Skip to main content

Blog Post

Guardr for Drupal 8: Meeting Enterprise Security Requirements

What is Guardr?

Guardr logo Guardr is a Drupal distribution with a combination of modules and settings to enhance a Drupal application's security and availability to meet enterprise security requirements. These security requirements have been added after a review and study of industry best practices from security standards, regulatory controls, and security certifications. These include but are not limited to:

  • NIST - National Institute of Standards and Technology
  • PCI DSS - Payment Card Industry Data Security Standard
  • FERPA - Family Educational Rights and Privacy Act
  • CISSP - Certified Information Systems Security Professional
  • HIPAA - Health Insurance Portability and Accountability Act
  • ISO/IEC 27001 - International Organization for Standardization/International Electrotechnical Commission Information technology — Security techniques — Information security management systems — Requirements

Guardr's philosophy is based around the CIA Information Security Triad where confidentiality, integrity, and availability are held in high regard.

For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades.
 

Maintaining and Improving Guardr

In addition, Guardr maintainers are always on the lookout for modules and settings that will harden the security of Drupal by protecting against risks detailed by OWASP in the "OWASP Top 10 Most Critical Web Application Security Risks." Some of these risks are ones that the Drupal community witnesses with the release of Drupal Security Advisories.

  • Speaking of the included contrib modules, here are some of the criteria used to select modules for inclusion.
  • Does the module fulfill a part of the CIA Information Security Triad?
  • Does the module address an OWASP Top 10 Security Risk?
  • Previous Guardr team/community experience with the module?
  • Is the additional module worth the attack surface increase?
  • Availability or is the community working towards a stable release?
     

Guardr for Drupal 8

While the Drupal 7 version of Guardr has been available for 5 years, I am pleased to announce the first alpha release of Guardr for Drupal 8: Guardr 8.x-1.0-alpha1. Drupal 8 Core has a number of built-in security enhancements that help websites and applications maintain security and availability. Guardr builds on top of Drupal 8’s foundation by adding Core hardening configurations via Guardr Core Included Drupal 8 contrib modules extend site security through improved login security, session management, system auditing and logging, and other features.

Below are the items the Guardr community sees as next steps to help drive Guardr for Drupal 8 to a stable release:

  • Continue working through the D7 to D8 module crosswalk plan
  • Evaluate additional Drupal Core hardening and implement in Guardr Core
  • Feature: Ability to add certain Guardr recommendations to existing Drupal 8 installs
  • Update documentation for Guardr 8
    • Related project pages
    • Add new Guardr 8 specific documentation

I had the pleasure of presenting Raising The Security Bar with Guardr at DrupalCon Baltimore. There are more details on the project and great Q&A at the end of the session.


 

Get involved

We would love your help! If you are interested in contributing to Guardr, we have needs which include writing documentation, supporting Guardr users, testing patches and updates, and developing new features. Getting involved in the issue queue is a great place to start. If you want to chat about how to help, feel free to ask questions in IRC at “#drupal-guardr” or Tweet us at @guardrproject.

Additional Resources
10 Great Security Podcasts, Blogs, & Resources | Blog
Evaluating the Security of Drupal Contrib Modules | Blog
Best Practices for Drupal Site Security | Blog

Mark Shropshire

Meet team member, Mark Shropshire

Mark brings 20 years of experience leading technical teams to his role as Mediacurrent’s Open Source Security Lead. He is a leader in tech community organizing, blogging, podcasting, and public...

Learn more about Mark >