Continuous Drupal Security and Practical Paranoia

mnescot

Compared with other content management systems and development frameworks, Drupal provides us a fundamentally strong application security foundation based on rigorous coding standards and review and exceptional community oversight and collaboration. Nevertheless, as the past year's range of serious security vulnerabilities has demonstrated, it is our responsibility more than ever to be prepared and to plan for invasion, survival, and recovery through practical paranoia. This session will examine three major components of an effective Drupal-based application security lifecycle model, using a real-life Drupal community collaboration and commerce site as a case study. First, we will conduct a comprehensive architectural risk analysis tailored to the specific application and covering the entire front- and back-end development and hosting stack, including HTTP and data services as well as authentication, authorization, and identity management. Second, we will use the output of the first component to design and implement a continuous security testing and assessment process customized for the application's significant risks, including peer-based and automated code review, static and dynamic code analysis, and vulnerability identification using tools such as Jenkins, Gerrit, Drupal Security Review, PHP CodeSniffer, and OWASP Zed. Third, we will implement an effective, risk-based, application-centric continuous security monitoring system focused on timely alerts, using tools such as Nagios, OSSIM, and ELK.

Session Track

DevOps

Experience Level

Intermediate

Drupal Version