamp Bratislava
byGábor Hojtsy
 
PDF
Drupal Security Seminar
byCalibrate
 
PPTX
Everything You Always Wanted to Know About Drupal Security (*But Were Afraid ...
byBalázs Tatár
 
PDF
Drupal security
byJozef Toth
 
PDF
Security - Drupal Decision Makers training
byscorlosquet
 
PDF
Looking for Vulnerable Code. Vlad Savitsky
byVlad Savitsky
 
PDF
Drupal Security from Drupalcamp Cologne 2009
byGábor Hojtsy
 
PDF
Security by Design: An Introduction to Drupal Security
byTara Arnold
 
PDF
Security by design: An Introduction to Drupal Security
byMediacurrent
 
PDF
Attacking Drupal
byGreg Foss
 
PPT
Drupal security
byTechday7
 
PDF
Understanding and implementing website security
byDrew Gorton
 
PPTX
OWASP Top 10 vs Drupal - OWASP Benelux 2012
byZIONSECURITY
 
ODP
Drupal Security Hardening
byGerald Villorente
 
ODP
Drupal Security Hardening
byGerald Villorente
 
KEY
Drupal Security Intro
byCash Williams
 
PDF
Drupal and security - Advice for Site Builders and Coders
byArunkumar Kupppuswamy
 
Doing Drupal security right from Drupalcon London
byGábor Hojtsy
 
Doing Drupal security right
byGábor Hojtsy
 
Drupal Security Basics for the DrupalJax January Meetup
byChris Hales
 
Drupal Security from Drupalcamp Bratislava
byGábor Hojtsy
 
Drupal Security Seminar
byCalibrate
 
Everything You Always Wanted to Know About Drupal Security (*But Were Afraid ...
byBalázs Tatár
 
Drupal security
byJozef Toth
 
Security - Drupal Decision Makers training
byscorlosquet
 
Looking for Vulnerable Code. Vlad Savitsky
byVlad Savitsky
 
Drupal Security from Drupalcamp Cologne 2009
byGábor Hojtsy
 
Security by Design: An Introduction to Drupal Security
byTara Arnold
 
Security by design: An Introduction to Drupal Security
byMediacurrent
 
Attacking Drupal
byGreg Foss
 
Drupal security
byTechday7
 
Understanding and implementing website security
byDrew Gorton
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
byZIONSECURITY
 
Drupal Security Hardening
byGerald Villorente
 
Drupal Security Hardening
byGerald Villorente
 
Drupal Security Intro
byCash Williams
 
Drupal and security - Advice for Site Builders and Coders
byArunkumar Kupppuswamy
 

More from Mediacurrent

PDF
Penn State News: Pivoting to Decoupled Drupal with Gatsby
byMediacurrent
 
PDF
Evolving How We Measure Digital Success in Higher Ed
byMediacurrent
 
PDF
Delivering Meaningful Digital Experiences in Higher Ed
byMediacurrent
 
PDF
Content Strategy: Building Connections with Your Audience
byMediacurrent
 
PPTX
Reimagining Your Higher Ed Web Strategy
byMediacurrent
 
PPTX
How to Prove Marketing ROI: Overcoming Digital Marketing Challenges
byMediacurrent
 
PDF
The Nonprofits' Guide to Content Strategy
byMediacurrent
 
PDF
Google Optimize: How Mass.gov Builds Great Government UX
byMediacurrent
 
PDF
How We Win With Agile
byMediacurrent
 
PDF
Georgia Tech's Strategic Drupal Redesign
byMediacurrent
 
PPTX
Marketing Attribution Modeling
byMediacurrent
 
PPTX
Mediacurrent Introduction to Emotional Design 2019
byMediacurrent
 
PDF
Habitat for Humanity and Mediacurrent: Expanding with Drupal 8
byMediacurrent
 
