Beyond Module Security Updates: Creating a Holistic Security Strategy

schnippy

This past year, Drupal site maintainers raced to patch their sites to address back-to-back critical security issues in Drupal 7/8, with exploits being detected in the wild within hours after the patches were released. These updates, while not out of the ordinary for open source software, occurred in an increasingly complex security environment that is seeing a greater range of hostile actors executing more sophisticated, targeted, and damaging website attacks.

As a site owner, how worried should I be about these threats? What can I do besides keeping my modules patched? Are there other best practices for protecting my site from common attacks? How can I approach web security more holistically?

In this session, we will introduce a framework for understanding Drupal website security and how to assess possible solutions. This will include:

  • Understanding the nature of the current threat;
  • Discussion of common Drupal site vulnerabilities and attack vectors;
  • Walking through the different levels at which we need to think about Drupal security, e.g.:
    • Security protocols and organizational culture,
    • Filtering and sanitizing user inputs,
    • Reducing vulnerabilities in custom code,
    • Monitoring and updating dependencies (e.g. NodeJS and Composer),
    • Server hardening and monitoring,
    • Balancing security with user needs and behaviors;
  • Surveying the different Drupal modules, third-party tools, and other techniques that can protect your sites at each of these levels.

The goal of the presentation is to give you a solid understanding of the different layers at which your website may be vulnerable and what you can do to remedy them. The general approach is suitable for site administrators at any level, and we will assess each of the recommendations (for both Drupal 7.x and 8.x) for its effectiveness, its balance with user needs, and its ease of implementation.

Program tags

beyond drupal, process, security

Experience Level

Intermediate

Drupal Version