Free resources online for protecting your Drupal site

There are lots of great resources online about how to secure your Drupal site. The CrackingDrupal.com site is meant to be one of those resources, but there are also others available elsewhere. Here are some of the best resources available from around the internet with Drupal specific security information.

Drupal.org Handbooks

The Drupal.org handbooks are probably the most natural place to look and in fact they have three great areas of resources.

Writing secure code provides advice about secure code. It can be a bit hard to understand the flow and examples, but this is still a great resource.
Secure configuration looks at the non-code aspects of configuring your site.
Security team provides insight into the policies and procedures of the Drupal Security Team. It's the policies which are most important to a typical user.

University of Pennsylvania School of Arts and Sciences Pages

The University of Pennsylvania is using Drupal for a lot of different sites. They have been actively reviewing and finding problems in Drupal's contributed modules for over a year now. They are also providing documentation (on their site) about how to secure Drupal.

Some examples:

Drupal Security Configuration
Drupal approved modules which means that they have reviewed the modules for security problems.
Drupal security considerations provides some Penn specific and some general advice about Drupal sites.

Nadeau Software Consulting

The Nadeau Software Consulting company provides an extensive online resource in 3 parts. Their advice comes from a strong system administrator perspective about how to secure Drupal within the Context of Linux/Apache.

From CrackingDrupal.com

Aside from this blog there are a few other resources on this site:

List of security focused contributed modules
Text filtering cheat sheet for developers and themers
A PDF version of Cracking Drupal Chapter 1 and the table of contents.

Other blog sites

Safe string theory for the web by Steven Wittens is a great resource. One final mention is Heine Deelstra's Blog which covers a lot of things but also frequently covers security.

Edited to include more resources from this site and Steven Wittens site.

Comments

I'd also add Steven Witten's

Submitted by dalin (not verified) on Tue, 01/12/2010 - 08:09.

I'd also add Steven Witten's treatise Safe String Theory for the Web as a straightforward and thorough explanation of how to handle strings in various contexts.

Post new comment

The Book, The Report

Cracking Drupal: A Drop in the Bucket

Written by a Drupal expert, this is the first book to reveal the vulnerabilities and security issues that exist in the sites that have been built with Drupal and how to prevent them from continuing.

Get your copy now.

Drupal Security White Paper

Curious about Drupal's security? Consider Drupal but want to make sure it's good enough? Read the Drupal Security Report

Security Review Service

If you are concerned about whether your site is secure, consider using the Security Review Module to get an initial sense. If you're looking for something much more in depth than a module or a book, Growing Venture Solutions offers a Security Review Service for Drupal Sites.

Recent Blog Posts

Mitigation against CVE-2010-1584 Drupal Context Module XSS

Posted by greggles

4 comments
Zerodayscan and Drupal: finding bugs for fame

Posted by greggles

0 comments
Creating a sanitized Drupal database dump

Posted by greggles

8 comments