Think of it like maintaining your favourite bike. If you wait for something to go wrong before you repair it or carry out the required maintenance, you will end up paying far more to fix major damage than you would have paid in regular maintenance fees. The same holds for websites, which is why security audits are a must.

Security audits are a vital part of keeping a Drupal website healthy and secure. A web development team should always be proactive about digital safety if it wants to deliver maximum client satisfaction.
Site audits are carried out with specific objectives in mind, such as finding, understanding or fixing any potential hole or problem that could lead to a security breach on the website or on the server where the site is hosted.
Depending on the objective of an audit, the steps and the things to look at on the website or server will change. For example:
• Is it a general review to check the overall status and efficiency of the site?
• Is it a security audit?
• Is it a performance audit?
General Aspects or General Review
When it comes to a security audit, some things should always be addressed or covered, as these steps give the overview of the site.
General codebase overview: the security audit team analyses the codebase to get a comprehensive understanding of the structure and organisation of the modules, along with any custom code written in PHP and JavaScript. In big projects with a high percentage of custom code it is very common to find a mess: code structured without consistent patterns or style guides, which leaves it open to security holes.
General code review: code can be reviewed in an IDE or with automated tools to uncover widespread bad practices. One tool that can be used for the review is the Coder module, which checks code against the Drupal coding standards. While reviewing code, a few more aspects should be looked at:
- SQL injection
- Remote code execution
- User input sanitisation
- Privileged access management
- CSRF protection should be considered
- OWASP standards should be followed
- General configuration, such as:
  - HTTPS configuration
  - Disabling the PHP filter module
  - Access to text formats
  - Private files should be stored in a secure place
  - Execution of PHP files from subfolders should be disabled
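To make the first items of the list concrete, here is an added example (not code from the original post or from any Drupal project) that shows what a reviewer is looking for: a SQL injection defect beside its fixed form, output escaping for user input, a permission check for privileged operations, and a route-level CSRF requirement. It assumes Drupal 8+ APIs; the module name `audit_example`, the function names and the route name are placeholders for this illustration.

```php
<?php
// Added example, not code from the original post or from any Drupal project.
// Assumes Drupal 8+ APIs (\Drupal::database(), Html::escape, render arrays).
// "audit_example" and the function names are placeholders.

use Drupal\Component\Utility\Html;
use Drupal\Core\Session\AccountInterface;

/**
 * REVIEW FINDING: user input is concatenated into the SQL string.
 * A quote character in $name ends the literal early and changes the
 * meaning of the statement; this is the pattern an auditor greps for.
 */
function audit_example_lookup_vulnerable(string $name): array {
  $sql = "SELECT uid, name, mail FROM {users_field_data} WHERE name = '" . $name . "'";
  return \Drupal::database()->query($sql)->fetchAll();
}

/**
 * FIXED: a named placeholder lets the database driver quote the value, so
 * the input can only ever be data, never part of the statement.
 */
function audit_example_lookup_fixed(string $name): array {
  $sql = "SELECT uid, name, mail FROM {users_field_data} WHERE name = :name";
  return \Drupal::database()->query($sql, [':name' => $name])->fetchAll();
}

/**
 * Output side of "user input sanitisation": never drop raw input into HTML.
 * In a render array, '#plain_text' makes the render system escape it.
 */
function audit_example_render_name(string $name): array {
  return ['#plain_text' => $name];
}

/**
 * Same rule in a plain string context: escape before the text reaches markup.
 */
function audit_example_greeting(string $name): string {
  return 'Hello, ' . Html::escape($name);
}

/**
 * Privileged access management: gate sensitive operations on a permission
 * ('administer users' is a core permission), not on a role name or a uid.
 */
function audit_example_can_export(AccountInterface $account): bool {
  return $account->hasPermission('administer users');
}

// CSRF: a link that changes state (a GET route in audit_example.routing.yml)
// must require a token; Drupal appends it when the URL is generated through
// Url::fromRoute() and rejects requests that arrive without it:
//
//   audit_example.disable_account:
//     path: '/admin/people/{user}/disable'
//     requirements:
//       _permission: 'administer users'
//       _csrf_token: 'TRUE'
//
// Forms built with the Form API carry a CSRF token automatically, so the
// review question there is only whether a custom route bypasses the form.
```

The vulnerable function is kept only as the "before" picture a reviewer flags; the fix is the placeholder form, which is also what the Coder module's standards expect.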
Site Audit script: the Site Audit module is one of the modules that looks at website health by generating reports on caching, database, extensions, security and more. It also provides useful information about specific areas of Drupal along with security checks.
Reviewing patched modules: Drupal's Hacked module will definitely help in finding contributed modules that developers have altered after the official release. It compares the installed version with the official one available on Drupal.org and reports the differences.
There are tools that help automate the search for possible security holes in code and configuration. One example is the Security Review module for Drupal projects, which runs a set of checks and generates a report highlighting the areas where configuration should be changed to make the site more secure. Another example is the Paranoia module, which identifies all the places where a user can evaluate PHP via Drupal's web interface and blocks them.
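Two of the "General configuration" items from the earlier list (private files in a secure place, PHP execution disabled in subfolders) are exactly the kind of check these tools automate. As an added illustration, not the Security Review module's own code and not part of the original post, here is a stand-alone PHP script that performs those two checks against a site tree. It assumes a Drupal 8+ layout where `settings.php` sets `$settings['file_private_path']` and where the public files directory carries the `.htaccess` Drupal generates (containing `php_flag engine off` and the `SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006` line). The sample site tree it builds in the temp directory is constructed for the run and is deliberately weak.

```php
<?php
// Added example, not code from the original post or from any Drupal module.
// Assumes Drupal 8+ settings.php conventions and the stock files/.htaccess.

/**
 * Check that PHP execution is disabled inside the public files directory.
 * Returns a list of findings; an empty list means the check passed.
 */
function audit_files_htaccess(string $filesDir): array {
  $findings = [];
  $htaccess = $filesDir . '/.htaccess';
  if (!is_file($htaccess)) {
    return ["$htaccess is missing: PHP files uploaded here could be executed"];
  }
  $content = file_get_contents($htaccess);
  if (stripos($content, 'php_flag engine off') === false) {
    $findings[] = "$htaccess does not turn the PHP engine off";
  }
  if (stripos($content, 'SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006') === false) {
    $findings[] = "$htaccess lacks the Drupal SetHandler catch-all line";
  }
  return $findings;
}

/**
 * Check that the private file path is configured and lies outside the web root.
 */
function audit_private_path(string $settingsFile, string $docroot): array {
  // settings.php is plain PHP; including it inside a function keeps
  // $settings local instead of leaking it into the global scope.
  $settings = [];
  $databases = [];
  include $settingsFile;
  if (empty($settings['file_private_path'])) {
    return ['file_private_path is not set: private files cannot be served securely'];
  }
  $private = realpath($settings['file_private_path']) ?: $settings['file_private_path'];
  $root = realpath($docroot) ?: $docroot;
  if (strpos($private, rtrim($root, '/') . '/') === 0) {
    return ["private path $private is inside the web root $root"];
  }
  return [];
}

/**
 * Run both checks for a site whose web root is $docroot.
 */
function audit_example_run(string $docroot): array {
  return array_merge(
    audit_files_htaccess("$docroot/sites/default/files"),
    audit_private_path("$docroot/sites/default/settings.php", $docroot)
  );
}

// --- Constructed sample site tree so the script runs stand-alone ----------
$tmp = sys_get_temp_dir() . '/drupal_audit_' . getmypid();
mkdir("$tmp/web/sites/default/files", 0777, true);
// Weak on purpose: only one of the two expected directives is present.
file_put_contents("$tmp/web/sites/default/files/.htaccess",
  "php_flag engine off\n");
// Weak on purpose: the private path sits under the public files directory.
file_put_contents("$tmp/web/sites/default/settings.php",
  "<?php\n\$settings['file_private_path'] = '$tmp/web/sites/default/files/private';\n");

foreach (audit_example_run("$tmp/web") as $finding) {
  echo "FINDING: $finding\n";
}
```

Run against the constructed tree it reports two findings, one per check; pointed at a real `web/` directory (`audit_example_run('/var/www/site/web')`) it reads only the two files named and changes nothing, so it is safe to run on a production server.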
Hope this blog helps you understand the steps to be carried out for a successful security audit. If you have any queries, please reach out; we would love to guide you! Happy auditing!