PDF
InteractUSG: Intelligent UX in Human Centered Design
byMediacurrent
 
Penn State News: Pivoting to Decoupled Drupal with Gatsby
byMediacurrent
 
Evolving How We Measure Digital Success in Higher Ed
byMediacurrent
 
Delivering Meaningful Digital Experiences in Higher Ed
byMediacurrent
 
Content Strategy: Building Connections with Your Audience
byMediacurrent
 
Reimagining Your Higher Ed Web Strategy
byMediacurrent
 
How to Prove Marketing ROI: Overcoming Digital Marketing Challenges
byMediacurrent
 
The Nonprofits' Guide to Content Strategy
byMediacurrent
 
Google Optimize: How Mass.gov Builds Great Government UX
byMediacurrent
 
How We Win With Agile
byMediacurrent
 
Georgia Tech's Strategic Drupal Redesign
byMediacurrent
 
Marketing Attribution Modeling
byMediacurrent
 
Mediacurrent Introduction to Emotional Design 2019
byMediacurrent
 
Habitat for Humanity and Mediacurrent: Expanding with Drupal 8
byMediacurrent
 
InteractUSG: Intelligent UX in Human Centered Design
byMediacurrent
 

Recently uploaded

PPTX
ANTI-TUSSIVE CHAPTER NO.05 PHARMACOGNOSY
byGanu Gavade
 
PDF
Planetary Environmentalism and Global Migration in Gun Island.pdf
byBhargav Makwana
 
PPTX
Palta Utsav Open Quiz Prelims Answer.pptx
bySourav Kr Podder
 
PDF
5.India-A-Home-to-Many.pdf/Social science Grade 7 part/:K SANDEEP SWAMY(M.Sc,...
bySandeep Swamy
 
PDF
PULSE according to Physiology special pdf for all medical sectors students & ...
byhttps://www.facebook.com/profile.php?id=61578457231735
 
PPTX
MELA QUIZ 2026 | Silchar Medical College & Hospital | 11-01-2026
byUltimatewinner0342
 
PPTX
CHAPTER NO. 09 HCP BY GG LABORATORY CLINICAL TEST
byGanu Gavade
 
PDF
Myth_History_Climate__Reading_Gun_Island.pdf
byBhargav Makwana
 
PPTX
Overview of SEO optimiser in Odoo 19 Website
byCeline George
 
PPTX
DISCHARGE FROM HOSPITAL (JHASKETAN )(1).pptx
byJK NURSING VIBES ONLY JHASKETAN KUANAR
 
PDF
Halogen-Derivatives.pdf/BY K SANDEEP SWAMY/FOR ONLINE CLASSES CONTACT 9491878325
bySandeep Swamy
 
PPTX
Capacity Building Programme for Teachers on Equitable and Inclusive Education
byMUKHTAR133762
 
PPTX
Prepositions of Place : English Grammar Presentation
byPintoo Dhillon
 
PDF
eSAT-for-Teachers-2025-2028-ver.2-Nov2025 idp.pdf
byJunmelValientes
 
PPTX
HYDROLYSIS OF EASTER (JHASKETAN).pptx
byJK NURSING VIBES ONLY JHASKETAN KUANAR
 
PDF
1. AI for E-content Development: What and Why, 2. E- content Development thro...
byProf. Vinod Kumar Kanvaria
 
PDF
30 Ways Teachers Use AI in 2026 – Practical Classroom Workflows with Monsha f...
byMonsha.AI
 
PPTX
what are the Talent pool in Odoo 19 Recruitment
byCeline George
 
PPTX
Blood, Blood Composition, Blood Groups, Disorders of Blood.pptx
byAshish Umale
 
PPTX
Віртуальна виставка «Гра в життя» – «The Game of Life»
byVinnytsia Regional Universal Scientific Library named after Valentin Otamanovsky
 
ANTI-TUSSIVE CHAPTER NO.05 PHARMACOGNOSY
byGanu Gavade
 
Planetary Environmentalism and Global Migration in Gun Island.pdf
byBhargav Makwana
 
Palta Utsav Open Quiz Prelims Answer.pptx
bySourav Kr Podder
 
5.India-A-Home-to-Many.pdf/Social science Grade 7 part/:K SANDEEP SWAMY(M.Sc,...
bySandeep Swamy
 
