Maintaining Drupal Security

Drupal Security

Creating and maintaining a secure site is a primary concern of many developers and administrators. The past few years have shown a dramatic rise in publicized data breaches. Cyberattacks and hacking have been flagged as ever-growing threats and pressure has increased to secure both private and public sector data.

Many types of attacks can put a site at risk, including SQL injection and cross-site scripting. Even more worrying for companies is the data in Verizon’s 2013 report, which describes the demographics of those affected and the types of attacks executed. 75% of attacks were found to be untargeted and opportunistic. Furthermore, over 30% of companies included in the report were businesses with under 100 employees; 79 were in retail. One might think that because a business is small and less important than a big corporation, it will not be affected as much. The data shows only that small businesses are likely to be safe from targeted attacks – not that they are free from danger.

Thus, those who worry about security have legitimate concerns. However, with the right precautions and awareness, the chance of becoming a victim is greatly diminished. Drupal can help. Those using Drupal can rely on experienced developers to close security gaps and write secure code. Drupal is known for its good practices and secure framework, setting an example for other CMSs. For example, according to an Associated Press article, the White House expected Drupal to make its site more secure.

On his blog, Dries Buytaert, creator of Drupal, spoke of the project’s dedication to security. He notes that Drupal was one of the first CMSs to have a dedicated security team, and that it remains the most transparent and responsive. He wants Drupal users and coders to have the tools to make great modules while also being held accountable for following best practices.

Open-Source Security

It is easy to associate open-source software with 'lesser products' than their commercial counterparts. However, the two should not be confused. In many cases, developers coding for free do not have the same resources as an in-house team at a company. That said, Drupal is not small – it has a large developer and user base committed to producing the best product available.

The heart of the matter, though, is security. Where security is concerned, open-source is optimal. It is at least as secure as, and often more secure than, a proprietary option. Why? Anyone can look at the code to find, report, or fix security holes. A closed-source project has a small team that is limited in its ability to spot errors and vulnerabilities.

A comprehensive audit further illustrates the power of open-source: it revealed that at least 90% of security holes found in Drupal sites were the result of custom themes or modules – closed-source projects. These errors were made by developers who did not have the scrutiny of the Drupal community to support them.

Additionally, an IBM report on open-source software found that a ‘community-wide review and audit’ was faster and sometimes more thorough. The report suggests that contributing developers try to make their code secure in order to remain trusted and esteemed members of the community. The speed of a security fix is also important. Open-source projects may have multiple programmers working on fixes at once. Closed-source programmers, on the other hand, are limited in number and likely have many things to do other than attend to a single fix.

One last benefit of open-source is that anyone can audit or evaluate core. Even those not using the software may find weaknesses and publicly recommend against using it. No such warning has been issued about Drupal.

Drupal Security Team

Though open-source has the potential to be one of the best ways to ensure secure code, it needs to be fostered. Such a task is entrusted to the Drupal Security Team. It was established in 2005 and currently has 42 experienced members. Issue reports are submitted to these individuals when users find errors in the publicly available code.

To resolve the issues, the team reviews how much the bug affects supported Drupal releases. They contact the group in charge of the code (whether it be in the core or a contributed module) to offer advice about fixing it. If the vulnerability is not patched, it is made clear to users that the module is unsupported because the developer chose not to fix it. However, if it is fixed, it is thoroughly tested and only released once it has been deemed secure.

The team’s job is not limited to receiving and responding to error report tickets. They actively assist others with making secure code and modules by providing security-related documentation to developers. In addition, they present at major Drupal meetings like DrupalCon events and camps. They raise awareness about best practices and provide relevant security information to administrators and coders.

To be a part of the security team, a user must be a valued and trusted community member, proven by a track record. This record would include notifying the team of security concerns and following correct channels in doing so. It also means working to make fixes for issues, meeting members of the team at conventions, and helping with public issue queues.

Drupal Security Report

A lot of people might not expect Drupal to have its own security white paper. However, to show its dedication to ensuring a secure CMS, Drupal published its own Drupal Security Report, sponsored by a variety of expert Drupal firms like Acquia, Cydeck, and Chapter Three.

Free for anyone to download, this report gives historical information, trends, and current data about the state of Drupal security. It provides those unsure or unconvinced of Drupal’s secure nature with the information needed to judge for themselves. For example, the document includes a chart of the types of vulnerabilities reported in the core and contributed parts of Drupal.

Internal Security Resources

The Drupal Administration Guide has a whole chapter devoted to securing your site. Topics include using HTTPS, different security risk levels, and a comprehensive guide about how to secure files using permissions. These topics are not the only ones covered – it will tell you how to configure for security and, equally as important, what not to do.

One subchapter suggests contributed modules and explains how to use them. You can sort through many different categories such as session management, securing files, and IP & email blacklisting. Most of this section of the Administration Guide focuses on protecting your site by boosting security. It also features a section on what to do if your site is hacked, where the security team provides a template for the information to send them so the problem can be addressed immediately.

People can check best practices on the Security Drupal group. Developers may receive community support here before releasing a module. Once again, the Drupal community provides its users with unrivaled assistance. Usually this kind of service would require paying an external security firm.

Drupal security advisories are very important resources for any Drupal administrator. They are meant to point out potential security vulnerabilities and offer solutions. Each advisory notifies users of which version is affected, how serious the risk is, from where it is exploitable, and which vulnerability is taken advantage of.

The advisories are not necessarily big issues, but they encourage administrators to keep their version of Drupal as up-to-date as possible. To do so often entails upgrading to a slightly newer core or module version that includes new safeguards. Three categories of advisories are maintained – Drupal core, contributed projects, and public service announcements. Users can subscribe to a mailing list to be notified of any new security advisories.

External Auditing

In addition to the assistance that Drupal gives its users, site administrators can ensure their site security is airtight through other channels. Third parties can be hired to audit sites and provide an objective analysis of holes found. Using one of these services can be a good idea if custom code is added or if sensitive information is stored on the site.

One example is Acquia Insight, the service offered by the trusted Drupal experts at Acquia. This software automatically tests your site’s configuration settings. Any that might make the site insecure are listed and suggestions are given. Checks for specific versions and distributions of Drupal are also run. Tests include analyzing code and checking for patches to keep a site updated. With the site score (out of 100) it gives, Insight makes essential security easier for administrators.

Acquia also offers a personal Security Audit. After establishing what the administrator’s expectations are, they test the site manually and review configurations not only for Drupal, but also the supporting PHP, MySQL, and Apache. Using Acquia in this capacity will not require the administrator to do much at all – Acquia even upgrades the site and installs updates, evaluating again once they are in place.

Sucuri is a web security and malware-removal service that monitors changes to a site and removes malware. Although not specific to Drupal, Sucuri and services like it are useful because they provide general security maintenance.

Security Modules

Drupal developers and users can also take an active role in managing the security of their sites by installing security-related modules. A number of modules have been developed for this very purpose.

The Security Review module is one of the most popular security modules and functions similarly to Acquia Insight. It automatically tests for a number of mistakes users often make. Configuration settings it checks include file permissions, input (text) formats, allowed file extensions for uploads, and passwords included in emails. Failed logins are also logged. Using Security Review to catch mistakes can be a beneficial safeguard.
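As an added illustration in Python (not the Security Review module’s own code, which is PHP), the script below performs four checks of the kind described above over a constructed site configuration: allowed upload extensions, unsafe tags in text formats, a password token in user e-mail templates, and file permission bits. The denylists, the `[user:password]` token name and the permission thresholds are assumptions made for the example; real token names and recommended modes vary by Drupal version.

```python
"""Configuration review in the spirit of the Security Review module (example code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from stat import S_IWGRP, S_IWOTH

# Upload extensions a web server may execute or a browser may run as script.
# Assumed denylist for this example, not the module's own list.
DANGEROUS_EXTENSIONS = frozenset(
    {"php", "phtml", "php3", "php5", "phar", "pl", "py", "cgi", "sh", "exe", "js", "html", "htm", "svg"}
)
# Tags that let a text format carry script or active content (assumed list).
UNSAFE_TAGS = frozenset({"script", "iframe", "object", "embed", "style", "link", "meta", "form"})
# Assumed token name; the real user-mail tokens differ between Drupal versions.
PASSWORD_TOKEN = re.compile(r"\[user:password\]", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    check: str   # which check produced it
    detail: str  # what was found


def check_upload_extensions(allowed: str) -> list[Finding]:
    """Flag allowed upload extensions (space-separated, as in field settings) that could be served as code."""
    exts = {e.strip().lower().lstrip(".") for e in allowed.split()}
    return [Finding("upload_extensions", ext) for ext in sorted(exts & DANGEROUS_EXTENSIONS)]


def check_text_formats(formats: dict[str, str]) -> list[Finding]:
    """Flag text formats whose allowed-HTML list includes an unsafe tag."""
    findings = []
    for name, allowed_html in formats.items():
        tags = {t.lower() for t in re.findall(r"<\s*([a-z0-9]+)", allowed_html, re.IGNORECASE)}
        findings.extend(Finding("text_formats", f"{name}: <{tag}>") for tag in sorted(tags & UNSAFE_TAGS))
    return findings


def check_mail_templates(templates: dict[str, str]) -> list[Finding]:
    """Flag user e-mail templates that would put the account password in a message."""
    return [Finding("mail_templates", name) for name, body in templates.items() if PASSWORD_TOKEN.search(body)]


def check_file_modes(modes: dict[str, int]) -> list[Finding]:
    """Flag world-writable paths and a settings.php writable by group members.

    `modes` maps a path to its permission bits (os.stat(p).st_mode & 0o777);
    passing them in keeps the check deterministic without a real filesystem.
    """
    findings = []
    for path, mode in modes.items():
        if mode & S_IWOTH:
            findings.append(Finding("file_modes", f"{path} is world-writable ({mode:o})"))
        elif path.endswith("settings.php") and mode & S_IWGRP:
            findings.append(Finding("file_modes", f"{path} is group-writable ({mode:o})"))
    return findings


def review(config: dict) -> list[Finding]:
    """Run every check and return the combined list of findings."""
    return (
        check_upload_extensions(config["upload_extensions"])
        + check_text_formats(config["text_formats"])
        + check_mail_templates(config["mail_templates"])
        + check_file_modes(config["file_modes"])
    )


# Constructed sample configuration with a few deliberate mistakes.
SAMPLE_CONFIG = {
    "upload_extensions": "jpg jpeg gif png txt doc pdf php",
    "text_formats": {
        "filtered_html": "<a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li>",
        "full_html": "<a> <em> <strong> <script> <iframe>",
    },
    "mail_templates": {
        "register_no_approval_required": "Your new password is [user:password].",
        "password_reset": "A request to reset the password for your account has been made.",
    },
    "file_modes": {
        "sites/default/settings.php": 0o664,
        "sites/default/files": 0o755,
        "sites/default/files/tmp": 0o777,
    },
}

if __name__ == "__main__":
    for f in review(SAMPLE_CONFIG):
        print(f"[{f.check}] {f.detail}")
```

Run against the sample configuration, the script reports the `php` upload extension, the `<script>` and `<iframe>` tags in the full_html format, the registration e-mail that embeds the password, the group-writable settings.php and the world-writable tmp directory; a clean configuration yields an empty list, which is the condition an administrator wants to see before going live.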

Login History and Persistent Login are two session security tools. Login History will create a table to log user login timestamps. Persistent Login can be used to control how long logins are remembered and which pages remember credentials. These modules enable administrators to check for irregularities and oversee regular operations.
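As an added example in Python (not the Login History module’s own code), the script below reads constructed login records of the kind such a table holds (timestamp, account name, client address and outcome) and flags two irregularities an administrator would want to check: a burst of failed logins from one address, and a successful login for an account from an address that account has never used before. The record format, the failure threshold and the time window are assumptions for the example.

```python
"""Login irregularity checks over login-history records (example code, not a Drupal module)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    when: datetime
    name: str     # account name
    ip: str       # client address
    success: bool


@dataclass(frozen=True)
class Alert:
    kind: str
    when: datetime
    name: str
    ip: str
    detail: str


def parse_events(lines):
    """Parse constructed records of the form '<ISO timestamp> <account> <ip> <success|failure>'."""
    events = []
    for line in lines:
        when, name, ip, outcome = line.split()
        events.append(LoginEvent(datetime.fromisoformat(when), name, ip, outcome == "success"))
    return events


def detect(events, threshold=5, window=timedelta(seconds=60)):
    """Return alerts for failed-login bursts per address and for successes from an address new to the account."""
    alerts = []
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    known_ips = defaultdict(set)    # account -> addresses it has logged in from
    for ev in sorted(events, key=lambda e: e.when):
        if not ev.success:
            recent = failures[ev.ip]
            recent.append(ev.when)
            while ev.when - recent[0] > window:   # drop failures that fell out of the window
                recent.popleft()
            if len(recent) == threshold:          # fire once, when the threshold is reached
                alerts.append(Alert("failed_login_burst", ev.when, ev.name, ev.ip,
                                    f"{threshold} failures within {int(window.total_seconds())}s"))
            continue
        # A success from an address this account has never used is worth a look;
        # the account's first recorded login only seeds its baseline.
        if ev.name in known_ips and ev.ip not in known_ips[ev.name]:
            alerts.append(Alert("new_ip_login", ev.when, ev.name, ev.ip,
                                f"previously seen from {sorted(known_ips[ev.name])}"))
        known_ips[ev.name].add(ev.ip)
    return alerts


# Constructed sample records; addresses are from the documentation ranges.
SAMPLE_LOG = [
    "2013-07-01T08:59:10 admin 198.51.100.4 success",
    "2013-07-01T09:00:02 admin 203.0.113.7 failure",
    "2013-07-01T09:00:05 admin 203.0.113.7 failure",
    "2013-07-01T09:00:09 admin 203.0.113.7 failure",
    "2013-07-01T09:00:14 editor 203.0.113.7 failure",
    "2013-07-01T09:00:20 admin 203.0.113.7 failure",
    "2013-07-01T09:00:31 admin 203.0.113.7 success",
    "2013-07-01T12:30:00 editor 198.51.100.9 success",
    "2013-07-02T08:58:40 admin 198.51.100.4 success",
]

if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(f"{a.when.isoformat()} {a.kind}: {a.name} from {a.ip} ({a.detail})")
```

On the sample records the burst alert fires at the fifth failure from 203.0.113.7, and the admin login that follows from the same address is reported as a new-address login because admin had only ever logged in from 198.51.100.4; the editor’s first success seeds that account’s baseline without an alert. The burst counter is keyed on the address rather than the account so that failures spread across several account names, as in the sample, are still counted together.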

If you use SSL on your site or have a certificate, you may use Secure Pages to redirect pages to SSL pages. This functionality can be used to ensure administrative duties can only happen on secure parts of your site.

For Drupal developers or those working with Drupal backend code, Coder includes the Coder Review. This tool attempts to correct code according to Drupal API modifications and recognizes code not in line with Drupal code standards. Developers can use it to fix their code and make it more secure – others can use it to verify an underlying level of security.

As long as you remain attentive and install updates, Drupal will grant you a secure website. In the modern Internet environment, such a solution is optimal.