Are there any best practices or approaches to reviewing individual modules or themes?
I do feel that modules posted to Drupal.org are more secure than those posted elsewhere, simply because the framework allows for an easy way for us to receive updates when there are security issues. However, other than people posting security patches, what processes are being used to scan contributed code for problems?
There are a number of approaches for general PHP development which would certainly apply:
http://www.addedbytes.com/writing-secure-php/
http://www.ibm.com/developerworks/opensource/library/os-php-secure-apps/...
http://www.dagondesign.com/articles/writing-secure-php-scripts-part-1/
http://www.brightlemon.com/blog/writing-secure-php-code-0
But what are the elements that are specific to the Drupal framework that should be considered. Other than:
http://drupal.org/writing-secure-code
http://www.sinati.com/blog/2010/drupal/drupal-security-configuration-bes...
http://www.imminentweb.com/technologies/harden-your-drupal-websites
Comments
none that I know of
There aren't any that I know of. We have a process we're refining as part of our security review service but I don't think there is anything publicly documented yet.
I assume you've read my book, Cracking Drupal and the blog posts there.
knaddison blog | Morris Animal Foundation