My Experience at Drupalcon Euro!

  1. For infrastructure, implementing a tiered architecture, with the web application hosted in a DMZ and the database and business logic behind a firewall, can be helpful.
  2. Also, implement an IDS/IPS that not only detects known intrusions but also prevents them.
  3. Additionally, undertake periodic VAPT (vulnerability assessment and penetration testing) to ensure known vulnerabilities are identified and fixed.
  4. Based on the criticality of the application, adopt measures to ensure business continuity.

  1. Implement a WAF and DDoS protection.
  2. Zero-day protection.
  3. Load balancers for optimal traffic handling and equal distribution.
  4. Implement SIEM for proactive monitoring and alerting.
  5. They should also conduct regular audits and checks, run frequent application and infrastructure security tests, carry out regular risk assessments and, where possible, adopt known security standards/frameworks such as ISO 27001 and SOC 2.

  1. For security at the application level, follow the OWASP Top 10 for web application hardening.
  2. Implement encryption at various levels, and enable HTTP Strict Transport Security (HSTS) so that only secure connections are accepted.
  3. Implement key rotation instead of using static keys, avoid placing authentication tokens in URLs to prevent session hijacking, and keep token lifetimes short so that sessions are re-authenticated regularly.
  4. Enable appropriate audit logging at the various stages, to help track activity, troubleshoot and investigate incidents.
  5. Use trusted third-party certificates instead of free certificates.
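As an added example (not code from the original post, and not part of Drupal), the Python below shows how the token advice in this list fits together: a short-lived HMAC-signed session token, verification that still accepts the previous key after a rotation so that rotating does not log every user out, a cookie that keeps the token out of URLs, and an HSTS header. The `TokenService` and `session_headers` names, the injectable clock and the 900-second default lifetime are assumptions made for the example.

```python
import base64, hashlib, hmac, json, secrets, time


class TokenService:
    """HMAC-signed session tokens under a rotating key, with a short lifetime."""

    def __init__(self, now=time.time, lifetime=900):
        self.now = now            # injectable clock so expiry can be tested deterministically
        self.lifetime = lifetime  # seconds; short, so a leaked token is useful only briefly
        self.keys = {}            # key id -> secret; only the current and previous key are kept
        self.current_kid = None
        self.rotate()

    def rotate(self):
        """Install a fresh signing key; tokens signed two rotations ago stop verifying."""
        kid = "k%d" % (int(self.current_kid[1:]) + 1 if self.current_kid else 1)
        self.keys[kid] = secrets.token_bytes(32)
        self.current_kid = kid
        for old in list(self.keys)[:-2]:
            del self.keys[old]
        return kid

    def _sign(self, kid, body):
        return hmac.new(self.keys[kid], ("%s.%s" % (kid, body)).encode(), hashlib.sha256).hexdigest()

    def issue(self, user):
        payload = {"sub": user, "exp": int(self.now()) + self.lifetime}
        body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode().rstrip("=")
        return "%s.%s.%s" % (self.current_kid, body, self._sign(self.current_kid, body))

    def verify(self, token):
        """Return the subject of a valid, unexpired token, else None."""
        parts = token.split(".")
        if len(parts) != 3 or parts[0] not in self.keys:
            return None  # malformed, or signed with a key that rotation has retired
        kid, body, sig = parts
        if not hmac.compare_digest(self._sign(kid, body), sig):
            return None  # tampered payload or forged signature
        payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        if payload["exp"] <= int(self.now()):
            return None  # lifetime elapsed; the client must authenticate again
        return payload["sub"]


def session_headers(token, lifetime):
    """Carry the token in a hardened cookie, never in a URL, and require HTTPS via HSTS."""
    return {
        "Set-Cookie": "session=%s; Secure; HttpOnly; SameSite=Strict; Max-Age=%d" % (token, lifetime),
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    }
```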
  • Before writing a single line of code
  • While writing code
  • While moving code to production
  • After moving code to production
  • Threat modelling
  • Risk assessment and mitigation
  • Code review and deployment security

  1. Disable the default logins and change default passwords.
  2. Implement access control, including content access permissions.
  3. Keep reasonable session timeouts and limit sessions per user.
  4. For admins, MFA must be enforced.
  5. Check file permissions and block access to important files such as authorize.php and cron.php.
  6. Avoid using the default database tables, or rename the default tables.
  7. Disable the anonymous user role if it is not required.
  8. Enable the Security Review module, which carries out automated tests for many of the easy-to-make mistakes that render your site insecure, e.g. unsafe file-upload extensions.
  9. Enable the Login Security module, which improves the security options of a Drupal site's login operation: a site administrator can protect and restrict access by adding access control features to the login forms, e.g. limiting the number of invalid login attempts before accounts are blocked.

  1. Always keep the core updated.
  2. Use the latest versions of themes and plugins.
  3. Keep the modules updated.
  4. Review access permissions.
  5. Carry out security tests at regular intervals.

  1. Security by design: introduce security at design time and follow threat modelling.
  2. Maintain a hardening checklist and follow it during each release.
  3. Proactive monitoring: configure the right alerts and take action proactively.
