Drupal Security

reviewed 230531 Draft

Basic Practices

The Drupal API embeds many security best practices, but we only benefit from the community's hard work if we actually use it. All Kalamuna developers should know the basic security guidelines described on Drupal.org and apply them in their development work. Project managers and personnel conducting code reviews should remain particularly vigilant that these standards are being applied. Using the Security Review module is highly recommended to help enforce them.

Reinforcing Drupal Security

User Authentication

Drupal's default password policy is somewhat dated and should be reinforced with contributed modules.

Process

  • Code review should be part of every project process, in addition to functional testing of features with security implications

  • Create a point of contact for people to report potential security issues on sensitive projects

  • Role/permission audits are a must before launching new projects and should be conducted regularly for sensitive projects

Security Breach Response

Project managers should have a contingency plan in case of a breach:

  • Who do you need to contact on your client's side?

  • Legal responsibilities/ramifications?

  • What communications will you send to users?

In the event of a breach, preserve a full backup/image of the affected site taken at the time of the breach, so that it can be analyzed later.

More Resources


Review History

Who   When      Status
Bob   20230531  Current, there are some old links, and it could be fleshed out, but I didn't find any inaccuracies.