@schnippy
Last active October 31, 2018 17:28

Beyond module security updates: How to craft a holistic security strategy

This past year, Drupal site maintainers raced to patch their sites to address back-to-back critical security issues in Drupal 7/8, with exploits being detected in the wild within hours after the patches were released. These updates, while not out of the ordinary for open source software, occurred in an increasingly complex security environment that is seeing a greater range of hostile actors executing more sophisticated, targeted, and damaging website attacks.

As a site owner, how worried should I be about these threats? What can I do besides keeping my modules patched? Are there other best practices for protecting my site from common attacks? How can I approach web security more holistically?

In this session, we will introduce a framework for understanding Drupal website security and how to assess possible solutions. This will include:

  • Understanding the nature of the current threat;
  • Discussion of common Drupal site vulnerabilities or vectors;
  • Walking through the different levels at which we need to think about Drupal security, e.g.
    • Security protocols and organizational culture,
    • Filtering and sanitizing user inputs,
    • Reducing vulnerabilities in custom code,
    • Monitoring and updating dependencies (e.g. NodeJS and Composer),
    • Server hardening and monitoring,
    • Balancing security with user needs and behaviors.
  • Finally, surveying the different Drupal modules, third-party tools, and other techniques that can protect your sites at each of these levels.

The goal of the presentation is to give you a solid understanding of the different layers at which your website may be vulnerable and what you can do to remedy them. The general approach is suitable for site administrators at any level, and we will assess each of the recommendations (for both Drupal 7.x and 8.x) for its effectiveness, balance against user needs, and ease of implementation.

@jimholmes

Well done abstract! The only feedback I have is you may want to reconsider the use of bullet points. Some conferences' abstract submission and scheduling systems don't deal well with formatting around bullet points. Consider reaching out to the places you're looking to submit this to specifically ask.

This may also be slightly wordy depending on the particular conference you're looking at; the length is visually exacerbated by the bullet list, too. (I like your list's items. It's just a mechanical thing for some conferences.)

Other than that, you've done a great job with the abstract.
