This past Spring, Drupal site maintainers raced to patch their sites to address back-to-back critical security issues on Drupal 7/8 that required action within hours. This is in an ever evolving security environment that is seeing a greater range of hostile actors executing more sophisticated, targeted, and damaging website attacks.
As a site owner, how worried should I be about these threats? What can I do besides keeping my modules patched? Are there other best practices for protecting my site from common attacks?
In this session, we will introduce the framework we are using to help our clients answer these questions by
- Understanding the nature of the threat;
- Assessing common Drupal site vulnerabilities or vectors;
- Reviewing the different levels at which we need to think about security, ex.
- Security protocols for site users;
- Filtering and sanitizing user inputs;
- Vulnerabilities from custom code;
- Server hardening and monitoring;
- and finally, surveying the different tools and techniques that can protect your site at each of these levels.
The goal of the presentation is to leave you with some ideas for implementing or upgrading your own security policy and the tools to enforce it.