This document is a guide on Drupal security, authored by several experts in the field, highlighting key practices for securing Drupal installations and custom modules. It covers essential topics such as data encryption, site auditing best practices, and compliance with security standards like PCI DSS and HIPAA. Additionally, it provides tools and resources for enhancing Drupal security, including specific modules for encryption and key management.

1. An Introduction to Drupal Security
Security by Design:

2. Intros
Chris Teitzel
@technerdteitzel
/in/christeitzel
Chris has been working in Drupal for almost 8 years. During that time
he has worked on projects spanning the globe in front-end design,
e-commerce and security. His passion is for making technology
accessible to all skillsets.
Founder / CEO Lockr
2

3. Intros
Luke Probasco
Presenter Photo
@geetarluke
/in/lukeprobasco/
Manages Drupal business for Townsend Security. DrupalCon, Camp,
and Summit speaker. Security professional. Music enthusiast.
Drupal GM/Townsend Security
3

4. Intros
Mark Shropshire (shrop)
@shrop
/in/markshropshire
drupal.org
Mark brings 20 years of experience leading technical teams to his role
as Mediacurrent’s Open Source Security Lead. He is a leader in tech
community organizing, blogging, podcasting, and public speaking
within the Drupal community. Mark is passionate about architecting
systems to solve workflow problems and improve efficiencies using
open source software. He is also the maintainer of the Guardr Drupal
security module suite.
Mediacurrent Open Source Security Lead
4

5. Style Guide
Contents
Security by design in Drupal
Encrypting sensitive data
Key management (encryption & API)4
3
2
1
5
Site audit and security best practices
Resources to improve security5
Style Guide6 Takeaways

6. Security by design in Drupal1

7. 7
Security by Design

8. 8
Compliance, Security, and You
● Data discovery
● PCI DSS, HIPAA, GDPR, etc.
● Hosting and compliance
● See your security team for internal policies and controls
Security by Design

9. 9
Keep Drupal Secure
● Keep Core and contrib modules up to date
● Use Drupal API
● Use version control
● Use social and enterprise login
● Use secure passwords
● Two factor authentication
● Log and review logs (watchdog and additional contrib)
● Don’t forget about infrastructure security
Security by Design

10. 10
Security in Custom Modules
● Never trust user input
○ Filter plain text with check_plain() or t()
○ Filter HTML with filter_xss()
● Query properly
○ Do not concatenate values into db_query()
○ Instead use parameterized values %s %d %f %b
● Do not output db values directly (don’t trust user input)
● Protect user input - think before you save
Security by Design

11. Site audit and security best practices2

12. 12
What is an audit?
● Review by someone not on the team
○ (internal or external)
● Review of software systems
● Review of supporting infrastructure
● Review of other related systems
Site audit and security best practices

13. 13
Performing an audit
● Collect data manually and with tools
○ Analyze the data
○ Prioritize findings
● Eliminate false positives
● Complete usable report(s)
Site audit and security best practices

14. 14
OWASP Top 10 Most Critical Web Application Security Risks
● Injection
● Weak authentication and session management
● XSS
● Insecure Direct Object References
● Security Misconfiguration
● Sensitive Data Exposure
● Missing Function Level Access Control
● Cross Site Request Forgery
● Using Components with Known Vulnerabilities
● Unvalidated Redirects and Forwards
Site audit and security best practices

15. 15
Drupal audit tools
● Drupal Core reports
● Site Audit
● Security Review
● Sensitive Data
● Hacked!
● Coder
● Review of site config, users, permissions, and roles
● Manual code review
Site audit and security best practices

16. Encrypting sensitive data3

17. 17
Encrypting Data in Drupal
● There is no native way to encrypt data in Drupal
● Compliance and risk management drive encryption
● Use encryption based on industry standards
● Use cryptographically strong keys - no passwords!
● See NIST Special Publication 800-57 for more info
Encrypting Sensitive Data

18. 18
What Encryption Should I Use?
● Use AES, RSA, Triple DES, or other standard methods
● Beware of non-standard encryption
● Example: Homomorphic Encryption
○ Has not received wide review and acceptance
○ Cannot be certified by a standards body
○ Cannot achieve FIPS 140-2 validation
○ Compliance regulations prohibit its use
Encrypting Sensitive Data

19. Key management (encryption & API)4

20. 20
McDonald's has acknowledged that a leaky API
exposed personal information for users of its
McDelivery mobile app in India. The flaw exposed
names, email addresses, phone numbers, home
addresses and sometimes the coordinates of
those homes, as well as links to social media profiles.
BankInfoSecurity.com
Key Management

21. 21
Our review has shown that a threat actor obtained
access to a set of AWS keys and used them to access
the AWS API from an intermediate host with another,
smaller service provider in the US... Through the AWS
API, the actor created several instances in our
infrastructure to do reconnaissance.
OneLogin.com
Key Management

22. 22
Payment
Gateways
Email
Marketing
SMTP Relays Authentication
Shipping Cloud Providers Encryption APIs
Key Management

23. Resources to improve security5

24. 24
Encryption Modules
● Encrypt
● FieldEncrypt
● Real AES
● Encrypt User
● Encrypted Files
● Webform Encrypt
Resources to Improve Security

25. 25
Key Management Modules
● Key
● Townsend Security Key Connection
● Lockr
Resources to Improve Security

26. 26
Guardr
Guardr is a Drupal distribution with a combination of
modules and settings to enhance a Drupal application's
security and availability to meet enterprise security
requirements.
https://drupal.org/project/guardr
Resources to Improve Security

27. Takeaways6

28. Questions?
Thank you!
@Mediacurrent