Blog

Free resources online for protecting your Drupal site

There are lots of great resources online about how to secure your Drupal site. The CrackingDrupal.com site is meant to be one of those resources, but there are also others available elsewhere. Here are some of the best resources available from around the internet with Drupal specific security information.

Drupal.org Handbooks

The Drupal.org handbooks are probably the most natural place to look and in fact they have three great areas of resources.

Protecting your Drupal module against Cross Site Request Forgeries

Cross Site Request Forgeries (CSRF) are the 3rd most common vulnerability in Drupal, and yet they are quite easy to protect against. The precise solution depends on where the problem is, but it is never too complex to implement. To start, of course, we need to understand what CSRF actually is.

What is Cross Site Request Forgery (CSRF)?

Techniques in Attacking and Defending XML/Web Services

Mamoon Yunus and Jason Macy gave this presentation as an overview of XML/Web services and how the usual security rules apply to this area.

Review of the problems with XML/Web services

All the normal problems still apply:

  • Firewalls are not aware of the XML content
  • Malware and viruses (or XSS) can be included in the content, depending on the context in which the XML data is used
  • WSDL exposes the schema and message structure
  • Injection attacks are possible via the XML parameters
  • Data replay is still possible
  • Denial of service is still possible, especially via the parameters

The OWASP Top 10 Vulnerabilities for 2010 (release candidate 1)

The OWASP Top 10 is a set of vulnerability classes that carry very high risk. They are provided as a tool that application developers can use to judge whether their application meets best practices, based on whether or not it has facilities to deal with these top 10 items.

The Internet's 10 most dangerous people you don't know


Robert Hansen (who actually wore a suit, which was quite surprising to me) gave out a list of 10 people he thought were the most dangerous people for the internet that you don't actually know. These are people responsible for infrastructure or services that are important to the internet's safety and ongoing functionality, and yet they are not generally recognized as important/dangerous people.

10. Network engineer at C|Net
