13 Reviews
18 of 19 people found the following review helpful
5.0 out of 5 stars
Site Hacked? Read Cracking Drupal!,
By Aaron Winborn "AaronWinborn.com" (Harrisburg, PA USA)
Amazon Verified Purchase
This review is from: Cracking Drupal: A Drop in the Bucket (Paperback)
Cracking Drupal: A Drop in the Bucket was everything I'd hoped it would be, and more. I know that's a cliche, but when I first learned about Greg Knaddison's book (greggles in Drupal-land), I'd assumed it would be aimed primarily at Drupal contributed module developers. By the time I finished the excellent book about Drupal security, I realized it was an essential read for anyone connected with developing, theming, or maintaining a Drupal site. I had been anticipating the release of Knaddison's book for months, as I've been a fan of his for some time, due in part to his active and helpful role in Drupal's forums, and to his work with the Security Team. After reading the book, I feel more secure than ever using Drupal, as its well-documented API and best practices ensure that any module maintainer adhering to them will produce rock-solid code. At the same time, it quite visibly demonstrates the importance of an active community to ensure the modules and themes we use do just that.

Let's look in more detail at the book. Part One, "Anatomy of Vulnerabilities", offers an extensive overview of the predominant routes of attack that may be taken against a site. It's split logically into two chapters: vulnerabilities possible with Drupal or its contributed modules and themes, and potential weaknesses introduced by a poorly configured or poorly maintained server environment. The first two chapters, "That Horrible Sinking Feeling" and "Security Principles and Vulnerabilities outside Drupal", jump right into outlining the more common things that could expose your site to attack. By beginning with this apocalyptic message, Greg grabs the reader's attention and imbues a sense of dread and hopelessness.

Fortunately, he doesn't leave us hanging, and immediately shows us in the next part, "Protecting against Vulnerabilities", relatively easy configurations and optional modules that can buttress our sites with defenses against some of the more common lines of attack, such as tools to subscribe a site for security updates, enforcing strong passwords and reducing the risks of persistent sessions. Chapter 4, "Drupal's User and Permissions System", begins the section most exciting to me as a developer, by describing the API and hooks offered by Drupal to help create more secure code. It offers, for example, an in-depth examination of the famous t() function, showing its dual nature as an aid to translation and internationalization, and (when used properly) as an easy method to automatically filter user input from XSS attacks. Then, as the title implies, the bulk of that chapter offers an in-depth overview of the user and permission system, and how the menu system hooks into it. Chapter 5, "Dangerous Input, Cleaning Output", begins with an exciting foray into the database API for Drupal. It covers safely using the database functionality for Drupal 6 and earlier, and the new, improved, and ever more secure system we can look forward to for Drupal 7. It then meanders into sanitizing output, and applying lessons learned to form building. We learn in Chapter 6 about best practices for developers who work at the theme level (or themers), beginning with an overview of Drupal's theming system and PHPTemplate. The overview is particularly valuable, as Greg points out that many people who work at the theme level do not necessarily come from a PHP background, so have another hurdle to overcome in ensuring a secure site. Fortunately, as he reiterates, it's hard to go wrong as long as we stick to the established standards. For module developers, he cautions the need to maintain a clear separation of code from form, keeping template files as clean as possible.

Next on the plate is the Node Access system, thoroughly described in Chapter 7. My first exploration of this initially baffling framework was the concise, though somewhat cryptic, summary in Pro Drupal Developer (an excellent book, by the way, and another essential in any Drupal developer's library). Greg offers more of a leisurely walkthrough, which would have saved me hours of frustration when I first was learning that system. The final chapter of that section, "Automated Security Testing", explores some currently available modules that should be in the bag of tricks for not only module developers, but anyone deploying a site. He describes how they can be used to test both the modules in use, and a site's custom theme, where many of the vulnerabilities in the wild can be found. Which brings us, finally, to Part Three, "Weaknesses in the Wild". Chapter 9 offers real world examples of vulnerabilities, showing how to find not only weaknesses in contributed modules using nothing more than a search on your local CVS repository checkout, but also weaknesses in the wild, using nothing more than a Google search. Scared yet? You should be. But before you think, "Maybe Drupal's too insecure for me to use, if you can find weaknesses so easily," just remember that every contributing developer to Drupal is interested in creating and maintaining secure code, and at the very least, we can ensure our own sites will be ahead of the game if we do nothing more than keep them updated to the most secure releases as they become available.

Now for your homework... Your homework, if you're interested in putting your knowledge to a test, is to complete a full security audit on a 'Vulnerable' module (a dubious companion to the book), and Knaddison offers his own answers in Chapter 10, "Un-Cracking Drupal". I found this fun exercise to be informative, and it is helping me work through my own code to check for vulnerabilities. The appendices are useful in their own right.
The first appendix examines several useful core functions, explaining specifically how they help maintain security through proper usage. Greg offers useful examples of how to properly use each. The next appendix demonstrates how to create a clean (and secure!) Drupal installation. The final appendix introduces readers to the active Drupal Security Team, and to several useful resources outside the Drupal community, in the larger world of Internet security. If you've read this far without purchasing the book yet, then get on it! You need Cracking Drupal: A Drop in the Bucket by Greg Knaddison. Your sites will be happy for it.
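The review above credits t() with filtering user input when its placeholders are used properly. The following is an added example, not code from the book, the reviewer, or Drupal core. It assumes the placeholder rules Drupal 6 documents for t() (@var escaped with check_plain(), %var escaped and wrapped in <em>, !var inserted raw) and re-implements only that substitution step in plain PHP under the hypothetical names my_t() and my_check_plain(), so it runs without a Drupal bootstrap; translation lookup and Drupal's UTF-8 validation in check_plain() are deliberately omitted.

```php
<?php
// Added example: a minimal stand-in for Drupal 6's check_plain() and the
// placeholder handling of t(). Hypothetical names (my_t, my_check_plain);
// this is not Drupal's own implementation.

// Assumption: escaping matches what check_plain() does to valid UTF-8.
function my_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Assumption: Drupal 6 placeholder semantics.
//   @var -> escaped with my_check_plain()
//   %var -> escaped and wrapped in <em>...</em>
//   !var -> inserted verbatim (caller must have sanitized it already)
function my_t($string, array $args = array()) {
  foreach ($args as $key => $value) {
    switch ($key[0]) {
      case '@':
        $args[$key] = my_check_plain($value);
        break;
      case '%':
        $args[$key] = '<em>' . my_check_plain($value) . '</em>';
        break;
      case '!':
        // Raw insertion on purpose: this is the placeholder that turns
        // unsanitized user input into a stored or reflected XSS.
        break;
    }
  }
  return strtr($string, $args);
}

// Constructed attacker-controlled input, e.g. a user's display name.
$name = '<script>alert(1)</script>';

// Vulnerable pattern: the ! placeholder passes the markup straight through.
function greet_unsafe($name) {
  return my_t('Welcome, !name', array('!name' => $name));
}

// Safe pattern: the @ placeholder entity-encodes the value.
function greet_safe($name) {
  return my_t('Welcome, @name', array('@name' => $name));
}

// Safe and emphasized: the % placeholder for highlighted user values.
function greet_emphasized($name) {
  return my_t('Welcome, %name', array('%name' => $name));
}

echo greet_unsafe($name) . "\n";
echo greet_safe($name) . "\n";
echo greet_emphasized($name) . "\n";
```

Run it with the php command-line binary: the first line reaches the browser with the script tag intact, while the second and third carry only entity-encoded text (&lt;script&gt; and so on), which the browser renders as literal characters rather than executing. The practical rule the example illustrates is that ! is reserved for strings you have already sanitized or built from trusted markup, and @ or % is the default for anything a user can influence.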
12 of 13 people found the following review helpful
5.0 out of 5 stars
More than meets the eye!,
By Doug Vann "dougvann" (Indianapolis)
Whoa! This book does not seek to alarm you as much as it seeks to inform you. The problem is not that Drupal is not secure. What Greg shows is that it's up to the admin to make sure that all of the security features are used properly to ensure a secure site. By showing what hackers might do, the reader is informed on how to make sure that those attacks would not cause damage to their sites. In a word, this book is PRACTICAL. And for a second word I would add ESSENTIAL. This book is causing a lot of conversation in the Drupal community. We're all glad that it has become an easy-to-read, one-stop shop to get the facts on security.
8 of 9 people found the following review helpful
5.0 out of 5 stars
Don't take your site live without this book,
In this wonderfully concise and well written book, Greg Knaddison has managed to cover both the theory and practice of securing your Drupal site as well as your users against the myriad dangers of the internet. As professional Drupal site developers, we pay close attention to security. It is great that we can now have so many useful resources together in one place.
3 of 3 people found the following review helpful
5.0 out of 5 stars
Concise and illuminating,
Amazon Verified Purchase
Within 24 hours of reading this book I found and patched an XSS attack on my site at work. It's well written, to the point, and informative. The author goes above and beyond explaining Drupal exploits and shows you how to track them down in the wild using the Drupal CVS repository. Most helpful is knowing how to properly use Drupal's built-in security measures that take much of the weight of developing secure code off your shoulders.
3 of 3 people found the following review helpful
4.0 out of 5 stars
A definite must for Drupal sites,
Amazon Verified Purchase
I'm still in the process of reading this book but have found it very helpful in making my Drupal sites more secure. The only thing I'm disappointed in is that some of the modules recommended are still in development state, which means they are not ready for production sites. I know the development of a module is not in the author's control, but one would think that when writing a book you would look at modules that site owners can use now. This book does tell you what to look at when choosing a module so that you know your site is more secure. Overall I'm glad I made the purchase and do recommend it if you have a Drupal site.
2 of 2 people found the following review helpful
4.0 out of 5 stars
Good basic overview,
By yosemiteexplorer (Yosemite, CA United States)
This is a good basic overview of Drupal security for admins, module developers and themers. One thing that surprised me is that it did not really cover security on a site using SSL (such as an Ubercart site or perhaps a membership site with secure login).
4 of 5 people found the following review helpful
4.0 out of 5 stars
Great if you're a code geek, impossible for beginners,
Amazon Verified Purchase
This book is not suitable for anyone who doesn't have a very strong understanding of Drupal and Drupal-speak. Beginners and even intermediate web developers will not understand much in Cracking Drupal, which is neck-deep in geek. See my last paragraph in this review if you're a beginner. This is not to say this isn't a good book. I've gone through it once, and plan to read it over a second or third time because it is filled with information. I'm not a security expert, but from my limited perspective I did not see any glaring errors, and I enjoyed the frankness with which the author approached the subject of Drupal security.

For Drupal beginners, here are the basics in helping secure your site: follow every Drupal best practice that you find in the online handbook and articles, don't hack the core or modules, strictly follow Drupal conventions if you create your own modules, and never turn on the PHP filter (which allows you to pepper the site with your own PHP code). And most importantly, run crons frequently and update, update, update! After you've spent a year or two with Drupal, and you're comfortable with the CMS, then look for a second edition of Cracking Drupal.
1 of 1 people found the following review helpful
5.0 out of 5 stars
Excellent resource,
By Greg (Colorado, USA)
Amazon Verified Purchase
This is an excellent book which I can see many people and organizations referring to in the near future, with more and more of our websites moving towards content management-based systems. The author does a great job of taking the reader from an intro to what the CMS is and how it works, down to how to secure your settings, and even gets into some code-level security. I would recommend this book to anyone who is looking to create or start an online business using Drupal.
3 of 4 people found the following review helpful
5.0 out of 5 stars
Enjoyable to read. Good for both experienced and beginners,
Amazon Verified Purchase
I've been working with Drupal for 5 years now and have read several books about Drupal. By far this is the most enjoyable to read. It isn't dry but rather easy to read, and I've learned quite a bit about security issues. The only problems are that the author talks about some Vulnerable module several times in the book and so far (I haven't finished the book yet) there are no code samples from that module. Example on page 60: "The Vulnerable module contains an example of this problem". However, the author doesn't go into any details on what the example is. I would like to see some code snippets from the Vulnerable module. I have yet to download and look at the module, but I wish it wasn't a requirement. The book is not very long, so it could use some more pages of code. Another strange thing I noticed is that the author keeps switching between "he" and "she" throughout the book. Not sure why.
1 of 2 people found the following review helpful
4.0 out of 5 stars
Worth Taking a Look,
By R Bryan Boova (Philadelphia, PA, USA)
Amazon Verified Purchase
Useful guide for Drupal site administrators. Highlights potential security vulnerabilities and other places that might cause issues in one's Drupal site.
Cracking Drupal: A Drop in the Bucket by Greg Knaddison (Paperback - May 11, 2009)