Following our last post on Drupal security and why it’s the best secure CMS, we’re now going to take a closer look at some of Drupal’s enhanced security features. Used by a wide range of high-profile public organisations, governments around the world rely on Drupal’s security model to protect their public image – NASA, the Australian Government and the United States Federal Emergency Management Agency, to name but a few.
Drupal has a large, global security team researching and developing security features and reacting to vulnerabilities to quickly create and deploy patches. As such, Drupal has shown time and time again that it’s a highly resilient and dependable CMS for a business website. New issues are quickly resolved and proactively pushed out to Drupal users, with easy deployment tools allowing site administrators to get those patches into production in as short a time as possible.
Drupal emphasises the importance of its legal framework to protect its user community. With a combination of the best production technology, a large-scale team of developers and these legal guidelines, it’s little wonder that Drupal is evaluated as the best option by security analysts.
Beyond the basics
Drupal builds its advanced security model on a dedicated secure-development team working on an open source codebase, adding features for strong encryption, role-based access, built-in CAPTCHA support, automated logout and antibot capabilities, plus a subsystem called the Security Kit (SecKit), which provides several options to harden deployments.
SecKit lets site administrators set HTTP headers that enhance security, reducing exposure to web application vulnerabilities such as:
- Cross-site Scripting – Using a Content Security Policy, site administrators can apply a variety of countermeasures against exploits and can log and send notifications when attacks are detected.
- Browser Control – SecKit can instruct user web browsers, such as Internet Explorer, Safari and Chrome, to enable their built-in cross-site scripting filters.
- Cross-site Request Forgery – SecKit mitigates this attack by letting administrators validate the Origin HTTP request header on incoming requests.
- Clickjacking – SecKit implements the X-Frame-Options HTTP response header.
- SSL/TLS – SecKit also implements the HTTP Strict-Transport-Security (HSTS) response header, which is used to prevent x-in-the-middle and eavesdropping attacks.
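The following audit script is an added example, not code from the original post or from the SecKit module: it checks a captured set of response headers for the protections listed above and validates the Origin header the way a CSRF check would. The thresholds (one-year HSTS, rejecting a missing or "null" Origin) and the sample header sets are this example's own assumptions.

```python
import re
from urllib.parse import urlsplit

# Threshold below is this example's own assumption, not a SecKit default.
MIN_HSTS_AGE = 31536000  # one year, in seconds

def _directives(csp):
    """Split "default-src 'self'; img-src *" into {directive: value}."""
    out = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = " ".join(tokens[1:])
    return out

def audit_headers(headers):
    """Check a response header mapping (matched case-insensitively) for the
    protections listed above. Returns {check_name: True/False}."""
    h = {k.lower(): v for k, v in headers.items()}
    result = {}
    # Cross-site scripting: a CSP whose default-src allows neither '*' nor inline script
    default_src = _directives(h.get("content-security-policy", "")).get("default-src", "")
    result["csp"] = bool(default_src) and "*" not in default_src and "'unsafe-inline'" not in default_src
    # Browser control: the legacy reflected-XSS filter switched on in blocking mode
    result["xss_filter"] = h.get("x-xss-protection", "").replace(" ", "") == "1;mode=block"
    # Clickjacking: framing refused outright or limited to the same origin
    result["frame_options"] = h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN")
    # SSL/TLS: HSTS present with a max-age long enough to protect returning visitors
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    result["hsts"] = bool(m) and int(m.group(1)) >= MIN_HSTS_AGE
    return result

def origin_allowed(origin, expected_host):
    """CSRF mitigation: accept a state-changing request only when its Origin header
    names this site over HTTPS. Rejecting a missing or "null" Origin is an assumption."""
    parts = urlsplit(origin or "")
    return parts.scheme == "https" and parts.netloc.lower() == expected_host.lower()

# Constructed sample header sets: one hardened, one weak.
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; img-src 'self' data:",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
WEAK = {"Content-Security-Policy": "default-src *", "Strict-Transport-Security": "max-age=600"}

if __name__ == "__main__":  # run stand-alone to print both reports
    print(audit_headers(HARDENED), audit_headers(WEAK), origin_allowed("https://www.example.org", "www.example.org"))
```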
Alongside SecKit, the Drupal Antibot module reduces the risk of attackers using bots to submit interactive web forms automatically. Such bots are often used to probe for vulnerabilities and inject attack code into websites. Antibot requires no administrator or end-user interaction and avoids CAPTCHAs, which can be annoying from a user experience (UX) perspective. The module also works on mobile and touch-screen devices, providing a complete solution for Drupal users.
Drupal Automated Logout
Automated logouts are an excellent feature of Drupal’s advanced security model. While it may sound like a minor feature, logging out inactive user sessions after a set time stops attackers hijacking sessions that have been left open, which significantly reduces the attack surface. With several options for site administrators, organisations can apply different timeouts based on user roles. There is even the option to override timeouts for special roles, with permissions for certain user types to set their own timeouts. This is necessary for security roles, particularly during events such as incident response activities.
Identity and Access Management
Drupal’s security features for controlling user-side attacks are well considered across the whole user management lifecycle.
Drupal logins are bolstered by multi-factor authentication (MFA), where site administrators can add an additional control layer: when users log in with a username and password, they must also enter a proof-of-ownership code sent to their mobile phone.
Drupal Password Policy
Password policies add an additional layer of security. They prevent bots from setting up accounts and logging in, and they enforce restrictions on passwords by defining rules for attributes such as length, characters, case and punctuation. Beyond authentication policies and MFA, Username Enumeration Prevention alerts administrators when a login is attempted with a username that does not exist, acting as an indicator of attack when adversaries try random usernames to uncover valid ones through trial and error.
Drupal 8 introduced LDAP integration, allowing organisations with an enterprise user directory to integrate directly into Drupal CMS. You can also integrate authentication with Google, so if your organisation uses Google applications you are able to use Google’s App credentials within Drupal.
Custom site security with Drupal Coder Module
A great feature introduced in Drupal 8 is the Coder security module. Coder assesses a Drupal site’s code against known good coding standards and best practices. It can also fix coding standard violations automatically, using a command provided by PHP CodeSniffer. While the module was introduced in Drupal 8, its checks apply to all versions of Drupal.