Drupal Security Review

Robyn, Lead Drupal Architect
Dec 19, 2012

Drupal Security

When deciding on a software solution for your company's digital needs, security is often one of the top concerns. Online security can be quite the vexing and daunting topic, often seen more as diving down the rabbit hole of electronic mayhem than anything else, but that's where the robust and thorough security of Drupal comes into play.

Open source software, like Drupal, has the added bonus of having thousands of talented individuals work on a particular problem. With entire teams and methodology devoted to ensuring its steadfast reputation as a secure CMS, it's comforting to know modules and code procured from the official Drupal site are as secure as possible.

It's Official

The official Drupal Security Team has four goals:

  • Resolve reported security issues.
  • Provide assistance for contributed module maintainers in resolving security issues.
  • Provide documentation on how to write secure code.
  • Provide documentation on securing your site.

The security team is well-versed in online software best practices and serves as a resource for all custom module maintainers and code contributors to utilize when submitting custom projects. Furthermore, each piece of code and module is continually evaluated against possible risks and, when such evaluations demonstrate potential security holes, is marked as such and sent back to the contributor for correction.

There is also an active security group discussion on Drupal.org devoted to helping those with security issues or concerns and addressing questions others may have. This page contains such helpful topics as "Common code mistakes that open vulnerabilities" and "Enabling the overlay module for anonymous: Security risks".

In keeping with the theme of Drupal's open source collaboration community, users are encouraged to post topics and ask questions regarding security, and ways in which they might improve their code or secure their site.

Ease of Updates

A big focus of Drupal is the ease of updating. When something goes wrong and a security vulnerability is found, be it via a contributed module or perhaps even in the core of Drupal itself, the first priority is to get the offending code patched and the site secure.

By utilizing common practices and standards, Drupal sites built properly can be patched within minutes with little downtime and risk of broken features. Proper code practices ensure the core code is never touched by site developers - the entirety of a Drupal site can be customized and maintained without ever adjusting core, allowing for simple version updating and patching.

The same can be said for contributed modules: by utilizing the hooks and various APIs provided, no customization of contributed code is typically needed to produce a fully featured and robust site, allowing for simple module replacement and version updating upon security lapse discovery.

Safety through planning

When the unfortunate does happen and a lapse in security is found, perhaps in a contributed module or even with Drupal core itself, it helps to be prepared to handle the necessary updates. Budgeting time and resources for periodic Drupal module updates and security patches is sound planning and worth the consideration, especially as your site grows and the number of modules provided by the community increases.

In the event of a major security update, it helps to have the available resources to plug the risk ASAP. Updating a module to close a security threat may be as simple as updating the module's code, or as complex as applying a patch and update. Regardless of the threat, frequent checking and updating of your site's modules is good practice.

When planning for a site's development quota, be sure to leave sufficient time throughout the life of your Drupal site to accommodate periodic module and core code updates. What they say regarding an ounce of prevention is true, and keeping on top of necessary releases through proper developer allocation can prevent major headaches down the road. An hour spent updating contributed modules could prevent 10 hours of cleanup and restoration later.

Peace of mind

Web security is an ever-changing game. What passes today as secure code may not stay the same tomorrow when new vulnerabilities surface. Using Drupal means you never have to face these risks alone, let alone attempt to correct the problem by yourself. There's power in numbers when it comes to both discovering and fixing potential software flaws, and Drupal has those numbers.

There's peace of mind in knowing that your online software is not only secure but also in an active state of safeguarding against attacks, both past and present.

 
