Defense in Depth: Lessons learned securing 100,000 Drupal Sites

Cellar Door
David Strauss

Heartbleed, Shell Shock, POODLE, Drupalgeddon and Ghost.  How is it possible to secure my website in the face of the hackzor onslaught?

Every bit of software in your stack composes compromisable surface area, so you have to think about security from the OS to the JS, and beyond.  When securing your website, you need to think breadth as well as depth; there’s no use in having 3 deadbolts a pit bull and a portcullis on your front door while leaving your porch door unlocked.  

We’ll start at the 10,000’ level, reviewing the risks and drivers of website security, then zoom in for a birds-eye view of security best practices, and finally deep-dive on a few of the most effective attack mitigation strategies.

Topics we will cover:

  • What security means for your business: compliance and risk management

  • The security triad: Confidentiality, Integrity, and Availability

  • OWASP Top 10

  • Evaluating hosting options based on security

  • Securing your operating system

  • Configuring Nginx and Apache for security

  • Understanding ‘contrib’ module security

  • Configuring Drupal for Security

  • How to address DOS with a CDN (a battle of 3 letter acronyms)

  • Data encryption

  • Key Management (Don’t tape your key to the front door)

  • PII - What is it and why does it matter?

  • Securing your users: Password security and best practices

  • Real world scenarios

This will be the follow up to the session at Drupalcon Los Angeles:

Session Track


Experience Level


Drupal Version

When & Where

Wednesday, 23 September, 2015 - 14:15 to 15:15
113: Amazee Labs