Drupal Security
Reviewed 2023-05-31 (Draft)
Basic Practices
The Drupal API embeds many security best practices (escaped output through the render system, parameterised database queries, CSRF-protected forms, access checking), but we only benefit from the community's hard work if our own code goes through the API rather than around it. All Kalamuna developers should know the secure-coding guidelines published on Drupal.org and apply them in their development efforts. Project managers and personnel conducting code reviews should remain particularly vigilant that these standards are being applied. Using the Security Review module is highly recommended to help enforce standards: it audits a site for common configuration weaknesses (file permissions, error reporting, permissive text formats, untrusted roles holding administrative permissions). It checks configuration, not custom code, so it complements code review rather than replacing it.
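What "going through the API rather than around it" means in practice, as an added example (not Kalamuna or Drupal project code): the same task, listing an author's published node titles, written the unsafe way and then the way the Drupal API intends. Table and column names are core's; the function names and the `$uid` input are made up for illustration.

```php
<?php

/**
 * Added example, not Kalamuna or Drupal project code. Function names and
 * the $uid input are illustrative assumptions; the tables, services and
 * render keys used are Drupal core's.
 */

use Drupal\Component\Utility\Html;
use Drupal\Core\Database\Connection;
use Drupal\node\Entity\Node;

/**
 * UNSAFE: the value is interpolated into SQL (SQL injection) and the
 * titles are concatenated into HTML unescaped (cross-site scripting).
 * Querying the table directly also skips node access checks entirely.
 */
function example_author_titles_unsafe(Connection $db, string $uid): string {
  $rows = $db->query("SELECT title FROM {node_field_data} WHERE uid = $uid");
  $html = '';
  foreach ($rows as $row) {
    $html .= '<li>' . $row->title . '</li>';
  }
  return '<ul>' . $html . '</ul>';
}

/**
 * SAFE, low level: every value goes through a placeholder, so the database
 * layer quotes it, and output is escaped by the render system instead of
 * being assembled as an HTML string.
 */
function example_author_titles_safe(Connection $db, int $uid): array {
  $titles = $db->query(
    'SELECT title FROM {node_field_data} WHERE uid = :uid AND status = 1',
    [':uid' => $uid]
  )->fetchCol();

  $items = [];
  foreach ($titles as $title) {
    // '#plain_text' is HTML-escaped on render. '#markup' would only be
    // passed through Xss::filterAdmin() and still allows some tags.
    $items[] = ['#plain_text' => $title];
  }
  return ['#theme' => 'item_list', '#items' => $items];
}

/**
 * PREFERRED: let the entity layer do the work. accessCheck(TRUE) applies
 * node access for the current user, so nodes the viewer may not see never
 * reach the output at all.
 */
function example_author_titles_entity(int $uid): array {
  $nids = \Drupal::entityQuery('node')
    ->accessCheck(TRUE)
    ->condition('uid', $uid)
    ->condition('status', 1)
    ->execute();

  $items = [];
  foreach (Node::loadMultiple($nids) as $node) {
    $items[] = ['#plain_text' => $node->label()];
  }
  return ['#theme' => 'item_list', '#items' => $items];
}

/**
 * If a string really must be built by hand (rare; prefer render arrays or
 * Twig), escape the untrusted part explicitly. Html::escape() also escapes
 * quotes, so it is safe inside a double-quoted attribute.
 */
function example_escaped_attribute(string $untrusted): string {
  return '<a title="' . Html::escape($untrusted) . '" href="/">link</a>';
}
```

In code review, the first function is what to look for: string interpolation into a query, string concatenation into HTML, and a raw table query where an entity query with access checking would do. The other three are the shapes reviewers should expect to see instead.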
Reinforcing Drupal Security
User Authentication
Drupal core enforces no password length, complexity or expiry rules (the strength meter is advisory only), so reinforce it with contributed modules:
Use the Password Policy module to require strong passwords; prefer a generous minimum length and a password-history constraint over elaborate character-class rules.
Add two-factor authentication (for example the TFA module), at minimum for administrative and content-editing accounts.
Process
Code review should be part of every project process, in addition to functional testing of features with security implications (authentication, access control, file handling, anything that accepts user input).
Create a point of contact, a named person and a monitored address, for people to report potential security issues on sensitive projects.
Role/permission audits are a must before launching new projects and should be repeated regularly for sensitive projects: check which roles hold administrative or 'restrict access' permissions, and which accounts hold those roles.
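A way to make the role/permission audit repeatable, as an added example (not Kalamuna or Drupal project code): a script run with `drush php:script role_audit.php` that lists the findings a reviewer would otherwise click through the permissions page to collect. It uses core's Role and User entities and the `user.permissions` service; the finding labels and the choice of which cases count as findings are assumptions made for this example.

```php
<?php

/**
 * Added example, not Kalamuna or Drupal project code. Run inside a
 * bootstrapped site, e.g. `drush php:script role_audit.php`. The labels
 * below are our own convention for this example.
 *
 *  [ADMIN]      role has is_admin set: every permission, present and
 *               future, is granted implicitly.
 *  [RESTRICTED] a permission its defining module marks 'restrict access'
 *               (the ones Drupal itself warns can compromise the site)
 *               sits on a non-admin role.
 *  [BROAD]      anything granted to anonymous or authenticated, which every
 *               visitor or every account inherits.
 *  [STALE]      a permission name no enabled module defines any more.
 *  [ADMIN-USER] an account that holds an administrator role, plus uid 1,
 *               which has every permission by default regardless of roles.
 */

use Drupal\user\Entity\Role;
use Drupal\user\Entity\User;
use Drupal\user\RoleInterface;

$broad_roles = [RoleInterface::ANONYMOUS_ID, RoleInterface::AUTHENTICATED_ID];

/** @var \Drupal\user\PermissionHandlerInterface $handler */
$handler = \Drupal::service('user.permissions');
$definitions = $handler->getPermissions();

$findings = [];
$admin_rids = [];

foreach (Role::loadMultiple() as $role) {
  $rid = $role->id();

  if ($role->isAdmin()) {
    $findings[] = sprintf('[ADMIN]      %s', $rid);
    $admin_rids[] = $rid;
    continue;
  }

  foreach ($role->getPermissions() as $perm) {
    if (!isset($definitions[$perm])) {
      $findings[] = sprintf('[STALE]      %s: "%s"', $rid, $perm);
      continue;
    }
    $provider = $definitions[$perm]['provider'];
    if (!empty($definitions[$perm]['restrict access'])) {
      $findings[] = sprintf('[RESTRICTED] %s: "%s" (%s)', $rid, $perm, $provider);
    }
    elseif (in_array($rid, $broad_roles, TRUE)) {
      $findings[] = sprintf('[BROAD]      %s: "%s" (%s)', $rid, $perm, $provider);
    }
  }
}

// Roles are only half the picture: list the accounts that hold them.
if ($admin_rids) {
  $uids = \Drupal::entityQuery('user')
    ->accessCheck(FALSE)
    ->condition('roles', $admin_rids, 'IN')
    ->execute();
  foreach (User::loadMultiple($uids) as $account) {
    $findings[] = sprintf('[ADMIN-USER] %s (uid %d, status %s)',
      $account->getAccountName(), $account->id(),
      $account->isActive() ? 'active' : 'blocked');
  }
}
if ($root = User::load(1)) {
  $findings[] = sprintf('[ADMIN-USER] %s (uid 1, superuser by default, status %s)',
    $root->getAccountName(), $root->isActive() ? 'active' : 'blocked');
}

sort($findings);
print implode(PHP_EOL, $findings) . PHP_EOL;
```

Keep the output from the pre-launch run with the project records and diff later runs against it; a new [RESTRICTED] or [ADMIN-USER] line is the change a reviewer needs to justify.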
Security Breach Response
Project managers should have a contingency plan in place before a breach happens, covering at least:
Who do you need to contact on your client's side?
What are the legal responsibilities and ramifications (notification obligations, contractual commitments)?
What communications will you send to users?
In the event of a breach, preserve a full copy of the compromised site (codebase, files directory, database dump, and web and server logs) before any cleanup or redeploy, and keep it read-only and off the affected host so it can be analyzed; rebuilding first destroys the evidence.
More Resources
Review History
Who | When | Status
---|---|---
Bob | 2023-05-31 | Current. There are some old links, and it could be fleshed out, but I didn't find any inaccuracies.