PULSE according to Physiology special pdf for all medical sectors students & ...
byhttps://www.facebook.com/profile.php?id=61578457231735
 
MELA QUIZ 2026 | Silchar Medical College & Hospital | 11-01-2026
byUltimatewinner0342
 
CHAPTER NO. 09 HCP BY GG LABORATORY CLINICAL TEST
byGanu Gavade
 
Myth_History_Climate__Reading_Gun_Island.pdf
byBhargav Makwana
 
Overview of SEO optimiser in Odoo 19 Website
byCeline George
 
DISCHARGE FROM HOSPITAL (JHASKETAN )(1).pptx
byJK NURSING VIBES ONLY JHASKETAN KUANAR
 
Halogen-Derivatives.pdf/BY K SANDEEP SWAMY/FOR ONLINE CLASSES CONTACT 9491878325
bySandeep Swamy
 
Capacity Building Programme for Teachers on Equitable and Inclusive Education
byMUKHTAR133762
 
Prepositions of Place : English Grammar Presentation
byPintoo Dhillon
 
eSAT-for-Teachers-2025-2028-ver.2-Nov2025 idp.pdf
byJunmelValientes
 
HYDROLYSIS OF EASTER (JHASKETAN).pptx
byJK NURSING VIBES ONLY JHASKETAN KUANAR
 
1. AI for E-content Development: What and Why, 2. E- content Development thro...
byProf. Vinod Kumar Kanvaria
 
30 Ways Teachers Use AI in 2026 – Practical Classroom Workflows with Monsha f...
byMonsha.AI
 
what are the Talent pool in Odoo 19 Recruitment
byCeline George
 
Blood, Blood Composition, Blood Groups, Disorders of Blood.pptx
byAshish Umale
 
Віртуальна виставка «Гра в життя» – «The Game of Life»
byVinnytsia Regional Universal Scientific Library named after Valentin Otamanovsky
 

