A5 Security Misconfiguration
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
Check the Server Configuration:
· Check the Server hardening
· Avoid using FTP
· On shared servers, know who you share the server with (e.g. sharing hosting with a political party's site, an attractive target for attacks, puts your site in the blast radius)
· Check the other applications running on the server (e.g. phpBB2 has had many security holes)
· Keep your OS, PHP, SQL server, etc. up to date
Check the Drupal Configuration:
· Is your admin password "admin"?
· Look at all "administer *" permissions
· "administer filters" can take over a site
· Use Update module, watch the security news (security updates are made on Wednesdays)
· Avoid any kind of PHP input (the PHP filter, PHP in blocks or views); write your own modules instead. Look into using the Paranoia module
· Watch your input formats, you can be googled! If we enable Full HTML for anonymous users, somebody can find our site by searching for the filter description ("Full HTML, Web page addresses and e-mail addresses turn...") and use it to attack the site.
· Check out the security status with proper module:
o security_review module (https://www.drupal.org/project/security_review )
o security check (https://www.drupal.org/project/security_check )
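The "administer *" and input-format checks above can be scripted. The following is an added example (not code from the original page, from Drupal, or from either security module) that audits a Drupal 7 role/permission export. It assumes the input is a tab-separated "role, permission" listing such as `drush sql-query` would print for a join of `role_permission` and `role`; the export embedded in the script is constructed for the example, and the role names and the list of "takeover" permissions are assumptions you should adapt to your site.

```python
"""Flag risky permission grants in a Drupal 7 site (added example, not page/project code).

Input is assumed to be a tab-separated "role<TAB>permission" export, e.g. from
  drush sql-query "SELECT r.name, p.permission FROM role_permission p JOIN role r ON r.rid = p.rid"
The export below is constructed for the example.
"""
import re

# Roles that every visitor or every registered account holds: nothing "administer *"
# and no HTML/PHP text format should ever be granted here.
UNTRUSTED_ROLES = {"anonymous user", "authenticated user"}
# The D7 default admin role; grants to it are expected and skipped (assumption).
TRUSTED_ROLES = {"administrator"}
# Text formats that amount to letting the holder run script/PHP on the site
# (php_code only exists when the core PHP filter module is enabled).
DANGEROUS_FORMATS = {"use text format full_html", "use text format php_code"}
# "administer *" permissions that let the holder escalate to full site control
# (assumed list; "administer filters" is the one the page singles out).
TAKEOVER_PERMS = {"administer filters", "administer permissions",
                  "administer users", "administer modules"}
ADMIN_RE = re.compile(r"^administer\b")

# Constructed sample export, not from a real site.
SAMPLE_EXPORT = """\
name\tpermission
anonymous user\taccess content
anonymous user\tuse text format full_html
authenticated user\tuse text format filtered_html
authenticated user\tadminister comments
editor\tadminister nodes
editor\tadminister filters
administrator\tadminister permissions
"""


def parse_export(text):
    """Return (role, permission) pairs, skipping blank lines and a header row."""
    grants = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("name\t"):
            continue
        role, _, perm = line.partition("\t")
        grants.append((role.strip(), perm.strip()))
    return grants


def audit(grants):
    """Return (role, permission, level) findings; level is 'critical' or 'review'."""
    findings = []
    for role, perm in grants:
        if role in TRUSTED_ROLES:
            continue
        if perm in DANGEROUS_FORMATS and role in UNTRUSTED_ROLES:
            # Every visitor can post raw HTML/PHP: script injection or code execution.
            findings.append((role, perm, "critical"))
        elif ADMIN_RE.match(perm):
            # Any "administer *" grant to an untrusted role, or a takeover permission
            # to any non-admin role, is critical; other administer grants need review.
            level = "critical" if role in UNTRUSTED_ROLES or perm in TAKEOVER_PERMS else "review"
            findings.append((role, perm, level))
    return findings


def run_sample():
    """Audit the constructed export; used by the usage call below."""
    return audit(parse_export(SAMPLE_EXPORT))


if __name__ == "__main__":
    for role, perm, level in run_sample():
        print(f"{level:8} {role!r} has {perm!r}")
```

Run it against your own export and treat every "critical" line as a site-takeover path: an anonymous Full HTML grant is exactly the googleable configuration described above, and "administer filters" lets its holder enable the PHP filter for themselves.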
A6 Sensitive Data Exposure
Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
Secure Sensitive Data is the protection of:
1. Data at Rest: Cryptographic Storage
· Drupal generates a different random private key for each site (drupal_get_private_key()), which can be used for reversible encryption
· Contributed modules exist to help encrypt more data
· It is up to you to ensure backups (database dumps, files) are protected as carefully as the live site
2. Communication: Transport Protection
· Run all of Drupal over SSL (full SSL), which is expensive
· Otherwise use the securepages and securepages_prevent_hijack modules to wall off your important pages (e.g. login and admin) so they are served only over SSL and a session started over SSL cannot be reused over plain HTTP
· Use a valid certificate
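Whichever of the two transport options you pick, the result is observable in the response headers: the session cookie must carry Secure (what securepages_prevent_hijack is there to guarantee) and HttpOnly, and a full-SSL site should also send Strict-Transport-Security, which goes slightly beyond the page's advice. The following is an added example (not code from the original page or from the securepages modules) that checks a raw header block such as `curl -sI https://example.test/user/login` prints. The two header blocks are constructed, not captured from a real site, and the session-cookie name pattern (SESS or, over HTTPS, SSESS followed by 32 hex characters) is assumed from Drupal 7's naming; adjust it for other versions.

```python
"""Check a Drupal response's headers for transport-protection gaps (added example, not page/project code).

It reads the raw header block you would get from, e.g.,
  curl -sI https://example.test/user/login
Both header blocks below are constructed for the example, not captured from a real site.
"""
import re

# Drupal 7 names its session cookie SESS<32 hex>, or SSESS<32 hex> when it is
# set over HTTPS (assumption: D7 naming; adjust the pattern for other versions).
SESSION_COOKIE_RE = re.compile(r"^S?SESS[0-9a-f]{32}$")

# Constructed: what a site with no transport hardening typically returns.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache
Set-Cookie: SESS0123456789abcdef0123456789abcdef=abc123; expires=Thu, 01 Jan 2015 00:00:00 GMT; path=/
Content-Type: text/html; charset=utf-8
"""

# Constructed: full SSL with HSTS and a Secure, HttpOnly session cookie.
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000
Set-Cookie: SSESS0123456789abcdef0123456789abcdef=abc123; path=/; secure; HttpOnly
Content-Type: text/html; charset=utf-8
"""


def parse_headers(raw):
    """Return (name, value) pairs with lower-cased names; repeated headers are kept."""
    headers = []
    for line in raw.splitlines()[1:]:          # skip the status line
        if not line.strip():
            break                              # blank line ends the header block
        name, _, value = line.partition(":")   # split on the first colon only
        headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_cookie(value):
    """Split a Set-Cookie value into (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def check_transport(raw):
    """Return a list of findings; an empty list means no gap was found."""
    headers = parse_headers(raw)
    findings = []
    if not any(n == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security header: browsers may still follow http:// links")
    for name, value in headers:
        if name != "set-cookie":
            continue
        cname, attrs = parse_cookie(value)
        if not SESSION_COOKIE_RE.match(cname):
            continue                           # only the session cookie matters here
        if "secure" not in attrs:
            findings.append(f"session cookie {cname} lacks Secure: it is also sent over plain http://, so the session can be hijacked")
        if "httponly" not in attrs:
            findings.append(f"session cookie {cname} lacks HttpOnly: readable by injected script")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_transport(raw) or ["ok"])
```

Run the check against the login page and an admin page: the securepages configuration only helps if those paths actually answer over SSL, and the cookie is only "walled" if the Secure attribute is present on the cookie the browser really receives.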