Security

Events happening in the community are now at Drupal community events on www.drupal.org.

Discussion security best practices in general. This is NOT a place to discuss vulnerabilities in released versions of specific public modules nor Drupal core. Please only ask questions before releasing a module or phrase them generally. If you find a security vulnerability in publicly available code the proper thing to do is report it to the Security Team.

On twitter see @drupalsecurity.

Security service provider

Posted by deepanjali on September 12, 2015 at 4:05am

Hi, I am looking for recommendations for good, reliable service providers who can keep our website up to date in terms of security and deal with malware, attacks, etc. We do not have tech people on our team so they would need to take care of everything. We use a dedicated server with Bluehost and our site is currently deactivated due to malware.

Read more
2 comments Categories: , ,

What security-related modules should exist but don't?

Posted by coltrane on September 9, 2015 at 12:55am

Consider this a brainstorm post about generating module ideas around security for Drupal sites. What modules do you wish existed but don't? What security feature, change audit, access control, risk mitigation, etc doesn't exist for Drupal, but should?

A couple come to my mind which I'll leave as a comment. Share yours, whether basic or advanced, and we can discuss how it might work and it's needs.

Read more

How does Security Team decide the level of a threat?

Posted by gettysburger on September 8, 2015 at 5:10pm

I am interested in learning about Drupal Security and appreciate the efforts of everyone on the Security Team. I am wondering what the best venue is to gain insight into how the team makes their decisions about what specific things trigger one level or another.

I am working on gaining an understanding of the NIST criteria, but was wondering if there is another venue I should be looking at for insight into the Security Team decisions.

Thanks!

Read more

Site scans and audits

Posted by cjordan on August 13, 2015 at 10:51pm

Hello group members,
I am looking for a way to scan my drupal sites for security issues. I found this site online https://hackertarget.com/drupal-security-scan/. Thanks for your comments in advance.

Read more
3 comments Categories:

Announce that there are no announcements

Posted by bburg on July 29, 2015 at 8:08pm

Every Wednesday, at 4:00 pm Eastern, I have a reminder set for myself to check for the weekly Drupal security announcements. A number of my clients have requirements that basically require applying security updates as soon as possible (PCI/FISMA).

What is awkward around this time is when there are no announcements. I find myself wondering if there is just a delay in the email delivery (which I think is known to happen), or if there are indeed no security updates that week.

Read more

drupalscout.com replacement?

Posted by rooby on July 19, 2015 at 12:39pm

drupalscout.com was a good source of Drupal security information but is now gone and redirects to the Acquia home page.

Does anyone know if the information previously available on drupalscout.com will end up being available somewhere else or is it just gone now?

Read more

Security and privacy day at NYC Camp at the UN

Posted by coltrane on July 9, 2015 at 7:01pm

As part of the upcoming Drupalcamp at the UN, NYC CAMP, we're having a full day of Drupal and security!

Friday, July 17th, 9:00 AM to 5:00 PM @ United Nations Headquarters New York, NY 10017

Read more

Seeking feedback on the security team disclosure policy.

Posted by mlhess on June 29, 2015 at 6:28pm

The security working group is proposing this policy around disclosure of private information. We are seeking community feedback.

In the past our policy has been a tad thin.

"State that you are willing to keep the confidential issues of the team confidential"

This document aims to add clarity to that sentence and some example scenarios to guide team members decision making.

We are seeking public feedback before making this a policy.

The policy is attached as a PDF.

Please provide feedback by commenting on the post

Read more

Updating "criticality" levels to match scores

Posted by greggles on June 17, 2015 at 9:00pm

A while ago, after a lot of great research and work (mostly by Michael Hess), we rolled out a new style of scoring individual security advisories. The system is based on NIST's scoring at https://t.co/Pvhzn9CHP2

For example, a recent issue had a "score" of
7/25 AC:Basic/A:Admin/CI:None/II:None/E:Theoretical/TD:All

The score and coding is meant to explain the risk, but it's rather cryptic.

To try to be more "human friendly" we also still say things like "Highly Critical" and "Less Critical" and "Not Critical".

Read more

Security Crowdsourcing: Bugcrowd, Hackerone, Synack, CrowdCurity

Posted by greggles on May 20, 2015 at 8:51pm

I'd love to hear feedback about crowdsourced security programs from anyone who has used or researched them. I personally have used Bugcrowd (as a program sponsor) and Hackerone (as a reporter) and they both seemed roughly similar. I haven't really researched the others.

What do folks think about these programs? Anyone using one or more of them, either as sponsor or researcher, and have feedback to share? Do any of their models provide a better match to the Drupal community?

