Improvements to Security in Drupal 7


Drupal 7 has several security improvements. People often ask if the book Cracking Drupal covers Drupal 6 or Drupal 7. The answer is that it mostly covers both because security issues did not change much between the versions. So the book is still just as relevant for Drupal 7 with the exception of the topics below.

Why counting vulnerabilities is not a sufficient method of comparing product security

A lot of people find themselves in the position of trying to figure out which software package is the most secure, or at least the more secure among a field of choices. They often try to do this by comparing the number of vulnerabilities in the packages, consulting vulnerability databases like MITRE-CVE or NIST-NVD.

However, consider this example timeline of vulnerability disclosure, taken from a sample issue posted to Full Disclosure:


2013.05.11 Vulnerability reported to the vendor

Notes from Linux Security Tunables by Kees Cook

I recently attended Drupalcon Portland, where I went to Kees Cook's session on Linux System Security Tunables. He had some great general security advice before the session began. You can watch the video on the Drupalcon site and read the slides there. Here are my notes from the session.

Authentication hygiene (e.g. ssh keys)

  • know where your credentials live
  • keep away from devices with remote access
  • store encrypted, tied to a specific device - if you lose control of that device, revoke those keys

Using XSS to steal access

We've talked about Cross Site Scripting (XSS) before, and for good reason: it is a risk far too many sites are vulnerable to. XSS is scary because it runs in the context of the trusted relationship between your browser and a website; XSS can do everything you can do.

XSS cookie theft

Let's look at another example of an XSS exploit: stealing administrative access to a site.

  • An attacker will enter JavaScript that steals the visitor's browser cookie
  • An administrator will unknowingly execute this JavaScript