This document discusses security best practices for Drupal, including using HTTPS and SSH, strong passwords, keeping the server and site settings secure, and modules that can enhance security. It also covers Drupal 7 security improvements like password hashing and login flood control, as well as the importance of ongoing maintenance, backups, and following the Drupal security process.

1. Security in Drupal
Stéphane Corlosquet
scorlosquet@gmail.com
Training at NYCamp 2012

2. General tips
● Use HTTPS, SSH, SFTP
● Strong password policy
● Server – LAMP stack
● Require SSH keys
● Keep your site settings secure
– Permissions
– Text formats
– PHP filter

3. Drupal 7
● Stronger password hashing / salt
● Login flood control
– prevents brute-force credential guessing
● Protected cron
– prevents Denial of Service attacks
● Update manager
– Update module from the web UI

4. Modules enhancing security
● Secure login
● Password policy
● Paranoia
● Hacked!
● Permissions Lock

5. Security process
● Ongoing maintenance
● Cost
● Managed hosting
● Drupal.org packaging infrastructure

6. Security process
● Drupal Security Team
● Keep Drupal code secure in core and contrib
● Educate the community on security best practices
– Developers
– Site builders
– Site administrators and users
– Decision makers
● Security Advisory for new module releases

7. Security process

8. Developers & site maintainers
● Follow Drupal APIs and best practices
● Take & verify backups
● Sanitize backups for sharing

9. Cross Site Scripting

10. Book on Security in Drupal

11. References
● DGD7 chapter 6
● http://drupal.org/security
● http://www.drupalscout.com/
● http://groups.drupal.org/best-practices-drupal-security