Steps to a Drupal Security Review

As we developed our security review offering we came up with this outline. We don't follow all the steps on every site because sites sometimes have specific concerns that we want to address before the general set. But this is our exhaustive list of steps. Note that this is only about the Drupal portion of the stack. There is an array of things you could also analyze at the webserver, database server, operating system, network and even data center levels of the stack.

The first are relatively simple to perform. The last three (manual review, and putting it all in a report) are the hardest.

Steps to review a Drupal site's security

Automated or semi-automated steps:

Santize the database, remove all e-mail addresses, remove passwords, etc.
Install one or more of mail_logger, reroute_email, advanced_mail_reroute, maillog so that your testing won't accidentally send mails.
Is core modified anywhere? Are their contribs modified anywhere? check with Hacked!
Are those modifications documented somewhere or just modified? Ideally patch files should exist somewhere like /sites/example.com/patches/ or in the module directory itself with a Drupal.org issue number and comment number as part of the patch name).
Install Security Review module on the live site and local site and make sure it passes
Use a stronger than normal rainbow table to find anyone who has an advanced role and a weak password (See this issue for some related work).
Run Coder Security on all contributed modules and custom code
Run Secure Code Review on contributed modules and all custom code

Manual steps:

Install vuln and browse the site as a human
Interview the client: What does the site do? What can users do on the site? What content can they post, what fields can they edit? Based on those interviews
Probe the site, entering fuzz content and/or Javascript
Manually review the custom theme
Manually review custom code

The manual review is based on knowledge of secure coding practices. That can be gained from reading the handbook and reading Cracking Drupal.

Suggestions and report:

Suggest SSL, especially for logins and admins, if they run a site where that is worth it
Suggest OpenID (part of core), Janrain Engage, etc. so that credentials like username/password can be remembered once and used on multiple sites.
Prepare report for issues including
- a narrative describing the above process
- prioritized vulnerability list with severity and estimated difficulty to fix
- reference material describing vulnerabilities found (e.g. what is XSS?)
- screenshots of vulnerabilities where applicable
- a general assessment of the site

Originally posted on drupalscout.com

The Book, The Report

Cracking Drupal: A Drop in the Bucket

Written by a Drupal expert, this is the first book to reveal the vulnerabilities and security issues that exist in the sites that have been built with Drupal and how to prevent them from continuing.

Drupal Security White Paper

Curious about Drupal's security? Consider Drupal but want to make sure it's good enough? Read the Drupal Security Report

Security Review Module

If you are concerned about whether your site is secure, consider using the Security Review Module to get a free review of your site's security health. Did it find problems? Consider hiring a security expert from Drupal Scout to audit your site.

Recent Blog Posts

Improvements to Security in Drupal 7

Posted by greggles

0 comments
Why counting vulnerabilities is not a sufficient method of comparing product security

Posted by greggles

0 comments
Notes from Linux Security Tunables by Kees Cook

Posted by greggles

0 comments