Cracking Drupal

pwolanin

Security is paramount for almost any web application. Do you know which vulnerabilities are most common across the web, and how that compares to the most frequent vulnerabilities in Drupal core and contributed modules?

I will use the OWASP Top 10 (as updated in 2017) as a resource and framework to look at security best practices that keep your site safe, and I will take the perspective of an attacker to understand how exploits work. I will show you common mistakes that Drupal developers make when they write code and how they can be avoided. As a member of the Drupal security team I have seen a lot of code and what can go wrong with it.

The session will also touch on some security improvements in Drupal 8 such as using auto-escaping in the Twig template engine (XSS prevention) and built-in CSRF token support in the routing system.
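As an added illustration (not code from the session or from Drupal itself), here is a Drupal 8 routing file for a hypothetical module `mymodule` showing a state-changing link route without and with the `_csrf_token` requirement mentioned above:

```yaml
# Constructed example: mymodule.routing.yml for a hypothetical module.
# Both routes share a path only so the two variants can be compared;
# a real module would define just the protected one.

# WEAK: a state-changing action reachable by a plain GET link. Because the
# browser attaches the session cookie automatically, any page the victim
# visits can cause this action to run with the victim's permissions.
mymodule.delete_unprotected:
  path: '/mymodule/delete/{id}'
  defaults:
    _controller: '\Drupal\mymodule\Controller\ItemController::delete'
    _title: 'Delete item'
  requirements:
    _permission: 'administer mymodule'

# HARDENED: the _csrf_token requirement makes Drupal's CSRF access check
# reject the request (403) unless ?token=... matches a token bound to the
# current session and this path. Links built with
# Url::fromRoute('mymodule.delete', ['id' => $id]) get the token appended by
# the outbound route processor, so your own UI keeps working while forged
# cross-site requests are denied.
mymodule.delete:
  path: '/mymodule/delete/{id}'
  defaults:
    _controller: '\Drupal\mymodule\Controller\ItemController::delete'
    _title: 'Delete item'
  requirements:
    _permission: 'administer mymodule'
    _csrf_token: 'TRUE'
```

This requirement is for link-based actions; forms built with the Form API carry their own CSRF token automatically.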

Learning Objectives

I will cover:

  • XSS, CSRF, Access Bypass, SQL injection, and DoS explained
  • Secure configuration (web server, file permissions, etc.)
  • Tools and Modules to improve security on your site

Target Audience

This session is relevant to developers for all PHP web applications, but code examples are mostly from Drupal 8.x.

Prerequisites

Basic familiarity with how browsers request web pages and interpret URLs, as well as an interest in security concepts.

Track

Development & Coding

Tags

back-end development
front-end development
php
security

Experience Level

Intermediate
