Drupal, the functional and foundational set of APIs and modules, powers hundreds of thousands of websites on the Internet. As such, Drupal code is continuously probed, scanned, and analyzed for security vulnerabilities. Through peer review and a large and continuously growing community of experts and enthusiasts, Drupal's core APIs have been strengthened over the long life of Drupal to mitigate common vulnerabilities. Drupal is designed to prevent critical security vulnerabilities, including the Top 10 security risks identified by the Open Web Application Security Project (OWASP). Drupal has proven to be a secure solution for enterprise needs and is used in high profile, critical websites, such as whitehouse.gov and many others. This topic includes the following sections:
- Drupal security team
- Security-related contributed modules
- Drupal password security
- Secure Drupal hosting in Acquia Cloud
- Drupal site security
- Additional platform-level best practices
The Drupal Security Team includes approximately 40 people, a number of whom are Acquia employees. The security team created a framework to report and prioritize the mitigation of security vulnerabilities discovered both in Drupal core and in Drupal contributed modules. The team also provides best practices for secure module development and Drupal site creation and configuration. This Keeping Drupal Secure blog post describes how the Drupal Security Team responds to security issues. Read more about the Drupal security team.
In addition to the proven security of Drupal core, numerous contributed modules strengthen the security of a Drupal site. These modules extend Drupal's security by adding password complexity, login, and session controls, increasing cryptographic strength, and improving Drupal's logging and auditing functions. For further research on security-related Drupal modules, see the following:
There has been much publicity about password breaches of service providers' websites. Often the root cause of the breach of user passwords is due to poor access controls at the password database and weak encryption methodologies used to encrypt the database. Acquia believes that both strong access controls and strong encryption methodologies are the best means of protecting passwords.
Drupal 7, which is used by Acquia Cloud Site Factory and is the preferred Drupal core version used by Acquia Cloud Enterprise customers, encrypts passwords held in the database using the strong SHA512 hash function with a per-user salt function applied. Drupal 6, by default, uses the MD5 cryptographic hash function and does not apply a salt. You can strengthen Drupal 6 password encryption by using the PHPASS module, which implements secure password hashes and multiple salts and is used in Drupal Gardens and Acquia Network.
To prevent common vectors of attack, Acquia Cloud is built to ensure that Drupal sites are hosted securely in accordance with best practices. Major points include the following:
The process owners of both the web server and the PHP server do not have write access to the web root. The PHP server can only write to a specific set of directories: the
[web root]/sites/[sitename]/filesor the corresponding
files-privatedirectories. These directories are writable by nature, because they are intended to receive file uploads from end users.
Files in the web root (Drupal core, its modules, etc.) are written by an automated process and pulled from a version control system (SVN or Git) only.
Even customer users logged in to the OS layer on a web server do not have write access to files in the web root.
Acquia Cloud manages code and configuration with Puppet. This means that if a file is changed somehow, Puppet will reset this file back to the known good configuration.
Acquia Insight. Acquia Insight is a subscription service that is deployed to your Drupal site as a Drupal module. Insight provides a reporting interface that analyzes your Drupal site and reports to site administrators pertinent security-related data, such as configuration issues, security patch information, and other data to help Drupal administrators identify and action both security and performance-related issues. Read more about Acquia Insight.
Security audits. Acquia provides security audits to customers as a professional service engagement. These security audits include penetration tests and comprehensive code and architecture layer review to ensure that any custom development of your Drupal site has not introduced vulnerabilities. An Acquia Security Audit is typically a one-week engagement on site with your development team. Many security firms provide penetration and code review services, but only Acquia is solely focused on Drupal.
Remote Administration. Acquia offers a Remote Administration (RA) service to proactively keep its customers' Drupal sites up-to-date with the latest security patches and bug fixes to both Drupal core and contributed modules. Read more about Acquia Remote Administration .
As a site administrator, you can take additional steps to ensure that your Acquia Cloud Drupal site is secure. For additional steps, see Password protect development and staging environments using .htaccess.
For more information about Drupal security, see the following: