Best Practices for Module/Theme level Security Reviews

Events happening in the community are now at Drupal community events on www.drupal.org.
Posted by mgifford on September 28, 2010 at 4:06pm

Are there any best practices or approaches to reviewing individual modules or themes?

I do feel that modules posted to Drupal.org are more secure than those posted elsewhere, simply because the framework allows for an easy way for us to receive updates when there are security issues. However, other than people posting security patches, what processes are being used to scan contributed code for problems?

There are a number of approaches for general PHP development which would certainly apply:
http://www.addedbytes.com/writing-secure-php/
http://www.ibm.com/developerworks/opensource/library/os-php-secure-apps/...
http://www.dagondesign.com/articles/writing-secure-php-scripts-part-1/
http://www.brightlemon.com/blog/writing-secure-php-code-0

But what are the elements that are specific to the Drupal framework that should be considered. Other than:
http://drupal.org/writing-secure-code
http://www.sinati.com/blog/2010/drupal/drupal-security-configuration-bes...
http://www.imminentweb.com/technologies/harden-your-drupal-websites

Comments

none that I know of

Posted by greggles on October 8, 2010 at 5:57pm

There aren't any that I know of. We have a process we're refining as part of our security review service but I don't think there is anything publicly documented yet.

I assume you've read my book, Cracking Drupal and the blog posts there.

Security

Group organizers

Group notifications

This group offers an RSS feed. Or subscribe to these personalized, sitewide feeds:

AltStyle によって変換されたページ (->オリジナル) /