Drupal Security: What You Need to Know

  • 1.
    Drupal Security: What YouNeed to Know March 25, 2021
  • 2.
  • 3.
    Our vision isto empower every person on the planet with the innovative freedom and community impact that open-source technology offers. Our Vision
  • 4.
    Today’s Team Mark Shropshire Senior Directorof Development Bobby Gryzynger Senior Developer
  • 5.
    Bobby Gryzynger Senior Developer /in/bobby-gryzynger ●From Madison, Wisconsin. Currently in northern NJ ● 5+ years of experience as a Drupal developer ● Enjoys contributing to Drupal development. Has committed work in several contributed modules as well as Drupal core ● Breakfast chef. French toast? Pancakes? I’m your man Skills ● Drupal ● Security ● DevOps ● Project Leadership ● Drupal best- practices
  • 6.
    Mark Shropshire Senior Directorof Development /in/markshropshire @shrop ● From Concord, North Carolina ● 20+ years of experience as a technical team leader ● Loves empowering teams to excel while using best of class open source technology solutions. ● Passionate about personal and team growth through mentorship, aligning individual purpose with Mediacurrent’s vision ● Plays sax, drums, keys, and bass and has a list of other instruments that he would love to learn! Skills ● Drupal ● Security ● DevOps ● Flutter ● Acquia Site Factory ● Leadership
  • 7.
    1. What’s Security-First? 2.Security and The Drupal Community 3. OWASP Top 10 Web Vulnerabilities 4. Drupal Best Practices 5. Q&A Today’s Agenda
  • 8.
  • 9.
    Security-First means goingbeyond compliance to assess risk. It’s both a cultural mindset and a continuous development approach that’s rooted in process automation.
  • 10.
    Security-First Planning ● Proactive andcollaborative approach with stakeholders ● Layered defense ● Architecture reviews ● Code reviews ● Automated testing ● Continuous improvements ● Security audits (one-offs and ongoing) ● Documentation
  • 11.
  • 12.
    Drupal Security Team ●Resolves reported security issues in Security Advisories ● Provides assistance for contributed module maintainers in resolving security issues ● Provides documentation on how to write secure code ● Provides documentation on securing your site ● Help the infrastructure team to keep the drupal.org secure ● https://www.drupal.org/security-team
  • 13.
    Guardr is aDrupal distribution with a combination of modules and settings to enhance a Drupal application's security and availability to meet enterprise security requirements. Guardr incorporates industry best practices from security standards, regulatory controls, and security certifications. https://drupal.org/project/guardr Drupal Slack: #contrib-guardr
  • 14.
    OWASP Top 10Web Vulnerabilities
  • 15.
    | 15 Top 10Web Application Security Risks Injection Broken Authentication Sensitive Data Exposure XML External Entities (XXE) Broken Access Control Security Misconfiguration Cross-Site Scripting XSS Insecure Deserialization Using Components with Known Vulnerabilities Insufficient Logging & Monitoring https://owasp.org/www-project-top-ten
  • 16.
  • 17.
    Module Selection ● Module Usage ●Issue Queue Activity ● Security ● Manual Review and Testing ● Release Status ● Commit Activity ● Project information ● Risk Assessment ● Benefit A Guide to Drupal Module Evaluation
  • 18.
    Module patches ● Sometimes, patchesare necessary ● Always submit patches to Drupal.org ● Submitting patches allows: ○ Automated testing ○ Maintainer review ● Patches create: ○ Revision history ○ An opportunity for community input
  • 19.
    Use Drupal APIs UseDrupal APIs to secure your contrib and custom code. https://api.drupal.org/api/drupal Writing secure code for Drupal
  • 20.
    | 20 // Uh,oh: $my_var = "<script>alert('Attack!')</script>"; Not This: $variables['title'] = "Here's a title: " . $my_var; Instead, this: $variables['title'] = t("Here's a title: @title", ['@title' => $my_var]); Also see Drupal::translation()->formatPlural() t()
  • 21.
    | 21 // Uh,oh: $my_var = "<script>alert('Attack!')</script>"; // Oh, no: $my_other_var = "<div>some unexpected HTML</div>"; Not This: $variables['title'] = '<p>' . $my_var . '</p>'; $variables['body'] = $node->get('body')->value . $my_other_var; Instead, this: $variables['title'] = Xss::filter($my_var); $variables['body'] = $node->get('body')->value . Html::escape($my_other_var); Xss::filter() and Html::escape()
  • 22.
    | 22 Monitor Drupal SecurityAdvisories ● Drupal core ● Drupal contrib projects ● Public service announcements ● Notifications via email and RSS ● Follow @drupalsecurity on Twitter ● Drupal Slack #security-questions ● Read SA documentation https://www.drupal.org/security
  • 23.
    | 23 // Uh,oh: $my_var = ", (SELECT * FROM private_data) as attack"; Not this: Drupal::database()->query('SELECT * FROM node_field_data ' . $my_var); Instead, this: // Better. Drupal::database() ->select('node_field_data', 'd') ->fields('d', []) ->condition('d.nid', $my_var); Drupal:database() // Better yet. Drupal::entityTypeManager()-getStorage('node') ->getQuery() ->condition('nid', $my_var);
  • 24.
    | 24 Not this: publicfunction myControllerBuild($nid) { // ... $node = $this->entityTypeManager() ->getStorage('node')->load($nid); // ... $build['node'] = $node->view(); return $build; } Controllers Instead, this: public function myControllerBuild($nid) { // ... $node = $this->entityTypeManager() ->getStorage('node')->load($nid); // ... if($node->access('view', $this->currentUser)) { $build['node'] = $node->view(); } return $build; }
  • 25.
    | 25 Secure youropen source-based martech stack with this resource for best practices. http://bit.ly/open-source-security Download Now CMO’s Guide to Open Source Security
  • 26.
    | 26 Key Takeaways Cultivatea security-first culture. Educate yourself on security risks that can impact your organization. Review and monitor Drupal security advisories. Follow Drupal best practices. Automate security processes. Promptly update security releases.
  • 27.