GVS is now part of Acquia.
OuterNet, a large data center operator in the southern United States, provides custom server and application management for a variety of clients across the world.
When a client brought them a Drupal-based application for sharing sensitive files they wanted to make sure that the site was secure and learn what application management practices needed to be put in place to keep the site secure.
They turned to Growing Venture Solutions to receive a Security Review led by Ben Jeavons with support from Greg Knaddison and Steve Harley.
Security Review Process and Findings
Ben started with a fundamental review of the features of the site to understand its needs, then checked whether any modifications had been made to the core and contributed code on the site. Automated tools and manual review were then run against the site to discover issues. In the end the site was found to be generally sound, but with 5 critical vulnerabilities and 4 less critical vulnerabilities. The review concluded with our standard report and a meeting to discuss the findings, giving OuterNet an opportunity to learn about securing this site and Drupal sites in general.
Stats for identified issues
- vulnerabilities in core - zero
- vulnerabilities in contributed modules - zero
- vulnerabilities in configuration - one critical, three less critical
- vulnerabilities in process - one critical
- vulnerabilities in custom code - multiple vulnerabilities in a disabled custom theme
This review follows the trends we see in other sites: it's more likely to find mistakes in configuration or custom code than in core or contributed modules that are reviewed by the community. The site was also running older versions of Drupal core and several contributed modules for which security releases had been published. Published exploits exist for the older versions of core and contributed modules that those security releases fix.
To help address these recurring configuration and developer education issues, GVS has created the Security Review module and offers books and training at Drupalcamps and Drupalcons.