DrupalCon Amsterdam 2019: Find security vulnerabilities through code review

Nov 03, 2019

Klaus Purer
Jobiqo, Vienna, Austria

Writing secure code can be a challenge in a Drupal application because there are many types of security vulnerabilities out there. A developer might not be aware of all of them and then put their Drupal site at risk of being hacked. Typically we try to avoid that by doing code reviews, but how do you spot security vulnerabilities quickly? Where do you have to look in a Drupal module, what code do we consider to be suspicious? What Drupal Core APIs should be used to prevent security vulnerabilities?

In this session I will go through the most common mistakes developers make when writing Drupal modules. I will show practical examples and tips on how to find vulnerabilities in code effectively and how to mitigate them. Topics I plan to cover:

* Opening a Drupal module: which files do we look at first?
* XSS in Drupal 7
* Auto-escaping in Drupal 8 to prevent XSS, where XSS problems remain
* CSRF explained
* Access bypass vulnerabilities such as missing entity field access
* SQL injection examples
* Insecure deserialization and XXE attacks
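
As an added illustration of the review patterns the topics above name (this is not code from the session or from Drupal core), each pair below shows the suspicious pattern a reviewer looks for next to the core API that fixes it. The mymodule_* function names and the field name field_secret are hypothetical; db_query(), check_plain(), Markup::create(), the entity and field access() methods and the PHP functions are real.

```php
<?php
// Added example (not from the session or Drupal core). mymodule_* names and
// field_secret are hypothetical; the Drupal and PHP API calls are real.

use Drupal\Core\Render\Markup;
use Drupal\Core\Entity\FieldableEntityInterface;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

// --- SQL injection (Drupal 7 database API) -----------------------------------

// Suspicious: request data concatenated into the SQL string.
function mymodule_lookup_unsafe($title) {
  return db_query("SELECT nid FROM {node} WHERE title = '" . $title . "'")->fetchCol();
}

// Fixed: a named placeholder lets the database layer quote the value.
function mymodule_lookup_safe($title) {
  return db_query("SELECT nid FROM {node} WHERE title = :title", [':title' => $title])->fetchCol();
}

// --- XSS in Drupal 7 (no auto-escaping) --------------------------------------

// Suspicious: user-controlled text placed in markup unescaped.
function mymodule_greeting_unsafe($name) {
  return '<p>Hello ' . $name . '</p>';
}

// Fixed: check_plain() HTML-encodes the value before it reaches the page.
function mymodule_greeting_safe($name) {
  return '<p>Hello ' . check_plain($name) . '</p>';
}

// --- XSS that remains in Drupal 8 despite Twig auto-escaping -----------------

// Suspicious: Markup::create() marks the string as already safe, so the
// renderer prints it verbatim (the |raw filter in a Twig template does the same).
function mymodule_render_unsafe($name) {
  return ['#markup' => Markup::create('Hello ' . $name)];
}

// Fixed: #plain_text keeps the value as text, so the renderer escapes it.
function mymodule_render_safe($name) {
  return ['#plain_text' => 'Hello ' . $name];
}

// --- Access bypass: missing entity field access (Drupal 8) -------------------

// Suspicious: a field value is rendered without asking whether the current
// user may view the entity or that particular field.
function mymodule_secret_unsafe(FieldableEntityInterface $node) {
  return ['#plain_text' => $node->get('field_secret')->value];
}

// Fixed: entity-level and field-level access checks before output.
function mymodule_secret_safe(FieldableEntityInterface $node) {
  if (!$node->access('view') || !$node->get('field_secret')->access('view')) {
    throw new AccessDeniedHttpException();
  }
  return ['#plain_text' => $node->get('field_secret')->value];
}

// --- Insecure deserialization and XXE ----------------------------------------

// Suspicious: unserialize() on user-reachable data can instantiate arbitrary
// classes, and XML parsed with default options may resolve external entities.
function mymodule_parse_unsafe($blob, $xml) {
  $data = unserialize($blob);
  $doc = simplexml_load_string($xml);
  return [$data, $doc];
}

// Fixed: allowed_classes => false keeps unserialize() from creating objects;
// LIBXML_NONET blocks network access while parsing, and LIBXML_NOENT is
// deliberately not set, so entity references are not substituted.
function mymodule_parse_safe($blob, $xml) {
  $data = unserialize($blob, ['allowed_classes' => false]);
  $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
  return [$data, $doc];
}
```

When opening a module for review, the left-hand pattern of each pair is what to search for in the .module file, controllers and form handlers: string concatenation into db_query(), raw variables in HTML strings, Markup::create() or |raw on user data, field values output without access(), and unserialize() or XML parsing on request data.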

In general I will use the OWASP Top Ten security vulnerability categories to give you an overview of the most common and most exploited weaknesses. As a regular reviewer of contributed modules on drupal.org I have checked more than a thousand modules for security issues. With that experience I know what developers usually overlook and how a code reviewer can identify problems.
