Following our last post on Drupal security and why it’s the best secure CMS, we’re now going to take a closer look at some of Drupal’s enhanced security features. Used by a wide range of high-profile public organisations, governments around the world rely on Drupal’s security model to protect their public images – NASA, the Australian Government, and the United States Federal Emergency Management Agency to name but a few.
Drupal has a large, global security team researching and developing security features and reacting to vulnerabilities to quickly create and deploy patches. As such, Drupal has shown time and time again that it’s a highly resilient and dependable CMS for a business website. New issues are quickly resolved and proactively pushed out to Drupal users, with easy deployment tools allowing site administrators to get those patches into production in as short a time as possible.
Drupal emphasises the importance of its legal framework to protect its user community. With a combination of the best production technology, a large-scale team of developers and these legal guidelines, it’s little wonder that Drupal is evaluated as the best option by security analysts.
Beyond the basics
Drupal builds its advanced security model on a dedicated team model for secure development of its open source codebase. On top of that foundation it offers strong encryption, role-based access control, built-in CAPTCHA support, automated logout, antibot capabilities, and a subsystem called the Security Kit (SecKit), which provides several security-enhancing options to harden deployments.
Drupal SecKit
SecKit offers site administrators the ability to alter HTTP headers to enhance security, reducing threats from various web application vulnerabilities, such as:
- Cross-site Scripting – Using Content Security Policy (CSP) headers, site administrators can implement a variety of countermeasures against injected scripts, and can log policy violations and send notifications when attacks are detected.
- Browser Control – SecKit can instruct user web browsers, such as Internet Explorer, Safari and Chrome, to enable their built-in filters against cross-site scripting (a type of attack).
- Cross-site Request Forgery – Another form of attack mitigation: administrators can configure how the Origin HTTP request header is checked on incoming requests.
- Clickjacking – SecKit includes an implementation of the X-Frame-Options HTTP response header.
- JavaScript + CSS + NoScript – Customisable text for the message shown when JavaScript is disabled.
- SSL/TLS – Drupal SecKit also implements the HTTP Strict-Transport-Security (HSTS) response header, which is used to prevent man-in-the-middle and eavesdropping attacks.
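The headers in the list above are easy to misconfigure, so a defender wants a quick way to confirm that a deployment actually sends them with sane values. The following audit function is an added example written for this post, not SecKit’s own code; the header sets it checks are constructed samples, and the one-year HSTS minimum is an assumed threshold.

```python
"""Audit the security-related HTTP response headers that SecKit manages."""
from typing import Dict, List

# Assumed lower bound for HSTS max-age, in seconds (one year).
HSTS_MIN_MAX_AGE = 31536000


def _parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [sources]}, lower-cased."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # Clickjacking: X-Frame-Options must be DENY or SAMEORIGIN.
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")

    # Transport: HSTS must be present with a long enough max-age.
    max_age = None
    for token in h.get("strict-transport-security", "").split(";"):
        key, _, val = token.strip().partition("=")
        if key.lower() == "max-age" and val.isdigit():
            max_age = int(val)
    if max_age is None or max_age < HSTS_MIN_MAX_AGE:
        findings.append("Strict-Transport-Security missing or max-age too short")

    # XSS: CSP must exist, and script-src (falling back to default-src)
    # must not permit inline scripts or a wildcard source.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        script = _parse_csp(csp).get("script-src") or _parse_csp(csp).get("default-src", [])
        if not script or "'unsafe-inline'" in script or "*" in script:
            findings.append("CSP script-src allows inline or wildcard scripts")
    return findings


# Constructed sample header sets: a weak configuration beside a hardened one.
WEAK = {"Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
        "Strict-Transport-Security": "max-age=300"}
HARDENED = {"X-Frame-Options": "SAMEORIGIN",
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "Content-Security-Policy": "default-src 'self'; script-src 'self'"}
```

Run it against the headers returned by your own site (for example as captured from a browser’s network panel) to see which SecKit options still need turning on.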
Drupal Antibot
Alongside SecKit, the Drupal Antibot module reduces the risks associated with attackers using bots to automatically submit interactive web forms. These bots are often used to look for vulnerabilities and inject attack code into websites. Antibot doesn’t require administrator or end-user interaction, avoiding the use of CAPTCHAs – which can be annoying from a user experience (UX) perspective. The Antibot module works on both mobile and touch-screen devices, providing a complete solution for Drupal users.
Drupal Automated Logout
Automated logouts are an excellent feature of Drupal’s advanced security model. While it may sound like a minor feature, logging out inactive user sessions after a set time stops attackers from hijacking live sessions. This significantly reduces the attack surface. With several options for site administrators, organisations can employ different timeouts based on user roles. There is even the option to override timeouts for special roles, with permissions for certain user types to set their own timeouts. This is necessary for security roles, particularly during events such as incident response activities.
Identity and Access Management
Drupal security features that control user-side attacks are well considered across the whole user management lifecycle.
Drupal MFA
Drupal logins are bolstered by multi-factor authentication (MFA), where site administrators can add an additional control layer: when users log in with their username and password, they must also enter a proof-of-ownership code sent to their mobile phone.
Drupal Password Policy
Password policies add an additional layer of security. They prevent bots from setting up accounts and logging in, and they enforce restrictions on passwords by defining rules for attributes such as length, characters, case, and punctuation. Beyond authentication policies and MFA, Username Enumeration Prevention lets administrators know when a login is attempted with a username that does not exist, working as an indicator of attack where adversaries are trying random usernames to uncover valid ones through trial and error.
Drupal LDAP
Drupal 8 introduced LDAP integration, allowing organisations with an enterprise user directory to integrate directly into Drupal CMS. You can also integrate authentication with Google, so if your organisation uses Google applications you are able to use Google’s App credentials within Drupal.
Custom site security with Drupal Coder Module
A great feature introduced in Drupal 8 is the Coder security module. Coder conducts security assessments of a Drupal site’s code against known good coding standards and best practices. It can also fix coding standard violations automatically, using a command provided by the PHP CodeSniffer tool on which it is built. While this module was introduced in Drupal 8, its checks apply to all versions of Drupal.
Stay secure with Drupal CMS
The Drupal security features that we’ve talked about today are a small number of the many security projects available for strengthening a Drupal deployment. Many of these are extensions of Drupal that aren’t included in the core. They are developed by the global Drupal community to bolster core security features.
Now that Drupal 9 is out, there are many new features and fixes that can further bolster your site’s security. The Catalyst IT team has been helping our clients’ site designers understand which modules and capabilities should be included in their sites, so that their deployments close all possible attack vectors and ensure that users, and the site, are as protected as possible. It’s at the design stage that Catalyst IT’s expertise in web solutions can help.
Catalyst IT is an ISO 27001 certified Drupal Premium Supporting Partner. If you would like support to build and protect a complex Drupal website, one that remains resistant to cyber attacks and data breaches, get in touch with our experts and we’ll explore how we can assist.