Is Drupal able to handle effectively all the Top 10 Security Risks as mentioned by OWASP
(https://www.owasp.org/index.php/Top_10_2010-Main):
The OWASP Top 10 Web Application Security Risks for 2010 are:
A1: Injection (SQL, OS, LDAP, XPath, Program Arguments) – untrusted data sent to an interpreter as part of a command or query.
A2: Cross-Site Scripting (XSS) - untrusted data sent by a server to a browser.
A3: Broken Authentication and Session Management – compromise passwords, keys, tokens etc. to assume users' identities.
A4: Insecure Direct Object References - exposing a reference to an internal implementation object without an access control check.
A5: Cross-Site Request Forgery (CSRF) - forcing a browser to send a forged HTTP request.
A6: Security Misconfiguration - secure the defaults for framework, platform, application, servers (web, application, database).
A7: Insecure Cryptographic Storage - protect sensitive data.
A8: Failure to Restrict URL Access - access control checks on page access.
A9: Insufficient Transport Layer Protection - protect sensitive communications (avoid invalid certificates, weak algorithms).
A10: Unvalidated Redirects and Forwards - validate destination information.
Comments
Obviously the answer is that Drupal cannot handle the security risks which are outside the Application / Presentation layer and related server or network security, and beyond the control of Drupal's developers. What is the point of the question? If you want a secure setup, hire security experts to set up your server and network and DNS, and a Drupal expert to set up your Drupal website securely. Drupal's software design and maintenance is one large part of the jigsaw, and it handles that part well, but it cannot close holes left open by the server or network manager, or by Drupal sites which are not well built and maintained.
Digit Professionals
I think you didn't understand the question. In this era, if you require to create a Drupal site for bigger clients, certainly they will ask how secure Drupal is and you can't just say, "yes it is secure". These Top 10 points are actually what we need to tell our clients, as to how Drupal can make things secure for them. For example, the first one, "Injection", is the basic security requirement. The reason I pointed out each and every point (1 to 10) is to get the individual understanding of how Drupal plays either an overall role or part of a role for every point. Please just don't generalize the overall security picture here. Kindly reply with every point as to how Drupal handles it. There is a security team in Drupal which manages and gives checks for every code which gets committed in Drupal and gives periodical releases of Drupal whenever any security issue is found in any Drupal release, so obviously they are following all of these 10 points either fully or partially.
I see. Well, the starting point is the book Cracking Drupal, by Greg Knaddison, who is on the security team. I have not read it, though I did hear his overview at DrupalCon London. It appears to me that several items on your list are outside the scope of the Application layer, but most of them are relevant for Drupal. Not having read even this most basic textbook in the field, I am not qualified to answer further, but the book may contribute many of the answers you need.
Digit Professionals
Thanks, will try that right away.
Thanks for suggesting the book. The same guy also gave a presentation regarding Drupal security here:
http://archive.org/details/drupal_security_for_coders
Overall, I now know how Drupal handles web security.
Below are some general resources on security in Drupal that you could use to get into much more detail on the topic. There is this presentation, Is Drupal Secure?, which tries to cover the OWASP top 10 question in a very brief format.
--
Drupal Security Report | Cracking Drupal: Security Book from Wiley
Thanks and Merry Christmas.. Happy New Year!!
Got a perfect post:
http://www.cameronandwilding.com/comment/44