We recently wrote a security best practices document for a government client. We wanted to distribute this more widely because security is a complex issue, that so many organizations seem to get wrong. In government this is often because they are working in isolation and haven't been able to keep up with the rapid changes in IT security.
We are releasing this document because we believe that most organizations simply do not have the resources necessary to put into properly setting up and maintain the security of their servers. Our hope is that we will be able to build a community of people behind a common process that will help everyone be able to secure & maintain secure Drupal sites.
Although this isn't the greatest security breach out there, I think that it is worth noting that there is a court case in Quebec where a 12 year old boy is on trial for hacking into government computer systems in 3 different jurisdictions. To some extent that's a reflection the rise of hacker culture on the Internet, but it should also be an indication of how far government security practices are currently missing the mark. If a kid can hack away at government sites for fun, what are more politically or crime motivated hackers capable of? There is far too much security theater and not enough collaboration between organizations about how to raise the lowest common denominator for security. I've blogged about this issue here:
http://openconcept.ca/blog/mgifford/when-even-our-kids-can-hack-governme...
More importantly though we've released the initial security guide here for review here (we are asking for people to submit their name & email so that we can track who is making use of this PDF):
http://openconcept.ca/drupal-security-guide
We'd like to get feedback on this document, and our hope is that this starts an open conversation about security best practices. I would like to thank the people who have contributed to this document, but generally I have decided what is or is not listed in this release. There will be errors and this document will need to be regularly updated to stay relevant.
I especially want to get feedback on this from others in the Drupal community, many of whom have more experience in the security field than I do.
Comments
Your first link seems broken
Your first link seems broken so I cannot give you a review. I am also implementing network security services for Government and Corporations and would love to share the knowledge I have gathered throughout the years.
We specialize in SELinux & GRSecurity implementations and various network and data monitoring services.
EDIT: seems d.o truncated the url through the email send by the group page. bug time?
Thank you,
likewhoa
GPG BDD75DD7
Mission Accomplish, Inc.
http://missionaccomplish.com
bending technology to fit businesses.
Updated Guide
We've updated the guide again and it can still be downloaded from http://openconcept.ca/drupal-security-guide
If there are people who would like to discuss this document, please let me know. We've presently got a GoogleDoc running for comments and suggestions.
--
OpenConcept | Twitter @mgifford | Drupal Security Guide