Security

Consider this a brainstorm post about generating module ideas around security for Drupal sites. What modules do you wish existed but don't? What security feature, change audit, access control, risk mitigation, etc doesn't exist for Drupal, but should?

A couple come to my mind which I'll leave as a comment. Share yours, whether basic or advanced, and we can discuss how it might work and it's needs.

Hello group members,
I am looking for a way to scan my drupal sites for security issues. I found this site online https://hackertarget.com/drupal-security-scan/. Thanks for your comments in advance.

drupalscout.com was a good source of Drupal security information but is now gone and redirects to the Acquia home page.

Does anyone know if the information previously available on drupalscout.com will end up being available somewhere else or is it just gone now?

The security working group is proposing this policy around disclosure of private information. We are seeking community feedback.

In the past our policy has been a tad thin.

“State that you are willing to keep the confidential issues of the team confidential”

This document aims to add clarity to that sentence and some example scenarios to guide team members decision making.

We are seeking public feedback before making this a policy.

The policy is attached as a PDF.

Please provide feedback by commenting on the post

I'd love to hear feedback about crowdsourced security programs from anyone who has used or researched them. I personally have used Bugcrowd (as a program sponsor) and Hackerone (as a reporter) and they both seemed roughly similar. I haven't really researched the others.

What do folks think about these programs? Anyone using one or more of them, either as sponsor or researcher, and have feedback to share? Do any of their models provide a better match to the Drupal community?

Hello,

There will be a birds-of-a-feather (BOF) gathering at Drupalcon Los Angeles on Tuesday, May 12th at lunchtime (11:45am-1:00pm) in room 410. There's no specific agenda, we'll talk about things that people in the room want to talk about. It should be fine to get lunch first and bring it to the room (if someone says no, surely it will be possible to engage in a little social engineering to convince them it's OK!).

It seems useful to talk about just about anything. Some things that I can imagine we might cover:

Regarding Drupal site security, I am really surprised to see that MySQL settings do not keep an important place in Securing your site discussion.

Yet a very simple MySQL policy would have prevented Drupageddon to your site.

According to INSTALL.mysql.txt, MySQL user used by Drupal, must have the following minimal privileges on Drupal database:

GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES.

First, sorry if this isn't the right place and way to ask.

I'm developing a new module and have 2 questions about security.

1 - My module has a Config page where only admin (or another user with same rights) has access. Like /admin/config/system/site-information.
In this config, I have some fields that will be showed later in HTML output.
Question: Do I must filter this content against XML injection (filter_xss or filter_xss_admin)? or I can trust this user?

On October 21, 2014, an attempt to compromise my personal web site was partially successful. The attack was able to delete log entries for October 21, 2014, and was able to add a non-existent user to the administrator role on the web site. The attack apparently failed to actually create the user, however.