Doing Drupal security right
Gábor Hojtsy, Acquia
May 7th 2011, Drupalcamp Stockholm
With special thanks to Four Kitchens, Greg Knaddison and Jakub Suchy
Why I’m here?


• Maintainer for Drupal 6
• De-facto member of the security team
Why are you here?

• Managers?
• Site builders?
• Themers?
• Developers?
Doing Drupal security right
Are you affected?
With relatively simple holes,
your administrator user can
be taken over.
Open Web Application Security Project’s Top 10 risks
http://owasptop10.googlecode.com/files/OWASP Top 10 - 2010.pdf
Security misconfiguration
Heard of the wordpress.com attack?
Secure server

• Avoid plain FTP at all cost: it sends your credentials and files in cleartext (Total Commander’s FTP client is a common offender); use SFTP or SCP instead
• Who do you share your server with? Are you confident in them? Do you run other apps on it?
• Keep your OS, PHP, SQL server, etc. up to date
Secure Drupal

• Is your admin password “admin”?
• Look at all “administer *” permissions
• “administer filters” alone can take over a site: it decides which roles get which input formats
• Use update.module and watch the security announcements (advisories are published on Wednesdays)
Secure Drupal

• Avoid any kind of PHP input (the PHP filter module): code stored in the database runs with the site’s full privileges; write your own modules instead
• Look into using paranoia.module, which blocks the ways PHP can be evaluated through the web interface
• Watch your input formats and who may use them (misconfigured formats are easy to find with a search engine)
Injection
index.php?id=12

// Vulnerable: $_GET['id'] is concatenated straight into the SQL string,
// so ?id=12 OR 1=1 rewrites every row of the table.
mysql_query("UPDATE mytable SET value = '" . $value . "' WHERE id = " . $_GET['id']);
Drupal approach

• db_query("UPDATE {mytable} SET value = :value WHERE id = :id", array(':value' => $value, ':id' => $id));
• Placeholders carry values only, never table or column names; if you need dynamic identifiers in a query, see db_escape_table()
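Added example, not code from the slides: the concatenated query and the placeholder query side by side, run against an in-memory SQLite database through PDO so it works without a Drupal bootstrap. PDO stands in for db_query(), and escape_identifier() is this example's own stand-in for db_escape_table() (assumed to be a character allowlist); the table, rows and the injected id are constructed here.

```php
<?php
// Added example: string concatenation vs. a parameterised query.
declare(strict_types=1);

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE mytable (id INTEGER PRIMARY KEY, value TEXT)');
    $db->exec("INSERT INTO mytable (id, value) VALUES (12, 'old'), (13, 'old')");
    return $db;
}

// The slide's vulnerable pattern: the id from the URL becomes part of the SQL text.
function update_vulnerable(PDO $db, string $value, string $id): void {
    $db->exec("UPDATE mytable SET value = '" . $value . "' WHERE id = " . $id);
}

// The Drupal pattern: named placeholders; the driver sends the values
// separately from the statement, so they can never change its structure.
function update_safe(PDO $db, string $value, string $id): void {
    $stmt = $db->prepare('UPDATE mytable SET value = :value WHERE id = :id');
    $stmt->execute([':value' => $value, ':id' => $id]);
}

// Placeholders cannot carry identifiers. Stand-in for db_escape_table():
// keep only plain identifier characters (assumption: Drupal's function is
// an allowlist of this kind). Better still, pick the name from a fixed list.
function escape_identifier(string $name): string {
    return preg_replace('/[^A-Za-z0-9_.]+/', '', $name);
}

function values(PDO $db): array {
    return $db->query('SELECT id, value FROM mytable ORDER BY id')
              ->fetchAll(PDO::FETCH_KEY_PAIR);
}

$id = '12 OR 1=1';   // constructed attacker-controlled ?id= value

$db = make_db();
update_vulnerable($db, 'new', $id);
var_dump(values($db));   // the OR clause makes the WHERE true for every row

$db = make_db();
update_safe($db, 'new', $id);
var_dump(values($db));   // '12 OR 1=1' is compared as a value; no row matches

// A dynamic column name goes through the identifier filter, not a placeholder.
$column = escape_identifier("value; DROP TABLE mytable; --");
$db->exec("UPDATE mytable SET $column = 'x' WHERE id = 12");
var_dump(values($db));
```

The stripped identifier in the last step is still an attacker-influenced name, so a query built this way should also only accept names from a list the module defines.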
Cross Site Scripting (XSS)
index.php?id=12

print $_GET['id'];   // reflected XSS: the parameter is echoed without escaping

$output .= $node->title;   // stored XSS: the title is user-supplied and unescaped

Giving users the Full HTML input format has the same effect.
64% likelihood that a website has cross-site scripting issues
https://www.whitehatsec.com/assets/presentations/11PPT/PPT_topwebvulns_030311.pdf
// Runs in the administrator's browser through an XSS hole: the form token
// is readable same-origin, so CSRF protection does not stop this.
jQuery.get('/user/1/edit',
  function (data, status) {
    if (status == 'success') {
      var p = /id="edit-user-edit-form-token" value="([a-z0-9]*)"/;
      var matches = data.match(p);
      var token = matches[1];
      var payload = {
        "form_id": 'user_edit',
        "form_token": token,
        "pass[pass1]": 'hacked',
        "pass[pass2]": 'hacked'
      };
      jQuery.post('/user/1/edit', payload);
    }
  }
);

Example from Heine Deelstra, Drupal Security team lead
http://heine.familiedeelstra.com/change-password-xss
Drupal approach

• check_plain() to escape text to HTML
• check_markup() to format text to HTML
• filter_xss() to filter text to HTML
• filter_xss_admin() to filter admin text to HTML
• node_view($node) instead of $node->body
Drupal approach
• t(), format_plural() placeholders: %name (escaped and emphasised), @url (escaped), !insecure (inserted as-is, only for markup that is already safe)

  if (valid_url($user->profile_blog, TRUE)) {
    $output = t('%name has a blog at <a href="@url">@url</a>', array('@url' => drupal_strip_dangerous_protocols($user->profile_blog), '%name' => $user->name));
  }

  (valid_url() only returns TRUE or FALSE, so it cannot be used as the placeholder value itself; @ escapes HTML but does not reject a javascript: URL, hence the protocol stripping before the value goes into an href; in Drupal 6 use check_url() with a ! placeholder, since check_url() already escapes)
• Use Drupal.t(), Drupal.formatPlural() in JS.
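Added example, not Drupal's code: a minimal stand-in for check_plain() and for the three t() placeholder kinds, so the difference between %, @ and ! can be seen without a Drupal bootstrap. The function bodies are this example's own (they follow the behaviour the slides describe: @ escapes, % escapes and wraps in an emphasis tag, ! inserts as-is); the profile data is constructed.

```php
<?php
// Added example: what each t() placeholder kind does with attacker-controlled text.
declare(strict_types=1);

function check_plain_stub(string $text): string {
    // check_plain() is htmlspecialchars() with ENT_QUOTES and UTF-8.
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function t_stub(string $string, array $args = []): string {
    foreach ($args as $key => $value) {
        switch ($key[0]) {
            case '@':   // escaped
                $args[$key] = check_plain_stub($value);
                break;
            case '%':   // escaped and emphasised
                $args[$key] = '<em class="placeholder">' . check_plain_stub($value) . '</em>';
                break;
            case '!':   // inserted as-is: only for markup that is already safe
                break;
        }
    }
    return strtr($string, $args);
}

// Stand-in for drupal_strip_dangerous_protocols(): allow only a few schemes.
function strip_dangerous_protocols_stub(string $uri): string {
    if (preg_match('#^([a-z][a-z0-9+.\-]*):#i', $uri, $m)
        && !in_array(strtolower($m[1]), ['http', 'https', 'mailto', 'ftp'], true)) {
        return substr($uri, strlen($m[0]));   // drop the scheme, keep the rest
    }
    return $uri;
}

// Constructed attacker-controlled profile fields.
$name = '<img src=x onerror="alert(document.cookie)">';
$url  = 'javascript:alert(1)';

// % and @: the tag is rendered as text and the URL loses its scheme.
echo t_stub('%name has a blog at <a href="@url">@url</a>',
            ['%name' => $name, '@url' => strip_dangerous_protocols_stub($url)]), "\n";

// ! with untrusted input: the tag is live. This is the XSS the slides warn about.
echo t_stub('!name has a blog at <a href="@url">@url</a>',
            ['!name' => $name, '@url' => $url]), "\n";
```

The second line also shows why escaping alone is not enough for an href: @ turns `<` into `&lt;` but leaves `javascript:` intact, so a URL must be protocol-filtered as well as escaped.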
Always consider the
type of output needed
Authentication & sessions
• Weak password storage and
 account management
• Session hijacking / fixation
• Lack of session timeout /
 logout
Drupal approach

• Passwords are stored as one-way hashes, not encrypted (Drupal 7 salts and stretches them; Drupal 6 used unsalted MD5)
• Session ID is regenerated when privileges change (e.g. on login), which defeats session fixation
• Drupal works with Apache’s SSL transport
• Modules to force certain URLs onto SSL
Insecure direct object references
index.php?id=12

// Injection-safe, but no access check: any visitor can read any node by changing the id
db_query("SELECT * FROM {node} WHERE nid = :id", array(':id' => $_GET['id']));
Drupal approach

• Menu system handles permission checking (access callback / access arguments); a %node wildcard in the path loads the node and returns 404 for you
• user_access('administer nodes', $account)
• node_access('update', $node, $account) (the operations are view, update, delete and create; there is no 'edit')
• $select->addTag('node_access') so node grants are applied inside the query
• Form API checks for data validity
Cross Site Request
 Forgery (CSRF)
<img src="http://example.com/user/logout" />   (logs out any logged-in visitor who loads the attacker’s page)

http://example.com/index.php?delete=12   (a state change reachable by GET)

<img src="http://example.com/index.php?delete=12" />   (the same request, sent with the victim’s cookies from any page they visit)
Drupal approach
• Form API works with POST submissions by default (makes it harder)
• Form API includes form tokens, requires form retrieval before submission, checks valid values
• drupal_get_token() / drupal_valid_token() generate and validate tokens for actions that must stay GET links
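Added example, this example's own code rather than Drupal's: a per-session, per-action token for a link that has to stay GET, modelled on what drupal_get_token() and drupal_valid_token() do (an HMAC over the action name keyed with the session id and the site private key). The private key, session id and delete action are constructed here; in Drupal the key comes from drupal_get_private_key() and the session id from session_id(). It runs with plain PHP.

```php
<?php
// Added example: CSRF token for a GET action, in the style of drupal_get_token().
declare(strict_types=1);

const SITE_PRIVATE_KEY = 'constructed-per-site-random-key-0123456789abcdef';

function get_token(string $sessionId, string $value): string {
    // The HMAC binds the token to this session and to this action ("delete-12").
    return hash_hmac('sha256', $value, $sessionId . SITE_PRIVATE_KEY);
}

function valid_token(string $sessionId, string $token, string $value): bool {
    // Constant-time comparison so the check does not leak via timing.
    return hash_equals(get_token($sessionId, $value), $token);
}

function delete_link(string $sessionId, int $id): string {
    $token = get_token($sessionId, 'delete-' . $id);
    return '/index.php?delete=' . $id . '&token=' . rawurlencode($token);
}

// Server side of index.php?delete=N&token=T
function handle_delete(string $sessionId, array $get): string {
    $id    = (int) ($get['delete'] ?? 0);
    $token = (string) ($get['token'] ?? '');
    if ($id <= 0 || !valid_token($sessionId, $token, 'delete-' . $id)) {
        return 'denied';   // Drupal would respond with 403 (drupal_access_denied())
    }
    return "deleted $id";
}

$victimSession = 'sess-' . bin2hex(random_bytes(8));   // constructed session id

// Legitimate: the link the victim's own page rendered for them.
parse_str((string) parse_url(delete_link($victimSession, 12), PHP_URL_QUERY), $q);
echo handle_delete($victimSession, $q), "\n";

// CSRF: the attacker's <img src="http://example.com/index.php?delete=12">
// carries the victim's cookies but no token, and the attacker cannot compute
// one without the session id and the site key.
echo handle_delete($victimSession, ['delete' => '12']), "\n";

// A token captured for one action does not work for another.
echo handle_delete($victimSession, ['delete' => '13', 'token' => $q['token']]), "\n";
```

Note what the token does not protect against: a script already running in the victim's browser (the XSS example earlier) can read the rendered link, token included, which is why XSS fixes come before CSRF tokens.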
Insecure cryptographic storage
Drupal approach
• Drupal stores user passwords as salted one-way hashes (hashed, not encrypted: nothing on the server can recover them; Drupal 6 used unsalted MD5)
• A different random private key is generated on each site (drupal_get_private_key()); it seeds form and link tokens and can serve as a key for reversible encryption of secrets the site must read back later
• Up to you to ensure backups (database dumps contain the hashes and the private key) are properly protected
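Added example, this example's own code and not Drupal's user_hash_password(): one-way hashing for passwords next to keyed, reversible encryption for a secret the site must read back, the two cases the slide contrasts. PHP's password_hash() (bcrypt) stands in for Drupal 7's salted, stretched scheme; the per-site key, the passwords and the API token are constructed here. It runs with plain PHP (openssl extension).

```php
<?php
// Added example: hashed passwords vs. an encrypted secret under a per-site key.
declare(strict_types=1);

// Drupal 6 style: unsalted MD5. Two users with the same password share a
// hash, and a leaked table can be attacked with precomputed tables.
function hash_md5_legacy(string $password): string {
    return md5($password);
}

// Drupal 7 style in spirit: per-user random salt and a slow, iterated hash.
function hash_password(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function check_password(string $password, string $stored): bool {
    return password_verify($password, $stored);
}

// Reversible encryption with the per-site private key (constructed here; in
// Drupal it would be drupal_get_private_key()). For an API secret the site
// itself must send later, never for passwords.
const SITE_PRIVATE_KEY = 'constructed-random-private-key-for-this-site';

function encrypt_secret(string $plain): string {
    $key = hash('sha256', SITE_PRIVATE_KEY, true);   // derive a 32-byte key
    $iv  = random_bytes(12);                          // fresh GCM nonce per message
    $tag = '';
    $ct  = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $ct);
}

function decrypt_secret(string $blob): ?string {
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;
    }
    $key = hash('sha256', SITE_PRIVATE_KEY, true);
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;   // false also when the tag fails (tampering)
}

$alice = hash_password('correct horse');
$bob   = hash_password('correct horse');
echo $alice !== $bob ? "salted: same password, different hashes\n" : "";
echo check_password('correct horse', $alice) ? "verify ok\n" : "verify failed\n";
echo hash_md5_legacy('correct horse') === hash_md5_legacy('correct horse')
    ? "md5: identical for both users, no salt\n" : "";

$blob = encrypt_secret('api-token-xyz');
echo decrypt_secret($blob), "\n";
```

The backup caveat from the slide applies to both halves: a dump that contains the hashes can be brute-forced offline, and a dump that contains the private key decrypts every secret stored with it.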
Failure to restrict URL access
Drupal approach


• Menu system uses access callback and
  access arguments
• Continually review permissions
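Added example, not from the slides: the access pattern from the "Insecure direct object references" and "Failure to restrict URL access" sections written out against Drupal 7's hook_menu(), node_access() and db_select() APIs. It needs a Drupal 7 site to run; the module name mymodule, its paths and the small form are invented for the illustration.

```php
<?php
// Added example: let the menu system and node_access() decide, instead of
// reading an id from the URL and querying it directly.

/**
 * Implements hook_menu().
 */
function mymodule_menu() {
  $items = array();

  // The %node wildcard runs node_load() on the third path component, so a
  // non-existent nid is a 404 before any of this module's code runs.
  $items['mymodule/node/%node/edit'] = array(
    'title' => 'Edit value',
    'page callback' => 'mymodule_edit_page',
    'page arguments' => array(2),
    // node_access() receives the loaded node and consults node-grant
    // modules, so private-content modules are honoured automatically.
    'access callback' => 'node_access',
    'access arguments' => array('update', 2),
    'type' => MENU_CALLBACK,
  );

  // A listing page: the permission check is declarative (user_access() is
  // the default access callback) and the query is tagged so
  // hook_query_node_access_alter() filters out nodes this user may not see.
  $items['mymodule/list'] = array(
    'title' => 'My nodes',
    'page callback' => 'mymodule_list_page',
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

function mymodule_edit_page($node) {
  // $node has already passed node_access('update'); there is no $_GET['id']
  // to tamper with and no way to reach another node by editing the URL.
  return drupal_get_form('mymodule_edit_form', $node);
}

function mymodule_edit_form($form, &$form_state, $node) {
  $form['nid'] = array('#type' => 'value', '#value' => $node->nid);
  $form['value'] = array(
    '#type' => 'textfield',
    '#title' => t('Value'),
    '#default_value' => $node->title,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Save'));
  return $form;
}

function mymodule_list_page() {
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.status', 1)
    ->addTag('node_access');   // enforce per-node grants inside the SQL
  $rows = array();
  foreach ($query->execute() as $row) {
    $rows[] = array(l($row->title, 'node/' . $row->nid));
  }
  return theme('table', array('header' => array(t('Title')), 'rows' => $rows));
}
```

The form's submit handler is left out; the point is that by the time mymodule_edit_page() runs, both the permission check and the object lookup have already happened in the menu layer, so the page callback cannot forget them.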
Insufficient transport protection
Drupal approach
• Run Drupal on top of full SSL
• Use securepages and securepages_prevent_hijack to wall off your important pages
• http://crackingdrupal.com/blog/greggles/drupal-and-ssl-multiple-recipes-possible-solutions
• Use a valid certificate
Unvalidated redirects
http://example.com/index.php?target=evil.com
Drupal approach

• Drupal has various internal redirections, which use local paths and generate URLs based on them
• Look for drupal_goto() and Form API #redirect instances in your modules and check that the target is never taken from the request unchecked, or is verified to be a local path (url_is_external() in Drupal 7) before use
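Added example, not Drupal's code: deciding whether a redirect target is local before honouring it, which is the check the bullet above describes. The is_local_path() function is this example's own (it rejects any scheme, a protocol-relative //host, and backslashes); the target list is constructed. It runs with plain PHP, and in Drupal the returned value is what you would hand to drupal_goto() or put in #redirect.

```php
<?php
// Added example: only redirect to paths on this site.
declare(strict_types=1);

function is_local_path(string $target): bool {
    // A scheme (http:, https:, javascript:, data:) means another origin or
    // script execution; "//host" is protocol-relative and also leaves the
    // site; browsers treat a backslash like a slash, so reject it outright.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $target)) {
        return false;
    }
    if (preg_match('#^[/\\\\]{2}#', $target)) {
        return false;
    }
    if (strpos($target, '\\') !== false) {
        return false;
    }
    return true;
}

function redirect_target(array $get, string $fallback = 'node'): string {
    $target = (string) ($get['target'] ?? '');
    return ($target !== '' && is_local_path($target)) ? $target : $fallback;
}

// Constructed ?target= values an attacker might try.
$cases = [
    'node/12',
    '/user/login',
    'evil.com',              // no scheme: a local path called "evil.com" on this site
    'http://evil.com',
    '//evil.com',
    '\\\\evil.com',
    'javascript:alert(1)',
];
foreach ($cases as $c) {
    printf("%-22s -> %s\n", $c, redirect_target(['target' => $c]));
}
```

The slide's own example, target=evil.com, is the instructive case: without a scheme it is just a path, and url() would turn it into http://example.com/evil.com on this site. The redirect becomes open only when the value carries a scheme or a leading //, so those are what the check has to refuse.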
Is Open Source
    secure?
“Open Source is secure”

• Open Source makes people look at it
• Popularity gets more eyes
• There are always more smart people to
  find and fix problems
“Open Source is insecure”
• People can equally find holes
• Some people (inadvertently) disclose
  issues in the public
• Fix becomes public and can / will be
  reviewed
Is Drupal secure?
Developers and users
• Drupal APIs are designed to be secure
• It is eventually up to programmers to
  use them that way
• http://drupal.org/writing-secure-code
• Tools designed for security can still be
  misconfigured
Drupal security team


A team of volunteers working to ensure the best possible security of Drupal and thousands of contributed modules
Design. Educate. Fix.
What’s supported?
• Drupal core and all(!) contributed
  projects on drupal.org
• Not actively looking for vulnerabilities
  in contributed modules
• Stable releases (development versions
  only for very popular modules)
• Only current and one earlier versions
  are supported: now 7.x and 6.x
Points of contact

• Releases at http://drupal.org/security
• Reporting issues: http://drupal.org/node/101494
• Reporting cracked sites: http://drupal.org/node/213320
Doing Drupal security right
These slides are (CC)
Images used:
http://www.flickr.com/photos/rtv/2398561954/
http://www.flickr.com/photos/jonk/19422564/
http://www.flickr.com/photos/duncan/2693141693/
http://www.flickr.com/photos/duncan/2742371814
http://www.flickr.com/photos/jontintinjordan/3736095793/
http://www.flickr.com/photos/djbrady/2304740173/
http://www.flickr.com/photos/inkytwist/2654071573/
http://www.flickr.com/photos/duncan/2741594585/
http://www.flickr.com/photos/shellysblogger/2924699161/
http://www.flickr.com/photos/blogumentary/434097609/
http://www.flickr.com/photos/glamhag/2214986176/
http://www.flickr.com/photos/duncan/2693140217/




This presentation created by Gábor Hojtsy
Licensed: http://creativecommons.org/licenses/by-nc-sa/2.0/
Questions?
Thank you!
Gábor Hojtsy, Acquia
     @gaborhojtsy
