Advanced Drupal Security

General
- core security really good
- contrib hit or miss, not fully policed
- custom code often the worst, including theme layer

Encryption
- wireshark - network scanning tool
- ssl certificate required; d.o hosts an https site also
- modules:
  - securepages - may or may not redirect the action for the login block to https
  - securepages_prevent_hijack - newer module, prevents cookie hijacking

XSS (cross-site scripting)
- inserting js into fields
- should be protected if using the api properly
- drupal_set_message() does not filter by default; use t() with filtering indicators (placeholders)
- use the l() function to create links; does check_plain by default
- select options are automatically filtered; checkbox and radio options are not filtered automatically
- filter functions:
  - check_plain - never allow html
  - check_markup - allow html but filtered to allowed tags
  - filter_xss_admin - lets lots of stuff through, use only when admins are entering the text

Access bypass
- if doing anything (view, edit, delete) with nodes, use node_access()
- user doing anything, use user_access()
- menu callback: understand the hook_menu access callback
- custom query on nodes, taxonomy, etc: use db_rewrite_sql(); going away in D7 in favour of a more OO style; makes sure access rules are checked appropriately

XSRF (cross-site request forgery)
- one site asking for data from another site
- e.g., talk leaders set up an image on the discussion page that voted for the talk when the page was viewed
- use tokens on forms to prevent it: drupal_get_token, drupal_valid_token
- tokens mitigate but can be hacked around using xss and other tools

User impersonation
- using 'global $user; $user = user_load(...)' changes the user
- if you need to impersonate some other user, use session_save_session(FALSE) to stop Drupal from saving $user to the session at the end of page processing

Drupal security team
- about 30 volunteers
- reporting issues: email security@drupal.org
- best practices: http://www.drupal.org/writing-secure-code

Modules/tools
- security_scanner - js attack scanner; good for testing xss
- coder
- http://www.grendel-scan.com - OS desktop tool

Resources
- d.o/security/secure-configuration
- d.o/writing-secure-team
- d.o/security-team
- groups.drupal.org/security-scanner-component-and-best-practices
- http://www.owasp.org
- http://crackingdrupal.com
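The XSS and XSRF points above (the talk-vote image, tokens, node_access()/user_access() in a menu callback, t() placeholders instead of raw drupal_set_message()) pulled together in a Drupal 6 style snippet. This is an added example written for these notes, not code from the session; the module name example_talk, the path talk/%node/vote and the permission 'vote for talks' are assumptions.

```php
<?php
// Assumed module name: example_talk. Drupal 6 API (hook_menu, l(), t(),
// drupal_get_token(), drupal_valid_token(), node_access(), user_access()).

function example_talk_menu() {
  $items['talk/%node/vote'] = array(
    'title' => 'Vote for this talk',
    'page callback' => 'example_talk_vote',
    'page arguments' => array(1),
    // Access bypass: let the menu system enforce access, not the callback alone.
    'access callback' => 'example_talk_vote_access',
    'access arguments' => array(1),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// Combine the permission check (user_access) with node access (node_access).
function example_talk_vote_access($node) {
  return user_access('vote for talks') && node_access('view', $node);
}

// Build the vote link. The token is bound to the current session, so an
// <img src="talk/123/vote"> planted on a discussion page will not carry
// a valid one when another user's browser loads it. l() runs the link text
// through check_plain, and the @title placeholder is check_plain'd by t().
function example_talk_vote_link($node) {
  $value = 'talk_vote_' . $node->nid;
  return l(t('Vote for @title', array('@title' => $node->title)),
    'talk/' . $node->nid . '/vote',
    array('query' => array('token' => drupal_get_token($value))));
}

// Menu callback: refuse any request whose token does not validate.
function example_talk_vote($node) {
  $value = 'talk_vote_' . $node->nid;
  if (empty($_GET['token']) || !drupal_valid_token($_GET['token'], $value)) {
    drupal_set_message(t('Invalid vote request.'), 'error');
    return drupal_access_denied();
  }
  // ... record the vote for $node->nid here ...

  // XSS: drupal_set_message() does not filter. A raw concatenation such as
  //   drupal_set_message('Thanks for voting for ' . $node->title);
  // would echo any markup in the title; the @ placeholder escapes it.
  drupal_set_message(t('Thanks for voting for @title.', array('@title' => $node->title)));
  drupal_goto('node/' . $node->nid);
}
```

Forms built with the Forms API already carry a form token for logged-in users; the explicit drupal_get_token()/drupal_valid_token() pair matters for plain links and GET actions like this one.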