Drupal is the perfect match when it comes to collaboration and communication in teams. As it is easy to set up and flexible to use, an intranet for a company or a site for a closed group of people is easy to realize.
However, stealing login credentials or a session over a public network is trivial, which makes securing your confidential information a must.
This session is aimed at the typical Drupal developer.
The session starts with a short overview of the most common security issues, their consequences, and how you can use the Drupal API to prevent them. The second half of the talk is devoted to string handling, because the most prevalent vulnerability, cross-site scripting (XSS), happens when you get it wrong. You should leave the session with a clear understanding of when to use filter_xss, check_plain, check_url and check_markup.
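The following is an added illustration, not code from the session or from Drupal core, of the choice the abstract refers to: which Drupal 7 output-escaping helper fits which context. It assumes a bootstrapped Drupal 7 environment where check_plain(), filter_xss(), check_url() and check_markup() are available, and the input strings are constructed for the example.

```php
<?php
// Added example (not from the session or from Drupal core): picking the
// right Drupal 7 output-escaping helper for each rendering context.
// Assumes Drupal 7 is bootstrapped so the helpers below are loaded.

// Constructed, untrusted input as an attacker might submit it.
$title   = '<script>alert(1)</script>Quarterly report';
$bio     = 'Hello <b>team</b> <img src="x" onerror="alert(1)">';
$website = 'javascript:alert(document.cookie)';
$body    = "Line one\n<strong>bold</strong> text";

// 1. Plain text that must never be interpreted as HTML: check_plain().
//    Every HTML special character is entity-encoded, so the <script>
//    tag is displayed literally instead of executed.
$safe_title = check_plain($title);

// 2. Text where a small, known set of tags is allowed: filter_xss().
//    Tags outside the whitelist are removed and event-handler
//    attributes such as onerror are stripped from the ones that remain.
$safe_bio = filter_xss($bio, array('b', 'i', 'em', 'strong'));

// 3. A URL destined for an href or src attribute: check_url().
//    Dangerous protocols (javascript:, data:, ...) are stripped and the
//    result is entity-encoded for use inside an attribute.
$safe_href = check_url($website);

// 4. Rich text stored together with a text format: check_markup().
//    The input filters configured for the format run, so the output is
//    only as safe as that format's filter configuration. Never pass
//    user-chosen text directly through a format that allows full HTML.
$safe_body = check_markup($body, 'filtered_html');

// Render only the escaped variables; the raw values never reach output.
print '<h2>' . $safe_title . '</h2>';
print '<p>' . $safe_bio . '</p>';
print '<a href="' . $safe_href . '">' . check_plain($website) . '</a>';
print $safe_body;
```

The rule of thumb the example encodes: escape at output time, and choose the helper by where the string lands (plain text, limited HTML, an attribute URL, or formatted body text), not by where it came from.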
Hacking is more of an art than a science and this working demonstration will give the audience a chance to get their hands dirty. Drupal's security model tends to focus on technical security and this leaves some key holes in the security model. We'll take an opportunity to show some of these problems, give the audience a chance to work through the problems on a demonstration Drupal site (install distributed to everyone prior to the session), and finally we'll work through some possible solutions to the problems we identify.
What you don't know can hurt you. Analysts estimate that 75% of attacks against web servers enter at the application level, not the network level. As many as 15% of these attacks are due to poor coding practices. We'll discuss ways to secure your Drupal application.
Agenda:
See For Yourself - demonstrations of application attacks
Case Study: Secrets to Securing a Social Network
Key Habits of Secure Drupal Coding
Vulnerability Detection, Remediation, and Mitigation