Drupal, the core set of APIs and modules on which sites are built, powers hundreds of thousands of websites on the Internet. As a result, Drupal code is continuously probed, scanned, and analyzed for security vulnerabilities. Through peer review by a large and continuously growing community of experts and enthusiasts, Drupal’s core APIs have been hardened over the long life of the project to mitigate common vulnerability classes. Drupal core is designed to prevent, by default, the classes of flaw listed in the OWASP Top 10 (cross-site scripting, SQL injection, cross-site request forgery, broken access control, and so on), provided that site-specific code uses the core APIs for output escaping, database access, form handling, and access checks rather than bypassing them. Drupal has proven to be a secure solution for enterprise needs and is used in high-profile, critical websites.
The Drupal Security Team includes about 40 people, several of whom are Acquia employees. The security team works with the Drupal Security Working Group, which reviews and supports the work of the security team. The security team maintains a process for privately reporting vulnerabilities in both Drupal core and contributed modules, and a risk-scoring scale that ranks each published advisory by severity. The team also publishes best practices for secure module development and for Drupal website creation and configuration.
In addition to the security of Drupal core, various contributed modules strengthen the security of a Drupal website. These modules extend Drupal’s security by adding password complexity rules, login throttling, and session controls, increasing cryptographic strength, and improving Drupal’s logging and auditing functions. For more on security-related Drupal modules, see Enhancing security using contributed modules on Drupal.org.
There has been much publicity about breaches in which user passwords were stolen from service providers’ websites. The root cause is often a combination of poor access controls on the credential store and weak password storage: plaintext, reversible encryption with a key kept on the same server, or a single fast, unsalted hash that can be cracked with precomputed tables once the database leaks. Acquia’s position is that strong access controls and strong password hashing together are the best means of protecting passwords. Drupal does not encrypt stored passwords, because a key on the same server would be stolen along with the database. Instead, it stores a salted, iterated (stretched) SHA-512 hash: each user gets a random salt, and the hash is recomputed many times, so a leaked table cannot be reversed, identical passwords do not produce identical hashes, and every guess costs the attacker the full iteration count per user.
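The following Python example is added to this page and is not Acquia’s or Drupal’s own code. It contrasts the weak scheme the paragraph warns about (one unsalted SHA-512 pass) with a salted, iterated SHA-512 of the same general shape as Drupal’s phpass-derived scheme (salt mixed into the first round, password re-mixed into every later round). The iteration count, the sixteen-byte salt, the dictionary of guesses, and the record layout are illustrative choices for this example, not Drupal’s actual encoding or settings.

```python
import hashlib
import hmac
import os

# Constructed for this example: a short attacker wordlist, not breach data.
WORDLIST = ["password", "123456", "letmein", "qwerty", "drupal"]
# Illustrative cost factor. Drupal tunes its own count; a site should raise
# it over time as hardware gets faster.
ITERATIONS = 2 ** 14


def weak_hash(password: str) -> str:
    """One unsalted SHA-512 pass: fast, and identical for every user who picks
    the same password, so one precomputed table cracks all of them."""
    return hashlib.sha512(password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, stretched SHA-512. The salt enters the first round and the
    password is re-mixed into every later round, so work cannot be shared
    across users and the chain cannot be shortcut."""
    pw = password.encode()
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(iterations):
        digest = hashlib.sha512(digest + pw).digest()
    return digest


def make_record(password: str) -> dict:
    """What the database row would hold: a fresh random salt plus the hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": strong_hash(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Constant-time comparison so timing does not reveal how many bytes matched."""
    return hmac.compare_digest(strong_hash(password, record["salt"]), record["hash"])


def crack_weak(stolen_hex: str):
    """Lookup-table attack: built once, reused against every stolen unsalted
    hash. Returns the password or None."""
    table = {weak_hash(p): p for p in WORDLIST}
    return table.get(stolen_hex)


def crack_strong(record: dict):
    """Against a salted record the attacker must redo the full iterated hash
    for every guess, separately for every user.
    Returns (password or None, number of SHA-512 operations spent)."""
    ops = 0
    for guess in WORDLIST:
        ops += ITERATIONS + 1
        if hmac.compare_digest(strong_hash(guess, record["salt"]), record["hash"]):
            return guess, ops
    return None, ops


def demo() -> dict:
    """Two users who chose the same weak password."""
    alice = make_record("letmein")
    bob = make_record("letmein")
    strong_pw, strong_ops = crack_strong(alice)
    return {
        "weak_cracked": crack_weak(weak_hash("letmein")),
        "salted_hashes_differ": alice["hash"] != bob["hash"],
        "verify_ok": verify("letmein", alice),
        "verify_wrong": verify("Letmein", alice),
        # Stretching multiplies the cost per guess but does not rescue a
        # password that is in the attacker's wordlist; a password policy does.
        "strong_cracked": strong_pw,
        "strong_ops": strong_ops,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last two results are the caveat a practitioner should take away: salting and stretching turn a one-time table lookup into tens of thousands of hash operations per guess per user, but a password that appears in the attacker’s wordlist still falls. That is why the password-complexity and login-throttling modules mentioned above complement, rather than replace, strong hashing.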
To cut off common attack vectors, Cloud Platform hosts Drupal websites in line with security best practices. Major points include the following:
[web root]/files and [web root]/sites/[sitename]/files or the corresponding files-private directories. These directories are writable by nature, because they’re intended to receive file uploads from end users. Because they are writable, the web server must never execute scripts placed in them: Drupal ships a .htaccess file in the public files directory that disables PHP execution there, and any custom web server or file-serving configuration should preserve that restriction.
Security audits
Acquia provides security audits to subscribers as a professional service engagement. These audits include a comprehensive review of code and architecture to ensure that custom development on your Drupal website hasn’t introduced vulnerabilities. An Acquia Security Audit is typically a one-week engagement on a website with your development team. Various security firms offer penetration testing and code review services, but only Acquia is solely focused on Drupal.
Remote Administration
Acquia offers a Remote Administration (RA) service to proactively keep its subscribers’ Drupal websites up-to-date with the latest security patches and bug fixes to both Drupal core and contributed modules.
As a website administrator, you can take other steps to ensure your Acquia Cloud Drupal website is secure. For more steps, see Password-protecting non-production environments.
For more information about Drupal security, see the following: