This articles features links and information from the Peerless design Security presentation from various Drupal Camps in the Eastern US. Audio from New Jersey's impromptu presentation can be found on the Drupal Camp NJ site for 2014. The PDF version contains all info removed to accommodate time constraints. The entire presentation is available in a white paper available here.
Presentation Files
Baltimore Drupal Camp 2014 Presentation
Drupaldelphia Sept 2014 Presentation
For a copy of the presentation download the pdf or please contact me for other formats.
| OWASP | NIST | Drupal |
|---|---|---|
|
NIST Cybersecurity Framework Website |
Drupal & OWASP
| Vulnerability | Drupal Modules |
|---|---|
| A1 - Injection | Drupal Core, Security Review |
| A2 - Broken Authentication and Session Management | Automated Logout, Session Limit, Username Enumeration Prevention, Secure Login, Password Policy, Login Security |
| A3 – Cross-Site Scripting (XSS): | Input Filters(core), Security Kit, Content Security Policy, HTML Purifier |
| A4 – Insecure Direct Object References | Drupal's rich permissions and access control system prevent unauthorized requests. |
| A5 – Security Misconfiguration: | Security Review, Automated Logout, Session Limit, Username Enumeration Prevention Secure Login, Password Policy Login Security |
| A6 - Sensitive Data Exposure | Automated Logout, Session Limit, Username Enumeration Prevention Secure Login, Password Policy, Login Security |
| A7 – Missing Function Level Access Control | Drupal has an easy to use and manage, very granular user management system making it easy for site managers to set up and maintain |
| A8 - Cross-Site Request Forgery (CSRF) | Security Kit, Content Security Policy, HTML Purifier |
| A9 - Using Components with Known Vulnerabilities | Be sure to update your libraries. Server and Drupal |
| A10 – Unvalidated Redirects and Forwards | Internal page redirects cannot be used to circumvent Drupal's integrated menu and access control system. |