Drupal, with its foundational set of APIs and modules, powers hundreds of thousands of websites on the Internet. As such, Drupal code is continuously probed, scanned, and analyzed for security vulnerabilities. Through peer review and a large, continuously growing community of experts and enthusiasts, Drupal's core APIs have been strengthened over the long life of Drupal to mitigate common vulnerabilities. Drupal is designed to prevent critical security vulnerabilities, including the Top 10 security risks identified by the Open Web Application Security Project (OWASP). Drupal has proven to be a secure solution for enterprise needs and is used in high-profile, critical websites.
The Drupal Security Team includes about 40 people, several of whom are Acquia employees. The security team works with the Drupal Security Working Group, which reviews and supports the work of the security team. The security team created a framework for reporting security vulnerabilities discovered both in Drupal core and in Drupal contributed modules and for ranking how urgently they must be mitigated. The team also provides best practices for secure module development and for Drupal website creation and configuration.
There has been much publicity about password breaches of service providers' websites. Often the root cause of a breach of user passwords is poor access controls on the password database and weak encryption methodologies used to protect it. Acquia believes that both strong access controls and strong encryption methodologies are the best means of protecting passwords. Drupal hashes passwords held in the database using the strong SHA512 hash function with a per-user salt applied.
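To show what a per-user salt buys you, here is an added example (not Drupal's own password code and not interoperable with its stored hash format) of salted, iterated SHA-512 password hashing and constant-time verification. It assumes a hypothetical storage string of the form `iterations$salt_hex$digest_hex`; the point it demonstrates is that two users with the same password end up with different stored hashes, so a leaked table cannot be attacked with one precomputed lookup.

```python
import hashlib
import hmac
import secrets

# Assumption: illustrative scheme only. It mirrors the properties the text
# describes (SHA-512, a salt generated per user) but is not Drupal's format.
ITERATIONS = 2 ** 16  # cost factor: slows down offline guessing of a leaked hash


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return a storage string 'iterations$salt_hex$digest_hex'.

    A fresh random salt is drawn per call (i.e. per user) unless one is
    supplied, which verification does to recompute the stored value.
    """
    if salt is None:
        salt = secrets.token_bytes(16)  # 128-bit random per-user salt
    pw = password.encode("utf-8")
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(iterations - 1):
        # Feed the previous digest back in so each round depends on the last.
        digest = hashlib.sha512(digest + pw).digest()
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and cost; compare in constant time."""
    iterations_s, salt_hex, _digest_hex = stored.split("$")
    recomputed = hash_password(password, bytes.fromhex(salt_hex), int(iterations_s))
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(recomputed, stored)


def same_password_yields_distinct_hashes(password: str) -> bool:
    """Two accounts sharing a password still get unrelated stored values."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(same_password_yields_distinct_hashes("hunter2"))  # True
```

For new systems a dedicated password KDF (bcrypt, scrypt, Argon2) is preferable to hand-rolled iteration; the example keeps SHA-512 only because that is the primitive the text names.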
To prevent common vectors of attack, Cloud Platform is built to ensure Drupal websites are hosted securely to align with best practices. Major points include the following:
[web root]/files and [web root]/sites/[sitename]/files, or the corresponding files-private directories. These directories are writable by nature, because they are intended to receive file uploads from end users.

As a website administrator, you can take other steps to ensure your Acquia Cloud Drupal website is secure. For more steps, see Password-protecting non-production environments.