Defense in depth and the application layer
This whitepaper focuses on Layer 3 of Salsa's Defense in Depth Drupal 7 Security Hosting Framework: the application . The application layer, consisting of Drupal core itself and any installed modules and themes, plays a critical role in the overall security of your website. Addressing security risks and challenges at the application layer is crucial for protecting the integrity of your Drupal website, safeguarding sensitive data and maintaining user trust. Failure to address these risks and challenges may lead to compromised functionality, data breaches, and a damaged reputation.
By implementing these best practices and recommendations, you can create a more secure and robust Drupal website, mitigating risks and reducing the potential impact of security threats.
This whitepaper aims to :
Provide an understanding of the security risks and challenges associated with the Drupal application layer.
Offer an essential list of best practices and recommendations to improve security at the application layer.
Demonstrate the benefits and outcomes of implementing these best practices.
Encourage further exploration of resources and reading materials to deepen your knowledge and expertise in Drupal application security.
While this whitepaper focuses specifically on Drupal 7, many of the recommendations and best practices can be applied to other versions of Drupal as well. The content is aimed at Drupal developers, administrators and other stakeholders involved in the maintenance and management of Drupal websites. This whitepaper is part of a broader series covering all seven layers of Salsa's Defense in Depth Drupal 7 Security Hosting Framework, which should be considered holistically to ensure comprehensive security across your entire Drupal ecosystem.
Security risks and challenges
The Drupal application layer faces many unique security risks and challenges that must be addressed to ensure a secure and reliable website.
There are 9 main security risks and challenges at the application layer, broken into either common security risks or challenges in application security:
- Insecure coding practices
- Insufficient input validation and sanitisation
- Weak user authentication and authorisation
- Insecure file and data handling
- Outdated software and components
- Keeping up with evolving threats
- Balancing usability and security
- Ensuring consistent security practices
- Integrating security into the development lifecycle
1. Insecure coding practices
The application layer is vulnerable to insecure coding practices, which can lead to vulnerabilities such as SQL , cross-site scripting and cross-site request forgery .
2. Insufficient input validation and sanitisation
Failing to validate and sanitise user inputs can expose the application to attacks like injection and XSS, potentially compromising user data and site functionality.
Weak authentication and authorisation mechanisms may allow unauthorised access to sensitive data, leading to data breaches or the takeover of administrative privileges.
4. Insecure file and data handling
Insecure handling of files and data can expose sensitive information, potentially leading to data breaches or unauthorised access to resources.
5. Outdated software and components
Running outdated versions of Drupal core, modules, themes or third-party components may expose the application to known vulnerabilities, placing the entire system at risk.
6. Keeping up with evolving threats
Application layer security requires continuous monitoring and updating to stay ahead of the latest security threats and vulnerabilities.
7. Balancing usability and security
Implementing strong security measures at the application layer may sometimes impact usability or performance, necessitating a careful balance between security and user experience.
8. Ensuring consistent security practices
Ensuring consistent security practices across the application can be challenging, particularly when working with a large team of developers or integrating third-party components.
9. Integrating security into the development lifecycle
Integrating security best practices throughout the software development lifecycle requires a proactive approach and an organisational culture that values security.
Top 10 best practices and recommendations
Below we’ve put together our top 10 best practices/recommendations for securing the application layer.
- Secure coding practices
- Input validation and sanitisation
- Strong user authentication and authorisation
- Secure file and data handling
- Keeping software and components up-to-date
- Implementing security-focused modules and monitor logs
- Regular security audits and testing
- Developer security training
- Secure software development lifecycle (SSDLC) integration
- Incident response planning
1. Secure coding practices
Secure coding practices help prevent vulnerabilities such as SQL injection, XSS and CSRF, protecting the Drupal application against attacks and breaches.
Security benefits: Secure coding practices include input , output , and using prepared in database queries.
Actionable steps:
- Adhere to Drupal's coding and best practices for , site and .
- Use Drupal's built-in for handling user , database and form .
- Regularly and update your code to maintain security.
2. Input validation and sanitisation
Security benefits: Input validation and sanitisation ensure user inputs are safe, preventing attacks such as injection and XSS.
Actionable steps:
- Validate user against a whitelist of allowed values or formats.
- Sanitise user inputs using Drupal's built-in sanitisation .
- Use Drupal's Form for building forms and handling user inputs.
Security benefits: Implementing strong authentication and authorisation mechanisms prevents unauthorised access and ensures the integrity of user data and the application.
Actionable steps:
- Implement two-factor authentication for administrative accounts.
- Enforce strong password for all user accounts.
- Limit user based on the principle of least privilege and review accounts regularly for removal or role changes.
4. Secure file and data handling
Security benefits: Properly handling files and data prevents unauthorised access and ensures data integrity.
Actionable steps:
- Use Drupal's file management for secure file handling.
- Configure proper access controls and permissions for file .
- Regularly and encrypt sensitive and use secure connections ( ).
5. Keep software and components up-to-date
Security benefits: Keeping Drupal, modules and third-party components updated prevents exploitation of known vulnerabilities.
Actionable steps:
- Regularly check for and apply Drupal and module .
- Subscribe to Drupal security and vulnerability alerts.
- and update third-party components regularly, and check if modules are covered by the security advisory .
6. Implement security-focused modules and monitor logs
Security benefits: Security-focused Drupal modules and monitoring logs for suspicious behaviour can provide additional protections and enhance the security of your application.
Actionable steps:
- Research and install security-focused Drupal modules such as , Login , Password , Security , Security , Two-factor Authentication and Username Enumeration .
- Configure modules according to Drupal best practices and .
- Regularly review Drupal for suspicious activity.
