Drupal Security Review

Drupal is a very secure open source project. With thousands of eyes looking at the code, security holes get patched very quickly in the core Drupal project.

However, one of the primary ways of opening up your Drupal site to security vulnerabilities is through user error. No amount of code can prevent site administrators from doing stupid things like giving anonymous users permission to edit your blog posts.

The recently released Security Review module runs a basic analysis of your site, looking for security issues in how you've set it up. Whether you are a developer or not, a module like this could save you a tremendous amount of grief.

After installing the module on this very site to check out the features, I was alerted to the fact that anonymous users were able to post any kind of JavaScript into the comment form. I'm not sure how that happened, since that is not the default Drupal behavior, but I was grateful to have the opportunity to correct the situation.
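The two mistakes mentioned above (an anonymous role holding an edit permission, and anonymous users reaching a text format that lets JavaScript through) can be written as simple configuration checks. This is an added example, not the Security Review module's code; the data layout, function names, verb list and sample values are constructed for illustration and are not Drupal's schema.

```python
# Added illustration: audit a constructed export of role permissions and text
# formats. The dictionary layout below is hypothetical, not Drupal's schema.
ANONYMOUS = "anonymous user"
# Leading verbs that let a role change content or settings (assumed list).
RISKY_VERBS = {"administer", "edit", "delete", "bypass"}
# Tags that can carry active content if a format lets them through.
DANGEROUS_TAGS = {"script", "iframe", "object", "embed", "style"}

def risky_anonymous_permissions(role_permissions):
    """Permissions granted to the anonymous role that begin with a risky verb."""
    granted = role_permissions.get(ANONYMOUS, [])
    return sorted(p for p in granted if p.split(" ", 1)[0].lower() in RISKY_VERBS)

def format_allows_script(fmt):
    """True if the format neither escapes HTML nor limits tags to a safe list."""
    if fmt.get("escape_html"):
        return False
    allowed = fmt.get("allowed_tags")
    if allowed is None:  # no allow-list at all: raw HTML passes through
        return True
    return bool(DANGEROUS_TAGS & {tag.lower() for tag in allowed})

def script_capable_formats(text_formats):
    """Names of formats usable by anonymous visitors that let scripts through."""
    return sorted(name for name, fmt in text_formats.items()
                  if ANONYMOUS in fmt["roles"] and format_allows_script(fmt))

def review(role_permissions, text_formats):
    """Run both checks and return human-readable findings."""
    findings = [f"anonymous role holds '{p}'"
                for p in risky_anonymous_permissions(role_permissions)]
    findings += [f"anonymous users can post unfiltered HTML via '{name}'"
                 for name in script_capable_formats(text_formats)]
    return findings

# Constructed sample configuration (not taken from a real site).
SAMPLE_PERMISSIONS = {
    "anonymous user": ["access content", "post comments", "edit any blog entry"],
    "authenticated user": ["access content", "post comments"],
}
SAMPLE_FORMATS = {
    "Filtered HTML": {"roles": ["anonymous user", "authenticated user"],
                      "allowed_tags": ["a", "em", "strong", "code"]},
    "Full HTML": {"roles": ["anonymous user"], "allowed_tags": None},
    "Admin only": {"roles": ["administrator"], "allowed_tags": None},
}

if __name__ == "__main__":
    for finding in review(SAMPLE_PERMISSIONS, SAMPLE_FORMATS):
        print("FAIL:", finding)
```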

If you are a Drupal developer really interested in security, check out the book Cracking Drupal, authored by the same people who developed the Security Review module.
