Drupal Security

reviewed 230531 Draft

Basic Practices

The Drupal API embeds many security best practices, but to make sure we benefit from the community's hard work, we need to make sure we utilize it. All Kalamuna developers should know the basic security guidelines described on Drupal.org and apply them in their development efforts. Project managers and personnel conducting code reviews should remain particularly vigilant that these standards are being applied. Using the Security Review Module is highly recommended to help enforce standards.

Reinforcing Drupal Security

User Authentication

Default Drupal password policy is somewhat dated and should be reinforced with contributed modules.

Process

  • Code review should be part of every project process in addition to functional testing of features with security implications

  • Create a point of contact for people to report potential security issues on sensitive projects

  • Role/permission audits are a must before launching new projects and should be conducted regularly for sensitive projects

Security Breach Response

Project managers should have a contingency plan in the case of a breach:

  • Who do you need to contact on your client's side?

  • Legal responsibilities/ramifications?

  • What communications will you send to users?

In the event of a breach, make sure that you keep a full backup/image from the breach to analyze.

More Resources


Review History

Who

When

Status

Who

When

Status

 

 

 

Bob

20230531

Current, there are some old links, and it could be fleshed out, but I didn’t find any inaccuracies.

Related pages