7. Regular security audits and testing
Security benefits: Conducting regular security audits and testing helps identify vulnerabilities and ensure the ongoing security of your Drupal application.
Actionable steps:
- Conduct regular vulnerability using tools like OWASP or Burp .
- Perform manual security , including penetration .
- Address vulnerabilities and update security as needed.
8. Developer and site administrator security training
Security benefits: Educating developers and website administrators on security best practices helps ensure the consistent implementation of secure coding practices and web administration.
Actionable steps:
- Provide ongoing security for developers and site admins.
- Promote a security-focused within the web development team.
- Share security and updates regularly.
9. Secure software development lifecycle (SSDLC) integration
Security benefits: Integrating security best practices throughout the development lifecycle ensures proactive security management and mitigates risk.
Actionable steps:
- Incorporate security in project planning and requirements gathering.
- Perform security reviews and testing throughout a secure development .
- Continuously monitor and improve practices after deployment.
10. Incident response planning
Security benefits: Having a well-defined incident response plan helps minimise damage and ensures a timely and effective response in case of a security breach.
Actionable steps:
- Develop a comprehensive incident response .
- Assign roles and responsibilities for incident response members.
- Conduct regular incident response and update the plan as needed.
Benefits and outcomes
There are many benefits of using defense in depth strategies to secure Drupal at the application layer. These include:
- Enhanced security
- Improved performance and stability
- Increased user trust and brand reputation
- Compliance with industry standards and regulations
- Cost-effective security
- Better developer collaboration
- Easier troubleshooting and maintenance
1. Enhanced security
Implementing the top 10 best practices and recommendations significantly reduces the likelihood of security breaches, protecting sensitive data and preserving the integrity of your Drupal application.
2. Improved performance and stability
By applying secure coding practices, optimising configurations and keeping software up-to-date, you can achieve better performance and stability for your application.
3. Increased user trust and brand reputation
A secure application instils confidence in users, resulting in higher user satisfaction and retention, and improved brand reputation.
4. Compliance with industry standards and regulations
Adhering to these best practices will help ensure your Drupal application complies with relevant security standards and regulations, such as (Australia), PCI Data Security (global), (Europe), and (US), reducing the risk of fines and penalties.
5. Cost-effective security
By proactively implementing these best practices, you can prevent costly security incidents and potential damage to your business.
6. Better developer collaboration
Establishing clear security guidelines and processes creates a shared understanding of security responsibilities among developers, leading to more secure code and efficient collaboration.
7. Easier troubleshooting and maintenance
When security is built into your application from the ground up, troubleshooting and maintenance become more manageable, saving both time and resources.
Conclusion
The top 10 best practices for Drupal application security have been presented to help you enhance the security posture of your Drupal application, from secure coding and configuration to continuous monitoring and vulnerability management.
A proactive approach to security enables you to identify and address potential vulnerabilities before they can be exploited, saving time, resources and potential damage to your reputation.
It's important to remember that security is an ongoing process that requires constant attention and dedication. Regularly reviewing and updating your security measures in line with industry best practices will ensure that your Drupal application remains secure and compliant.
By implementing the top 10 best practices outlined in this whitepaper, you can effectively strengthen your Drupal application's security, protect your valuable data and ensure a better user experience for your audience.
National Institute of Standards and Technology (NIST) Cybersecurity Framework and the application layer
NIST is a US-based agency that provides critical measurement solutions to promote equitable standards such as the NIST Cybersecurity (NIST CSF). NIST CSF is recognised globally as one of the leading standards for organisational cybersecurity management.
The NIST CSF can be applied to application security to help organisations effectively manage and mitigate cybersecurity risks associated with their applications. Here are some of the NIST CSF activities that can apply to this layer:
Identify:
Asset inventory: Identify all applications and relevant components within your organisation, including their versions and dependencies.
Risk assessment: Evaluate the cybersecurity risks associated with each application and relevant components considering factors like data sensitivity and potential vulnerabilities.
Protect:
Secure development practices: Implement secure coding standards and best practices during the application development process to prevent vulnerabilities from being introduced.
Authentication and authorisation: Ensure that proper authentication and authorisation mechanisms are in place to control access to applications and their data.
Encryption: Use encryption to protect data in transit and at rest within applications.
Security testing: Conduct regular security testing, such as penetration testing and code reviews, to identify and remediate vulnerabilities in applications.
Detect:
Security monitoring: Deploy monitoring and logging mechanisms within applications to detect suspicious or malicious activities.
Intrusion detection: Implement intrusion detection systems (IDS) or intrusion prevention systems (IPS) to identify and respond to unauthorised access or attacks.
Respond:
Incident response plan: Develop an incident response plan specific to application security incidents.
Patch management: Quickly respond to and apply patches for known vulnerabilities in applications to mitigate potential threats.
Recover:
Backup and recovery: Regularly backup application data and configurations to ensure data recovery in case of an incident.
Business continuity: Develop and test business continuity plans to minimise downtime and ensure the availability of critical applications.
Resources and further reading
Drupal security documentation
- Drupal Security
- Official Drupal security
- Safe theme development in Drupal
- Security in Drupal
- Writing secure code in Drupal
OWASP resources
- OWASP cheat sheet
- OWASP community
- OWASP Top Ten
- OWASP top 10 CI/CD security
- OWASP Web Security Testing
Security testing and tools
- Drupal Security Review
- OWASP Zed Attack Proxy
- PHP code security
- Security
- Top 10 Open Source Security Testing Tools for Web
Continuous integration and deployment
Relevant industry articles
- Drupal Security
- Eleven tips to keep Drupal up to date with security
- Staying aware of Drupal security
- Talking Drupal #396 - Drupal
- 7 Ways to Evaluate the Security and Stability of Drupal Contrib
Security conferences and training