Cracking Drupal

Note: This, and other lab sessions, will not be recorded.

Security is paramount for almost any web application. Do you know which vulnerabilities are most common across the web, and how that compares with the vulnerabilities most frequently found in Drupal core and contributed modules?

We will use the OWASP Top 10 (as updated in 2017) as a resource and framework to take a look at security best practices that keep your site safe, and we will take the perspective of an attacker to understand how these weaknesses are exploited. We will show you common mistakes that Drupal developers make when they write code and how they can be avoided. As members of the Drupal security team, we have seen a lot of code and what can go wrong with it. We will cover:

  • XSS, CSRF, Access Bypass, SQL injection, and DoS explained
  • Secure configuration (web server, file permissions, etc.)
  • Tools and Modules to improve security on your site

This session is relevant to all PHP web applications, but the code examples are mostly from Drupal 7.x and 8.x. The session will also touch on some security improvements in Drupal 8, such as auto-escaping in the Twig template engine (XSS prevention) and built-in CSRF token support in the routing system.

Part of the goal of this session is to educate the developer community (both front end and back end) about these vulnerabilities and how they operate, so that we have fewer of them in Drupal core and contributed modules in the future.

Program tags

front end development, php, security

Program track

builder

Experience Level

Intermediate

Drupal Version

When & Where

Time: Thursday, 11 April, 2019 - 09:00 to 10:30
Room: 618 | Level 6