Free resources online for protecting your Drupal site
There are lots of great resources online about how to secure your Drupal site. The CrackingDrupal.com site is meant to be one of those resources, but there are also others available elsewhere. Here are some of the best resources available from around the internet with Drupal-specific security information.
Drupal.org Handbooks
The Drupal.org handbooks are probably the most natural place to look, and in fact they have three great areas of resources.
- Writing secure code provides advice about secure code. It can be a bit hard to understand the flow and examples, but this is still a great resource.
- Secure configuration looks at the non-code aspects of configuring your site.
- Security team provides insight into the policies and procedures of the Drupal Security Team. It's the policies which are most important to a typical user.
University of Pennsylvania School of Arts and Sciences Pages
The University of Pennsylvania is using Drupal for a lot of different sites. They have been actively reviewing and finding problems in Drupal's contributed modules for over a year now. They are also providing documentation (on their site) about how to secure Drupal.
Some examples:
- Drupal Security Configuration
- Drupal approved modules, which means that they have reviewed the modules for security problems.
- Drupal security considerations provides some Penn-specific and some general advice about Drupal sites.
Nadeau Software Consulting
The Nadeau Software Consulting company provides an extensive online resource in 3 parts. Their advice comes from a strong system administrator perspective about how to secure Drupal within the context of Linux/Apache.
- Drupal and Apache Web Site Security Checklist, part 1
- Drupal and Apache Web Site Security Checklist, part 2
From CrackingDrupal.com
Aside from this blog there are a few other resources on this site:
- List of security focused contributed modules
- Text filtering cheat sheet for developers and themers
- A PDF version of Cracking Drupal Chapter 1 and the table of contents.
Other blog sites
Safe string theory for the web by Steven Wittens is a great resource. One final mention is Heine Deelstra's Blog which covers a lot of things but also frequently covers security.
Edited to include more resources from this site and Steven Wittens' site.
Comments
I'd also add Steven Wittens' treatise Safe String Theory for the Web as a straightforward and thorough explanation of how to handle strings in various contexts.
The treatise of Wittens' is very helpful for understanding how to handle strings. This blog is also helpful in making Drupal more secure. The XSS cookie issue and Administrator Blocks permissions are only two helpful tips I've come across on here thus far. Kudos guys!
Jason