The world of online web security is like an arms race, where the black hat hackers are constantly cataloging and looking for novel or even mundane exploits, while white hat defense specialists are implementing organizational processes that propagate best practices.

It is just simply beyond an individual website owner or website programmers’ resources to keep up with the entire arms race. But by adopting a platform like Drupal, you inherit a defense stance and process that can get you a leg up on the overall security situation.

Open Source Security, Out of the Garage and onto Prime Time

For many years, there has been a debate about whether open source projects can be secure. An early contribution to the debate by IBM in 2004 was a project and report where they analyzed security for the Linux operating system and concluded that it could but that was just the beginning. By 2009 Barack Obama’s relatively new administration was able to relaunch The Whitehouse Website on Drupal, which was largely seen as a nod to the open source community.

What You Get For Free

There are many aspects of the Drupal CMS that make it an attractive platform and Drupal’s security features are among those. Similar to the choices you are making when comparing different platforms for functionality and extensibility, what you get for free is a major factor in your decision making.

So what do you get for free when you have Drupal?

You get the complete history of security reviews and code upgrades that have occurred through Drupal’s history. Drupal programmers share best practices publicly. ‘Writing Secure Code’ is a section in the Drupal developer’s handbook that was first posted ten years ago. Pages in this section have been updated and maintained ever since and have been used by core and contrib module developers as part of the process of getting modules and core patches shared on the main drupal website.

You get a platform based on best practices that have emerged from the crucible of prime time exposure with some of the most targeted sites on the planet, like The Whitehouse, the state revenue office for Victoria Australia, the City of London, UK and many many other sites that require high security.

Drupal Security is also based on best practices informed by the wider web development community. Take for example, OWASP a world-wide chaptered organization that publishes a yearly Top Ten of what they call a broad consensus about what the most critical web application security flaws are.

What Your Developers Get For Free

Beyond what you get for free, you also set yourself up with infrastructure that, even for complex, customized websites, makes things easier to maintain.

You also get a pre-built set of tools that can be used to improve and maintain the security of your site tools like the built-in module updater, and for developers the drush maintenance tool.

One option available to anyone who registers for an account on ‘Drupal Dot Org’ is to subscribe to the security advisories, but do you know that the majority of advisories are not relevant to most sites. The many advisories are not a sign of security weakness so much as a sign of an active community doing the work it needs to tighten the system’s defenses. That said, subscribing to the updates can be a good way to get a feel for the frequency and mitigating factors for issues discovered by the community and security team.


Life After Armageddon

No blog about Drupal security would be complete without mention of Drupalgeddon. This is the tongue-in-cheek name attached to a specific security exploit that rapidly criss-crossed the web in 2014.

The problem with this particular exploit was that it was very easy (in relative terms) to build an exploit for it. Hackers with databases of which sites were running Drupal were able to rapidly apply the exploit to many sites ‘in the wild’ and quickly gain administrator access to the sites. Within hours the Security Advisory went live and many tens of thousands of sites were hacked.

Luckily, the speed with which hackers were able to break into the site was not largely matched by a speedy ability to actually leverage their newfound treasure trove of data. In most cases, sites were brought back from the hacked state, and life on the Drupal web carried on.

Fool Me Once, Shame On You

But not only did Drupalgeddon result in improved code and stronger defenses in the code itself, also the community changed the way it responds to potentially similar situations. Take the case of PSA-2016-001. In this case, prior warning of an important upcoming fix was published first, which meant that site owners and developers were ready when the fix came and could apply it to their sites quickly, or take other mitigating steps until they could apply the appropriate fixes.

This warning was given for an exploit that affected only between 1,000 and 10,000 sites. If an exploit similar to Drupalgeddon was to occur again, the Drupal Security apparatus would now be in a position to keep sites safe by giving prior warning.

In A Complex World, A Little Help Goes A Long Way

Even though Drupal comes with a lot of advanced security built-in, and even a method for updating contrib modules through the interface, Drupal is often the indicated platform when website requirements are a little more complex than your average brochure site. In cases like this, it can sometimes help to have a team of professionals on the case.

If you are looking to do a security audit of your Drupal site, or just have some upgrades done, drop us a line and we will help you right away.

Want to learn more?