DrupalCon Amsterdam 2019: Find security vulnerabilities through code review
Jobiqo, Vienna, Austria
Writing secure code can be a challenge in a Drupal application because there are many types of security vulnerabilities out there. A developer might not be aware of all of them and then put their Drupal site at risk of being hacked. Typically we try to avoid that by doing code reviews, but how do you spot security vulnerabilities quickly? Where do you have to look in a Drupal module, what code do we consider to be suspicious? What Drupal Core APIs should be used to prevent security vulnerabilities?
In this session I will go through the most common mistakes developers make when writing Drupal modules. I will show practical examples and tips how to effectively find vulnerabilities in code and how to mitigate them. Topics I plan to cover:
* Opening a Drupal module: which files do we look at first?
* XSS in Drupal 7
* Auto-escaping in Drupal 8 to prevent XSS, where XSS problems remain
* CSRF explained
* Access bypass vulnerabilities such as missing entity field access
* SQL injection examples
* Insecure deserialization and XXE attacks
In general I will use the OWASP Top Ten security vulnerability categories to give you on overview of the most common and most exploited weaknesses. As a regular contributor to reviewing modules on drupal.org I have checked more than a thousand modules for security issues. With that experience I know what developers usually overlook and how a code reviewer can identify problems.