Drupal Security Audits - DEPRECATED
DEPRECATED
The information below is either outdated, or no longer considered best practice at Kalamuna.
This was deprecated because it was not completed. If we finish drafting the page it can be reinstated.
Covering Drupal Basics
Security Code Review
The areas of highest risk in any web application are those where users interface with the site: forms, AJAX actions, and pretty much anywhere else a user generates a request to the server is a potential vulnerability.
Start a code review with the following items:
Forms
AJAX Requests
"hook_menu" items
Other API endpoints (Services, RESTful, etc.)
Make sure these items follow Drupal best practices, then describe the access logic (if applicable) for each item. Hold a meeting where you walk through each piece of access logic with the client, starting with the items you feel are most sensitive or may not be functioning correctly.
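As an added example (not code from the original page or from Kalamuna), assuming Drupal 7, where hook_menu still exists: the first router entry below is the kind of item this review should flag, and the second shows the access logic a reviewer would expect to be able to describe to the client. The module name, paths and permission name are made up.

```php
<?php
// Added example, not from the original page. Assumes Drupal 7 (hook_menu was
// removed in Drupal 8); module name, paths and permission name are hypothetical.

/**
 * Implements hook_permission().
 */
function example_audit_permission() {
  return array(
    'edit own notes' => array('title' => t('Edit own notes')),
  );
}

/**
 * Implements hook_menu().
 */
function example_audit_menu() {
  $items = array();
  // Typical audit finding: 'access callback' => TRUE disables the menu
  // system's access check, so anonymous requests reach the page callback
  // and its body is the only line of defence for this write operation.
  $items['example/ajax/save-note'] = array(
    'page callback' => 'example_audit_ajax_save_note',
    'access callback' => TRUE,
    'type' => MENU_CALLBACK,
  );
  // Hardened entry: Drupal calls user_access('edit own notes') before the
  // page callback runs, and the returned array is delivered as JSON.
  $items['example/ajax/save-note-secure'] = array(
    'page callback' => 'example_audit_ajax_save_note',
    'access arguments' => array('edit own notes'),
    'delivery callback' => 'drupal_json_output',
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Page callback for both entries. A state-changing AJAX endpoint should also
 * require the token the site's JS fetched via drupal_get_token('example-save-note'),
 * so a cross-site POST without it is rejected even for a logged-in user.
 */
function example_audit_ajax_save_note() {
  if (empty($_POST['token']) || !drupal_valid_token($_POST['token'], 'example-save-note')) {
    drupal_add_http_header('Status', '403 Forbidden');
    return array('status' => 'error', 'message' => t('Invalid or missing token.'));
  }
  global $user;
  return array('status' => 'ok', 'uid' => (int) $user->uid);
}
```

When walking the client through the access logic, the point to make is that the second entry's access decision is enforced by the router and is visible in hook_menu, while the first entry's is not, so the token check inside the callback is its only protection.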
TODO: Automated testing tools make sure access logic stays the same?
OWASP Audits
OWASP (Open Web Application Security Project) provides tools, resources, and guidelines on web application security. If someone is performing an "OWASP Audit" on your site, they are probably trying to verify that it meets the Application Security Verification Standard (ASVS).
TODO: summary of ASVS https://docs.google.com/document/d/1dUtjOASFAWoPBEKfXd5YHF_OE-k-DsctUiq0Qcz_oZw/edit#heading=h.dt9sj5uc8ph6
ASVS Levels 1-3 (a higher level corresponds to a greater depth of security analysis and is intended for applications handling more sensitive data)
Most of our clients are at level 2 or below
OWASP + Drupal
Summary of top 10 vulnerabilities and how they impact Drupal
OWASP Audit Tools + Basic Testing
Summary of how to do a basic OWASP audit
OWASP Testing guide
ZAP application (produced equivalent results to a professional audit with Netsparker)
Resources
Review History
Who | When | Status |
---|---|---|
Bob | 20230531 | Deprecated |