Covering Drupal Basics

Security Code Review

The areas of highest risk in any web application are those where users interface with the site. Forms, AJAX actions...pretty much anytime a user generates a request to the server, there's a potential vulnerability.

Start a code review with the following items:

1. Forms

2. AJAX Requests

3. "hook_menu" items

4. Other API endpoint (Services, RESTFul, etc.)

Make sure these items follow Drupal best practices, then describe the access logic (if applicable) for each item. Hold a meeting where you walk through each piece of access logic with the client, starting with the items you feel are most sensitive or may not be functioning correctly.

TODO: Automated testing tools make sure access logic stays the same?

OWASP Audits

OWASP (Open Web Application Security Project) provides tools, resources, and guidelines on web application security. If someone is performing an "OWASP Audit" on your site, they are probably trying to verify that it meets the Application Security Verification Standard (ASVS).

TODO: summary of ASVS https://docs.google.com/document/d/1dUtjOASFAWoPBEKfXd5YHF_OE-k-DsctUiq0Qcz_oZw/edit#heading=h.dt9sj5uc8ph6

• ASVS Levels 1-3 (a higher level corresponds with a higher depth of security analysis, intended for an application handling more sensitive data)

• Most of our clients are at level 2 or below

OWASP + Drupal

Summary of top 10 vulnerabilities and how they impact Drupal

OWASP Audit Tools + Basic Testing

Summary of how to do a basic OWASP audit

OWASP Testing guide

ZAP application (produced equivalent results to a professional audit with Netsparker) 

Resources 

• A Security Checklist for Drupal 8 Sites with Private Data (Lullabot)

Review History