curious to know our own drupal security process?download it here!
Keeping your website secure is more important than ever. You not only need to protect your own business, but also your customers. Why has security become such a big issue over the years, and how do you make sure your Drupal website is safe? We’ll give you some useful tips and tricks!
why security matters.
If your website is insecure, you are basically giving hackers a free pass to do what they want. And an insecure website that is hacked can have a multitude of consequences, not only for you but also for your clients:
- your website becomes inoperable, causing loss of revenue
- your website's database, containing client data, can be leaked, uploaded to the dark web, and be used for any number of malicious practices
- your website’s hosting environment can become part of a botnet and participate in illegal activity
- your website can be used to host illegal files and the content of the site can be changed to host political messages, religious messages or profanities
- to be GDPR-compliant, you’ll need to to inform your users that their data has been stolen, which will cause irreparable damage to your business’ reputation
drupal & security.
is OSS secure?
When evaluating software security, a number of people often assume that open source software (OSS) is less secure than proprietary software. Their reasoning usually is that since the code is freely available, it would be easier for malicious hackers to discover security vulnerabilities.
But that’s not true, it’s actually quite the opposite: many people are constantly working with the OSS software in different roles (white hat hackers, developers, contributors, users ...) and are much more likely to discover - and fix - vulnerabilities. Furthermore, security issues are addressed by a security release much faster than is the case in proprietary software.
the drupal security team.
Drupal takes security very seriously and has a well-thought-out process for handling security vulnerabilities supported by the Drupal security team. The security team handles security issues reported privately, assists other module maintenances with fixing security issues in their code, and provides documentation related to security.
drupal security updates.
To allow site owners to keep up to date with security releases, Drupal uses so-called security advisories. These are public announcements managed by the Drupal security team that report a security problem and how to address it. Usually this means updating to a new release. Security issues are always kept secret until the advisory is released. You can read all previous security advisories on the Drupal website.
tips for developing secure websites with drupal.
So now you know just how important a secure website is. But how do you make sure your website is 100% secure? Here are some tips for you!
- Choose your modules wisely. When selecting a contrib module, make sure that it is widely used and has a stable release that is covered by the security advisory policy. This is indicated by a green shield icon on the module’s page on drupal.org. Make sure not to use modules which have a low number of reported installations or don’t have stable releases.
- A lot of security issues are present in the code that was custom developed for a project, so always keep security in mind when developing your own modules and themes. Use the Drupal APIs and follow best practices such as the OWASP standard.
- Consider having an external, specialized third party do a security audit or PEN test on your project.
Would you like to know how we handle the security of our Drupal websites? Download our workflow to get more insights or contact firstname.lastname@example.org to get more info on how we can help you with your Drupal sites.