Tips for improving Drupal security

 


I had a chance to check out the Talking Drupal: Drupal security podcast. These were my key takeaways.


Top 3 tips

Its stuff we already know about but don't do. Lets educate and remind ourselves and others.

  1. Do not write down passwords (especially on sticky notes). Use a Password Manager e.g. LastPass, Bitwarden, Passbolt
  2. Patch your modules. Security patches are released every 3rd Tuesday of the month by the Drupal Security team. Sign up to security announcements. You can use RSS feeds to bring updates to your slack, teams, etc. There is also a Discord site.
  3. Use tools that make your code better. e.g. CI to make it more readable (coding styles, comments). Code reviews. Write the least amount of code as possible. No code is best ie only using Core and Contrib modules. (IMO, as a developer this is impossible 😂) 

 
Contrib modules to help improve Drupal security

 
Have a Security plan

Plan for the worst. What will you do “WHEN” you get hacked? Also provide a way for users to report potential security issues to you.
 

Finding vulnerabilities

Drupal Security team is mostly reactive. They rely on the community or their own experiences to find vulnerabilities, then respond to them and patch as required.

They often patch a core issue and find contrib modules that have the same vulnerability. They identify the code pattern, then use regular expression to search across local repo’s (top contrib modules are available on a hard-drive) and/or Gitlab.
 

Report potential vulnerabilities

Do not post to public issue queue or forums. Post to the security issue queue which is private.
 

Dependabot does not work with PHP

My experience with Github Depenabot is that its good at finding vulnerable npm packages but not so much PHP. While listening I did some research on tools for scanning PHP apps using Github Actions. I came across a few which I will try when I get some time:

Patches

Things not covered but may be helpful to readers.
  • Check patches carefully before applying them. It may be a source of a potential vulnerability.
  • Record the issue ID in your composer so you can review the issue from time to time to use the approved patch or patched version.
  • Do not use a patch generated by a merge/pull request (PR) as it can change at any time (code poising attack). Download it to your repo and patch.

The Talk

Have a listen/watch to find more goodies



Comments

Post a Comment

Popular posts from this blog

🚀 Level Up Your Code with AI: My Vibe Coding Workflow

Image
  Been feeling like you're spending more time wrestling with code than actually building cool stuff? You're not alone! I've been on a deep dive into how Artificial Intelligence can help us software developers, and let me tell you, it's a game changer. Think of it less like robots stealing our jobs and more like having a super helpful (if slightly forgetful) assistant who can seriously boost your coding power. After weeks of experimenting, I've landed on a workflow that blends the magic of AI with the essential skills of a human developer. I started with AI app generators, got hooked by the magic, but quickly hit their limitations when I needed production-ready code in my own tech stack. It's not about letting the AI take over completely, but about smart collaboration. Ready to see how you can code smarter, not harder? Here's a breakdown of my key takeaways and how I'm integrating AI into my daily coding life: 🎯 The Power of the Prompt (It's a Re...
Read more

Expandable Search Box with Bootstrap 5

I've always liked the expandable search box. Its minimal and provides a nice animation when hovered over.  In the past I've come across javascript implementations but had not been able to use them.  Recently, I came across a pure CSS implementation that I ported across to Bootstrap.  Inspired by https://codepen.io/studiocaro/pen/ZbKodG this version works with Bootstrap 5. You start with the boiler plate code for nav from bootstrap.  Next I wrapped the form in a div with an id="form". I've also changed to a dark background by switching navbar-light bg-light to navbar-dark bg-dark for better contrast. If you want the search icon then add "entypo-search" class to the search form. The CSS responsible for the animation are: #form {   ...   -webkit-transition: width .55s ease;   -moz-transition: width .55s ease;   -ms-transition: width .55s ease;   -o-transition: width .55s ease;   transition: width .55s ease; } Video Live See the Pen ...
Read more

Sāmoan language support for the Quasar framework

Exciting news for Sāmoan language app development!  And just in time to celebrate Sāmoa's 60 years of independence!! The Sāmoan language is now included as a language pack for the Quasar framework as of version 2.7.2 . It means dozens of Vue Components can now support Sāmoan. To switch it on, follow the instructions in the docs and use the "sm" code. This is a biggy for me as it's the only Sāmoan language pack I know of for any framework I've worked with. Much appreciation to the Quasar team for the quick turn around. Here is an example of using the close translation in your own components     {{ $q.lang.label.close }} And some examples of translated components in action: WYSIWYG Editor (hover over items to see translations) See the Pen Editor (WYSIWYG): Kitchen sink in Sāmoan - Quasar v2.7.3 by Ainsof So'o ( @ainsofs ) on CodePen . Date Picker (try clicking the month names) See the Pen QDate: Basic in Sāmoan - Quasar v2.7.3 by Ai...
Read more