I am contemplating publishing a law office site with drupal. Clients will have accounts and be able to view case and account information. The site will need to be reasonably secure. I am still (posted before) trying to decide if this is a good idea...
I am using a module that allows me to add custom info to the user profile (profile). Another module makes that info read only (user_readonly). Finally, I am using a filemanager that allows for private file shares (fileshare). I am also planning on using secure pages and an ssl connection (securepages). They are all modules from the main list.
So, is there a mailing list I can subscribe to that will tell me of security problems for the core and/or these modules? Are the drupal framework and its modules reasonably secure? Is there any information that discusses these details that we could use to assure others of this fact?
Any information/opinions are appreciated.
Ryan
Comments
visit your profile, and subscribe to the newsletters that interest you.
You might want to start here: http://drupal.org/node/27573. I believe that Drupal can certainly be secure, but as with any other system, it's always possible for something to surface. But don't have unreasonable expectations. After all, the typical law office is easier to break into than a bank vault, and I imagine that most law offices don't use high security filing cabinets.
Gary Feldman
But Joe Google can't stumble into files stored in those insecure filing cabinets - they need to physically go to the office, break in, open the cabinet, and find the file...
I think the point was that it is reasonably easy to secure a drupal installation from 'joe google', but like any software there are potential vulnerabilities that could be exploited by experienced, determined criminals. It all depends on what you consider secure, and how actively you maintain your code.
------------------------------
Alex Cochrane
Spoon Media
Drupal is only one potential hole
Make sure you are hosting the site in an environment you consider secure. Does the hosting company do an adequate job of security?
If you're dealing with really sensitive material, you might want to take extra steps like putting documents in password protected archives.
In the end, making a really secure website is hard, whether you're using Drupal or not. Your chances of success depend very much on your level of experience as a sysadmin. I wouldn't want to give you false hope or illusions of security.
Drupal works hard to be secure, however, so it is unlikely to be the weakest link in your armor.
- Robert Douglass
-----
Lullabot | My Drupal book | My Digg stories
meaningful disclosure should occur
The question of whether and to what extent user information is secure on a drupal site should be considered separately from what users should be told prior to placing their information on the site.
What can be said to users who want to read the latest legal document filed in their case from home at 10:00 p.m. rather than pay for the postage to have it mailed to them? They need to be able to fully understand the risks and benefits before making the decision.
What specific and itemized features does the drupal security include and what are the definitions and concrete layperson examples applicable to each feature? Is it more or less secure than services with which the user may already be familiar like Paypal or electronic banking? Will the information be more or less secure than in the average law firm? Etc.