Are you worried about the security of your Drupal installation and website? If so, we think that is a good thing: cyber-crime is on the rise, and it is in all our interests to stem the tide.
Responsible webmasters take every reasonable precaution to protect their website, and the valuable data it holds, from attackers.
Here we take a look at the current state of Drupal security.
Drupal Security in a nutshell
Because Drupal is developed in the open, the project publishes its vulnerability disclosures and their fixes for everyone to use.
The number of known vulnerabilities in Drupal is sometimes read as a sign that the code is less secure than other software. In part it is a product of Drupal's popularity, and of the project's policy of disclosing every issue it fixes.
The Drupal Security Team publishes these disclosures as 'Security Advisories' on a regular basis. Each advisory gives webmasters and site administrators an immediate path to safety: the necessary patch, an upgraded release, or other mitigation instructions.
Drupal core itself is now a relatively mature codebase that has been heavily peer-reviewed over time, which helps, and it has also been professionally audited.
Use Drupal APIs correctly
Drupal's core APIs address the critical and common security risks when they are used correctly, but correct usage depends on the skills of the individual web developer.
It is fair to say that the majority of vulnerabilities are found in site-specific code, whether third-party or custom, that does not use Drupal's APIs correctly. The same applies equally to other platforms such as WordPress and Joomla.
In Drupal, cross-site scripting (XSS) vulnerabilities are all too common: user-supplied text is output without being escaped for the HTML context it lands in, and the best practices for doing so are not always understood or communicated well enough. This is an area to pay particular attention to, in our opinion.
Drupal 7 and now Drupal 8 have made huge advances in supplying safer defaults compared to previous versions, but the APIs are still not uniform: a developer has to know which functions escape their input and which do not.
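The XSS pattern described above, shown as the vulnerable snippet beside its escaped form. This is an added example, not code from the original page or from the Drupal project. Drupal 7's check_plain() and Drupal 8's Html::escape() both come down to htmlspecialchars($text, ENT_QUOTES, 'UTF-8'), so that call is used directly here and the script runs under plain `php` with no Drupal bootstrap; the sample input is constructed and the function names render_unsafe, render_safe and escape_html are this example's own.

```php
<?php
// Added example (not from the original page or the Drupal project): the
// unsafe output pattern beside the escaped one. check_plain() in Drupal 7 and
// Html::escape() in Drupal 8 reduce to the htmlspecialchars() call below.

// Constructed sample input: a "display name" an attacker might submit.
$untrusted = '<img src=x onerror="alert(document.cookie)">';

// Vulnerable: user input concatenated straight into HTML. In Drupal 7 this is
// the same mistake as t('Hello !name', array('!name' => $name)), because '!'
// placeholders are inserted verbatim.
function render_unsafe(string $name): string
{
    return '<p>Hello ' . $name . '</p>';
}

// Escape for the HTML body / quoted-attribute context. Equivalent to
// check_plain($name) in Drupal 7 or Html::escape($name) in Drupal 8.
function escape_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hardened: escape at output time. The same result comes from
// t('Hello @name', array('@name' => $name)), since '@' placeholders are
// escaped for you, or from a Drupal 8 render array using '#plain_text'
// rather than '#markup'.
function render_safe(string $name): string
{
    return '<p>Hello ' . escape_html($name) . '</p>';
}

echo 'Unsafe:  ' . render_unsafe($untrusted) . PHP_EOL;
echo 'Escaped: ' . render_safe($untrusted) . PHP_EOL;

// Sanity check a reviewer can keep in a test: the injected tag must not
// survive escaping as a tag.
if (strpos(render_safe($untrusted), '<img') !== false) {
    fwrite(STDERR, "escaping failed\n");
    exit(1);
}
```

Escaping is specific to the context the value lands in: the call above is right for element content and quoted attribute values, but not for a value placed inside a JavaScript string or a URL, which need their own encoding. When reviewing custom modules, look for '!' placeholders in t() calls, '#markup' fed from user input, and any string concatenation into HTML that bypasses these functions.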
Performing a Drupal Security Audit
We think it is best practice to perform regular security audits of a Drupal website to identify the vulnerabilities it may have. You can do this yourself or use specialists to perform the audit on your behalf.
OWASP, the Open Web Application Security Project, publishes a Top Ten list of the most common web application security risks, which applies across website platforms. The 2013 edition covers:
- Injection (SQL, OS command and similar)
- Broken authentication and session management
- Cross-site scripting (XSS)
- Insecure direct object references
- Security misconfiguration
- Sensitive data exposure
- Missing function level access control
- Cross-site request forgery (CSRF)
- Using components with known vulnerabilities
- Unvalidated redirects and forwards
Once you have completed your Drupal security audit, address each finding in turn until all are fixed. Specialists such as Security Audit Systems can advise on how to address any security issues with your website and database.
If you are a webmaster you may have the necessary skills to perform the audit and rectify the identified issues on your own.
It is the responsibility of all web developers and webmasters to make sure that the sites they control are as safe as possible for both their users and their data.
Whatever you decide to do, we wish you good luck, but we believe that doing nothing about website security is not an option in this day and age.