security

solotandem's picture

Secure Code Review

The goals of my project are:

  1. to develop additional reviews in the Secure Code Review module
  2. to improve the reporting of results from the module
  3. to provide Drush commands to invoke the reviews
greggles's picture

GSOC Idea: Secure code review enhancements

The secure code review module was a great success from SOC2010. It would be great to enhance it further for 2011.

Possible ideas:

  • Extending the rules it uses to find vulnerabilities so it can catch all of the contributed module vulnerabilities announced in 2010, 2009, etc. (this isn't fully practical, but getting just 50% or so would be a great improvement!)
LittleLion's picture

Secure Drupal and Drupal 7

I am implementing a site that will contain some information that should be secure. I looked up various posts and modules about security and it seems that by default all passwords are sent in clear text across the Internet in D6.

I found little to no information on securing D7 logins or pages.

Is there a simple solution to force the site into https?

Thanks for any advice,

Matt

spidersilk's picture

Replacements for OG Forum?

I posted the following in the main Drupal.org forums, and someone suggested it might be better placed in this group:

I just saw the security advisory regarding OG Forum, and was distressed to see that there was no fix for it - the only advice was to disable the module.

greggles's picture

Security session, training, BOF at Drupalcon Chicago

First, if you haven't already you should sign up for Drupalcon Chicago.

This year we've got a relatively small number of sessions at Drupalcon Chicago about security.

  • Drupal Security for Coders - this is a presentation on the most common attack scenarios and how to code/configure to protect against them
klamoureux's picture

Company/Individuals that do evaluation of Drupal installs

Hey there,

With about 5 or 6 Drupal site installs under our belts, we had a MySQL persistent connection issue which brought down the MySQL server and a few Drupal and non-Drupal sites with it.

mfb's picture

Secure Login module not dead yet

Secure Login module was in need of a maintainer, so I decided to take it on.

What I like about Secure Login is that it's a small, simple module that makes it easy to enforce secure (SSL) logins on a Drupal site.

I've already committed a Drupal 7 version which could use testing and feedback.

saepl's picture

Online Forms and security

Hello,

I would love some feedback / discussion regarding security and the submission of online forms using sensitive data. I work for a small college and our website is hosted in a shared environment. There has been discussion about making the college application form, application for residence form and a few others available online. What tips / concerns can you provide to securely get the information from the user in an encrypted fashion?

My primary concerns are storage of private information on a shared server and emailing of private information in an unencrypted fashion.

that0n3guy's picture

What kind of multisite security issues are there with php filter enabled?

Hey all,

I am wondering what kind of hacking a person could do on a multisite environment if php filter is enabled? Can they access other sites?

If so, isn't this more than a "php filter" issue, and isn't any cck field (since you can do php stuff in there also) also a hazard?

If there are issues, how do you host many sites on the same Aegir server for different users (who want full access to Drupal) if they can potentially hack into other sites?

Sorry, that's a load... just thought about it.

-Peter

ClearXS's picture

Group organization, streamlining, jQuery 1.8/1.9, JavaScript, AJAX, jQuery Eye Candy, etc.

Hi,

Actually, I don't know the differences between AJAX, JavaScript and jQuery. But before answering here, maybe a wiki page is missing and could be mentioned in the group description?

In many groups such info lacks in the description. Yes I'm familiar with groups, but from Yahoo and the Dutch http://Clubs.nl (they WERE the first & the best, Yahoo bought the software and made a cut down version for its groups). So I'm not that happy with the features and design of Drupal groups, but that's another issue...