Read more
Categories: ,

Drupal and FISMA Compliance BoF at Drupalcon LA

Posted by owen barton on May 12, 2015 at 6:41pm
Start:
2015年05月14日 14:15 - 15:15 America/Los_Angeles
Organizers:
Event type:
DrupalCon

This session is for sharing of best practices and tools with respect to the FISMA federal compliance framework, as well as discussing ways to automate compliance checking of Drupal (and it's environment) using FISMA certified open source tools like OpenSCAP.

Read more

Drupal Security BOF at Drupalcon Los Angeles

Posted by greggles on May 7, 2015 at 2:57pm

Hello,

There will be a birds-of-a-feather (BOF) gathering at Drupalcon Los Angeles on Tuesday, May 12th at lunchtime (11:45am-1:00pm) in room 410. There's no specific agenda, we'll talk about things that people in the room want to talk about. It should be fine to get lunch first and bring it to the room (if someone says no, surely it will be possible to engage in a little social engineering to convince them it's OK!).

It seems useful to talk about just about anything. Some things that I can imagine we might cover:

Read more

token/hash based account-less access control

Posted by jitesh doshi on May 7, 2015 at 12:07am

I have a need where site visitors should be able to create and then later update content without ever creating an account on my Drupal site.

Read more
Anonymous's picture

Fine-grained MySQL tables privileges

Posted by Anonymous on April 14, 2015 at 11:14am

Regarding Drupal site security, I am really surprised to see that MySQL settings do not keep an important place in Securing your site discussion.

Yet a very simple MySQL policy would have prevented Drupageddon to your site.

According to INSTALL.mysql.txt, MySQL user used by Drupal, must have the following minimal privileges on Drupal database:

GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES.

Read more
6 comments1 attachment Categories: ,

List of service providers who keep Drupal sites up to date

Posted by greggles on April 12, 2015 at 8:08pm
Last updated by dsnopek on Fri, 2015年10月09日 16:02

Keeping a site up to date with new releases is one of the most important things for keeping a site secure. Let's document the current landscape of hosting and service providers and what services they offer to keep your site secure (in alphabetical order):

Company/Service Core? Contrib Time for upgrade Cost Requires site-owner involvement
Read more

Questions about module programming

Posted by EdBiancarelli on March 16, 2015 at 3:40pm

First, sorry if this isn't the right place and way to ask.

I'm developing a new module and have 2 questions about security.

1 - My module has a Config page where only admin (or another user with same rights) has access. Like /admin/config/system/site-information.
In this config, I have some fields that will be showed later in HTML output.
Question: Do I must filter this content against XML injection (filter_xss or filter_xss_admin)? or I can trust this user?

Read more

Next release of paranoia

Posted by greggles on March 9, 2015 at 10:40pm

I'm working on a new release of paranoia. In addition to blocking more permissions I'd like to include a feature that blocks all the import boxes that run php from the user interface (e.g. the "Import Views" box).

The issue to do that needs review and is at https://www.drupal.org/node/2313945

Once that hook is in we would need to add in a bunch more form IDs to block.

Read more

Write up on Drupageddon hack (attempt) on my site

Posted by mykevandyke on November 30, 2014 at 5:03pm

On October 21, 2014, an attempt to compromise my personal web site was partially successful. The attack was able to delete log entries for October 21, 2014, and was able to add a non-existent user to the administrator role on the web site. The attack apparently failed to actually create the user, however.

Read more
1 attachment Categories:

Basic, Current Best Practice for adding SSL

Posted by sonicthoughts on November 25, 2014 at 5:05pm

I have seen many detailed discussions for security on drupal.org and elsewhere. If I've learned anything watching the 2014 onslaught of cyber attacks it is this: "make it simple or it won't be used." I'm a system builder, trying to add SSL to a site (I've done this in the past.) and the challenge I face is a simple, current, best practice approach for SSL that provides decent performance (ie. allows proxy traffic, opcache, etc.)

Read more

Files to monitor

Posted by derrotebaron on November 4, 2014 at 5:58pm

Are there any static files in Drupal that could be monitored for unauthorized access? In light of the latest vulnerability/exploit, I was wondering if perhaps a HIDS, or some type of file integrity solution could be used to monitor specific files related to Drupal that would indicate a compromise.

Thx

Read more
Categories:
Subscribe with RSS Syndicate content

Security

Group organizers

Group notifications

This group offers an RSS feed. Or subscribe to these personalized, sitewide feeds:

AltStyle によって変換されたページ (->オリジナル) /