Tips for improving Drupal security

 


I had a chance to check out the Talking Drupal: Drupal security podcast. These were my key takeaways.


Top 3 tips

Its stuff we already know about but don't do. Lets educate and remind ourselves and others.

  1. Do not write down passwords (especially on sticky notes). Use a Password Manager e.g. LastPass, Bitwarden, Passbolt
  2. Patch your modules. Security patches are released every 3rd Tuesday of the month by the Drupal Security team. Sign up to security announcements. You can use RSS feeds to bring updates to your slack, teams, etc. There is also a Discord site.
  3. Use tools that make your code better. e.g. CI to make it more readable (coding styles, comments). Code reviews. Write the least amount of code as possible. No code is best ie only using Core and Contrib modules. (IMO, as a developer this is impossible 😂) 

 
Contrib modules to help improve Drupal security

 
Have a Security plan

Plan for the worst. What will you do “WHEN” you get hacked? Also provide a way for users to report potential security issues to you.
 

Finding vulnerabilities

Drupal Security team is mostly reactive. They rely on the community or their own experiences to find vulnerabilities, then respond to them and patch as required.

They often patch a core issue and find contrib modules that have the same vulnerability. They identify the code pattern, then use regular expression to search across local repo’s (top contrib modules are available on a hard-drive) and/or Gitlab.
 

Report potential vulnerabilities

Do not post to public issue queue or forums. Post to the security issue queue which is private.
 

Dependabot does not work with PHP

My experience with Github Depenabot is that its good at finding vulnerable npm packages but not so much PHP. While listening I did some research on tools for scanning PHP apps using Github Actions. I came across a few which I will try when I get some time:

Patches

Things not covered but may be helpful to readers.
  • Check patches carefully before applying them. It may be a source of a potential vulnerability.
  • Record the issue ID in your composer so you can review the issue from time to time to use the approved patch or patched version.
  • Do not use a patch generated by a merge/pull request (PR) as it can change at any time (code poising attack). Download it to your repo and patch.

The Talk

Have a listen/watch to find more goodies



Comments

Post a Comment

Popular posts from this blog

Insights for Software Development Workflows from the Pacific Islands

Image
Talofa! I came across an interesting video on how enterprise software development workflows might work. I found that I was using a hybrid of techniques mentioned which aligned well given that it was showing how BIG companies with teams of developers would develop software. We have a few software developers at SPREP but mostly work on our own projects . I thought I would reflect on my workflow as it is something that I've built up over time from research and collaboration with other developers. Tests, Continuous Integration/ Continuous Deployment (CI/CD) My workflow involves setting up tests from the get go and putting them into Gitlab CI pipelines . This gives me confidence that the system builds and I'm not breaking stuff I already fixed . Here is an example of how I would set up a Drupal project with style tests and a Github Action for running them. Feature building with Git branches I build features using git branches . If I have an urgent requirement or fix , I can switch ...
Read more

Government of Tonga’s first mobile app nears completion

Image
  Caption: Workshop participants Last week I was in Tonga to facilitate a training workshop for the Tonga Meteorological Services (TMS) and its partners. The workshop is part of finalising the Tonga Joint Early Warning and Response mobile app (app name to be finalised). The TMS lead initiative will help address challenges in communications on the ground and sharing of data with partners in times of natural disasters. Furthermore, the app provides real-time weather warnings using push notifications to mobile devices. Unlike traditional “weather” apps, TMS envisioned a “two-way” app that not only provides weather forecasts but enables the public to report weather and disaster related events to them. It will become the first mobile app for the Government of Tonga and will be available in Tongan and English languages on Android and iOS devices. SPREP provides ICT expertise to assist TMS Caption: Mr. Ainsof So'o reviewing the mobile app One of the Secretariat of the Pacific Regional Env...
Read more

Bot Busters: Defending Your Site Against Bots

Image
TL;DR: A climate change portal faced performance issues due to excessive bot crawling. After trying various solutions, including updating core and modules, scaling up the server, and exploring different security modules, the problem was solved using Drupal's built-in Ban module to block problematic IP addresses. The Autoban module was then implemented to automate the process, effectively improving the site's performance and resilience against bots.      🌐 Introduction In today's digital landscape, websites face numerous challenges, and one of the most persistent is the threat of bots. These automated programs can wreak havoc on your site's performance, especially when they crawl your pages excessively. Recently, we encountered this issue with one of our country climate change portals built on Drupal 7. Here's how we tackled the problem and restored the site's performance. 🔍 The Investigation Begins When we noticed performance issues on our climate change p...
Read more