Drupal, the functional and foundational set of APIs and modules, powers hundreds of thousands of websites on the Internet. As such, Drupal code is continuously probed, scanned, and analyzed for security vulnerabilities. Through peer review and a large and continuously growing community of experts and enthusiasts, Drupal’s core APIs have strengthened over the long life of Drupal to mitigate common vulnerabilities. Drupal is designed to prevent critical security vulnerabilities, including the Top 10 security risks identified by the Open Web Application Security Project (OWASP). Drupal has proven to be a secure solution for enterprise needs and is used in high profile, critical websites.
The Drupal Security Team includes about 40 people, several of whom are Acquia employees. The security team works with the Drupal Security Working Group, which reviews and supports the work of the security team. The security team created a framework to report and rank the mitigation of security vulnerabilities discovered both in Drupal core and in Drupal contributed modules. The team also provides best practices for secure module development and Drupal website creation and configuration.
There has been much publicity about password breaches of service providers’ websites. Often the root cause of a breach of user passwords is poor access controls at the password database and weak encryption methodologies used to encrypt the database. Acquia believes that both strong access controls and strong encryption methodologies are the best means of protecting passwords. Drupal hashes passwords held in the database using the strong SHA512 hash function with a per-user salt applied.
To prevent common vectors of attack, Cloud Platform is built to ensure Drupal websites are hosted securely to align with best practices. Major points include the following:
The process owners of both the web infrastructure and the PHP infrastructure don’t have write access to the web root. The PHP infrastructure can only write to a specific set of directories: the [web root]/files and [web root]/sites/[sitename]/files or the corresponding files-private directories. These directories are writable by nature, because they’re intended to receive file uploads from end
Files in the web root (such as Drupal core and its modules) are written by an automated process and pulled from a version control system (Git) only.
Even subscribers logged in to the OS layer on a web infrastructure don’t have write access to files in the web root.
Cloud Platform manages code and configuration with Puppet. This means if a file is changed, Puppet will reset the file back to the known good configuration.
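An added example, not Acquia's or Drupal's own tooling: a Python check that walks a web root and reports every path outside the upload directories that a given runtime account could write, judged from owner, group and mode bits. The sample tree, its file names, and the reading of "corresponding files-private directories" as siblings of each files directory are assumptions.

```python
import os
import stat
import tempfile

# Upload dirs the page names; assumption: files-private sits beside each files directory.
ALLOWED = ("files", "files-private", "sites/*/files", "sites/*/files-private")

def in_upload_dir(rel):
    """True if the directory rel (POSIX path relative to the web root) is an upload dir."""
    parts = rel.split("/")
    return any(len(parts) == len(want) and all(w in ("*", p) for w, p in zip(want, parts))
               for want in (pattern.split("/") for pattern in ALLOWED))

def can_write(st, uid, gids):
    """Classic owner/group/other check on mode bits (ignores ACLs and root)."""
    bit = (stat.S_IWUSR if st.st_uid == uid else
           stat.S_IWGRP if st.st_gid in gids else stat.S_IWOTH)
    return bool(st.st_mode & bit)

def audit(web_root, uid, gids):
    """Relative paths outside the upload dirs that the runtime account can write."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(web_root):
        rel_dir = os.path.relpath(dirpath, web_root)
        # Upload directories are writable by design, so do not descend into them.
        dirnames[:] = [d for d in dirnames
                       if not in_upload_dir(os.path.normpath(os.path.join(rel_dir, d)))]
        for name in ["."] + filenames:  # "." checks the directory itself
            rel = os.path.normpath(os.path.join(rel_dir, name))
            st = os.lstat(os.path.join(web_root, rel))
            if not stat.S_ISLNK(st.st_mode) and can_write(st, uid, gids):
                findings.append(rel)
    return sorted(findings)

def build_sample(root):
    """Constructed tree: deployed code, upload dirs, one world-writable mistake."""
    layout = {"core": 0o755, "files": 0o777, "sites": 0o755, "sites/default": 0o755,
              "sites/default/files": 0o777, "index.php": 0o644,
              "core/custom.module": 0o666, "files/a.png": 0o666}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.mkdir(path) if "." not in rel else open(path, "w").close()  # dotted names are files
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        # A uid other than the owner stands in for the PHP runtime account.
        print(audit(root, os.stat(root).st_uid + 1, set()))
```

Passing the uid that owns the deployed code instead shows what is exposed when PHP runs as the code owner: every owner-writable file and directory in the web root is reported.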
Acquia provides security audits to subscribers as a professional service engagement. These security audits include comprehensive code and architecture layer review to ensure that any custom development of your Drupal website hasn’t introduced vulnerabilities. An Acquia Security Audit is typically a one-week engagement on a website with your development team. Various security firms offer penetration and code review services, but only Acquia is solely focused on Drupal.
Acquia offers a Remote Administration (RA) service to proactively keep its subscribers’ Drupal websites up-to-date with the latest security patches and bug fixes to both Drupal core and contributed modules.
As a website administrator, you can take other steps to ensure your Acquia Cloud Drupal website is secure. For more steps, see Password-protecting non-production environments.