Improving your Drupal site's security: Cracking Drupal review

If you're a Drupal professional, you owe it to yourself and your clients to internalize the lessons and techniques in Cracking Drupal: A Drop in the Bucket. The reason is statistical: the security holes in a site are many times more likely to be introduced by your own custom theming and modules than by Drupal core. The book mentions the audit of a high-profile Drupal site that uncovered 120 security issues, of which the vast majority were found in the customized theme layer, far more than in contrib or custom modules!

There are many good things to choose from, but for me the best thing about Cracking Drupal is that I finally have a definitive one-stop place to go for information about Drupal security: what to watch out for, how to test it, best practices, worst practices. It's all there.

Finally, keep in mind that just reading this book will not of itself make your site more secure. I've had to re-read certain things a few times before they sunk in all the way. That process was helped along considerably by downloading vulnerable.module, the module the book uses for many of its examples, and testing out the examples inside it for a few hours.

Many thanks to greggles for putting this together for the Drupal community. For another review of Cracking Drupal, see Aaron's write-up of it.

31 July, 2009

Comments

Very sad it's a book and not a section in the handbook.

In response to anonymous, I'm the author of the book and want to share my opinion.

The handbook is a place for true labors of love - people don't usually get paid to write documentation in the handbook and therefore it is usually smaller pieces of text that are not always well researched. This book took several hundred hours of my time and the time of various other people like chx. We were paid to write the book (me a good bit more than chx) but not nearly enough to be the normal amount that we would charge if we did this on a per hour basis.

Ultimately there are multiple levels of documentation available and accessible to all budgets.

Free:
http://drupal.org/writing-secu...
http://crackingdrupal.com/blog...

Cheap: http://crackingdrupal.com/ the book is only $26!

I have no issue with someone like Greg, who has been a very prolific contributor to the Drupal project for several years running now, making a little money off a book like this. I'm just glad to have it in my book collection. :-)

I agree with what both Caleb and Aaron are essentially saying: this book is a worthwhile investment.

As a professional business writer it really irks me when people are dismissive - even if it is done unintentionally - of the time and effort it takes to put together a practical guide such as this.

We accept that when we use the professional services of a lawyer or an accountant we have to pay them for their time and expertise.

Why should we treat writers any differently?

A lot of professional expertise has gone into putting this book together and the writers deserve to be properly rewarded. Frankly, $26 seems inexpensive for a book that could potentially save you incalculable sums of money.

Sorry if I sound grumpy, but that's my two cents.

Bruce

I had no idea that Drupal had so many security issues/vulnerabilities. No doubt the book would be a great resource and is probably good value. It seems to me though that if there are these issues with security, especially around the themes, then it may be better to develop on a different platform.

User input is the problem, not the framework someone uses -- user input (the source of 90+% of all attacks, as well as 90+% of what the book covers) is a problem that does not discriminate - it affects every single site/framework equally. Which is to say that every single site/framework on the face of the planet has to handle user input appropriately or else the site's and its users' security will be open to being heavily compromised.

Drupal actually offers many tools to help protect against user input, but just offering the tool is not enough - the tool has to be used and used correctly. This will not be changing.
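The point made above, that Drupal's escaping tools only help when the theme layer actually calls them, as an added example that is not part of the original post or its comments. It shows the same template line in its vulnerable and hardened forms; a stand-in check_plain() is defined so the script runs outside Drupal (assumption: it mirrors the htmlspecialchars()-based behaviour of Drupal 6's function, which a real site should use instead).

```php
<?php
// Added illustration: a user-supplied node title (constructed sample)
// rendered by a theme template. A template does not escape $node->title
// for you; the theme author has to call check_plain().

// Stand-in so this script runs outside Drupal. Assumption: Drupal 6's
// check_plain() is essentially htmlspecialchars() with ENT_QUOTES/UTF-8.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed user input: a title that carries markup.
$node = new stdClass();
$node->title = '<script>alert("xss")</script> Hello';

// Vulnerable form: the title is printed into the page as-is.
function render_title_unsafe($node) {
  return '<h2>' . $node->title . '</h2>';
}

// Hardened form: the same template line, with the title escaped.
function render_title_safe($node) {
  return '<h2>' . check_plain($node->title) . '</h2>';
}

// Crude check a reviewer can run over rendered theme output: did a raw
// <script> tag survive? (A heuristic for review, not a full XSS scanner.)
function contains_raw_script($html) {
  return stripos($html, '<script') !== false;
}

echo "unsafe: " . render_title_unsafe($node) . "\n";
echo "safe:   " . render_title_safe($node) . "\n";
var_dump(contains_raw_script(render_title_unsafe($node)));
var_dump(contains_raw_script(render_title_safe($node)));
```

For user-supplied content that is meant to contain HTML, the equivalent Drupal tools are filter_xss() or check_markup() with an appropriate input format, not check_plain().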